Attacks with the Headlace information-stealing malware and credential-harvesting sites were deployed by Russian state-backed threat operation APT28 — also known as Fancy Bear, Sednit, BlueDelta, Sofacy Group, STRONTIUM, and Pawn Storm — against European networks as part of a multi-stage espionage campaign between April and December, reports Security Affairs.
Organizations whose systems passed the sandbox, operating-system, and targeted-country checks conducted by APT28 were then served a malicious Windows BAT script that enabled shell command execution, according to a report from Recorded Future's Insikt Group.
Moreover, Ukraine's Ministry of Defence, the Azerbaijan Center for Economic and Social Development, and European railway systems were primarily targeted by the credential-harvesting sites with two-factor authentication bypass capabilities. Further analysis revealed most Headlace and credential-harvesting attacks launched by APT28 since 2022 have been targeted at Ukraine.
"Türkiye might seem like an unexpected target with 10%, but it’s important to note that it was singled out only by Headlace geofencing, unlike Ukraine, Poland, and Azerbaijan, which were targeted through both Headlace geofencing and credential harvesting," said researchers.