Researchers from a cybersecurity agency revealed the details of the Russian state-supported hacking outfit known as APT28 or Fancy Bear, which has been scanning vulnerable email servers for over a year.
Security researchers found that the Russian hacking group had been targeting defense companies with Middle Eastern outposts since May 2019.
38% of the attacks focused on defense corporations, banks, construction firms, and government bodies.
The list of victims also included a couple of private schools in France and the U.K. and even a kindergarten in Germany.
The Fancy Bear crew also used credential-phishing techniques against email accounts to raise its success rate.
Researchers found that the threat group was port-scanning mail servers such as Microsoft Exchange on TCP ports 443 and 1433, expecting to find weak systems to exploit and mapping attack surface to support its ongoing campaign.
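The scanning pattern described above, one source touching the named mail-server ports on many hosts in a short window, is something a defender can spot in ordinary firewall connection logs. The following is an added example, not code from the article or from the researchers it cites; the log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Added example, not from the article: a small detector for a single
source probing the mail-server ports TCP 443 and 1433 on many hosts
within a short time window. All log data below is constructed."""
from collections import defaultdict, deque
from datetime import datetime

WATCHED_PORTS = {443, 1433}  # the ports named in the report

# Constructed firewall-style connection log: timestamp src dst dport flag
SAMPLE_LOG = """\
2019-05-10T08:00:01Z 203.0.113.7 198.51.100.10 443 SYN
2019-05-10T08:00:01Z 203.0.113.7 198.51.100.10 1433 SYN
2019-05-10T08:00:03Z 203.0.113.7 198.51.100.11 443 SYN
2019-05-10T08:00:03Z 203.0.113.7 198.51.100.11 1433 SYN
2019-05-10T08:00:05Z 192.0.2.5 198.51.100.10 443 SYN
2019-05-10T08:00:06Z 203.0.113.7 198.51.100.12 443 SYN
2019-05-10T08:00:07Z 203.0.113.7 198.51.100.13 443 SYN
2019-05-10T08:00:09Z 203.0.113.7 198.51.100.14 1433 SYN
2019-05-10T08:00:12Z 203.0.113.7 198.51.100.15 443 SYN
2019-05-10T08:01:00Z 192.0.2.5 198.51.100.10 443 SYN
2019-05-10T08:02:00Z 192.0.2.5 198.51.100.10 443 SYN
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport, _flag = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)


def find_scanners(log_text, window_seconds=300, min_targets=5):
    """Return {src: {"targets": n, "ports": [...]}} for every source that
    reaches at least min_targets distinct hosts on the watched ports
    within any sliding window of window_seconds."""
    per_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, dport = parse_line(line)
        if dport in WATCHED_PORTS:
            per_src[src].append((ts, dst, dport))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        window = deque()
        for ts, dst, dport in events:
            window.append((ts, dst, dport))
            # drop events that have fallen out of the sliding time window
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            targets = {d for _, d, _ in window}
            if len(targets) >= min_targets:
                prev = alerts.get(src, {"targets": 0})
                if len(targets) > prev["targets"]:  # keep the widest spread seen
                    alerts[src] = {
                        "targets": len(targets),
                        "ports": sorted({p for _, _, p in window}),
                    }
    return alerts


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"possible mail-server scan from {src}: {info}")
```

The legitimate client 192.0.2.5 keeps talking to one server and is never flagged; the constructed scanner 203.0.113.7 is reported once it has reached five distinct hosts. In practice the threshold and window should be tuned to the size of the monitored mail estate, and a hit is a lead for correlation with mail-server and VPN logs rather than a verdict on its own.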
APT28’s spam-sending tactics included the use of VPNs to hide their tracks. “Pawn Storm regularly makes use of the OpenVPN option of commercial VPN service suppliers to connect to a dedicated host that sends out spam.”
The dedicated spam-sending servers used explicit domain names in the EHLO command of the SMTP sessions with the targets’ mail servers.
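Because the dedicated sending hosts announced explicit domain names in EHLO, the EHLO value is worth recording and checking on the receiving side. A common check is whether the announced name forward-resolves to the connecting address. The following is an added example, not from the article or the researchers it cites; it uses a constructed DNS table in place of live lookups, and every hostname and address in it is invented.

```python
"""Added example, not from the article: classify SMTP EHLO hostnames
against the connecting IP using a constructed DNS table (an assumption
standing in for real forward lookups)."""
import ipaddress

# Constructed forward-DNS table: hostname -> set of A records.
DNS_A = {
    "mx1.example-partner.test": {"192.0.2.25"},
    "relay.spam-host.test": {"203.0.113.40"},
    "mail.big-provider.test": {"198.51.100.5"},
}

# Constructed receiving-MTA log: timestamp client-ip verb argument
SMTP_LOG = """\
2019-06-01T10:00:00Z 192.0.2.25 EHLO mx1.example-partner.test
2019-06-01T10:01:00Z 203.0.113.40 EHLO relay.spam-host.test
2019-06-01T10:02:00Z 203.0.113.41 EHLO relay.spam-host.test
2019-06-01T10:03:00Z 198.51.100.77 EHLO mail.big-provider.test
2019-06-01T10:04:00Z 198.51.100.200 EHLO [198.51.100.200]
2019-06-01T10:05:00Z 203.0.113.90 EHLO unknown.nowhere.test
"""


def parse_smtp_log(text):
    """Return a list of (client_ip, ehlo_name) pairs from the log."""
    sessions = []
    for line in text.strip().splitlines():
        _ts, ip, verb, name = line.split()
        if verb == "EHLO":
            sessions.append((ip, name.lower()))
    return sessions


def classify_ehlo(ip, name, dns=DNS_A):
    """Classify one EHLO announcement relative to the connecting IP."""
    try:
        ipaddress.ip_address(name.strip("[]"))
        return "ip-literal"          # address literal instead of a hostname
    except ValueError:
        pass
    addrs = dns.get(name)
    if addrs is None:
        return "unresolvable"        # announced name has no A record
    return "consistent" if ip in addrs else "mismatch"


def ehlo_report(text, dns=DNS_A):
    """Group sessions by EHLO name so reuse of one name from several
    unrelated addresses stands out."""
    report = {}
    for ip, name in parse_smtp_log(text):
        report.setdefault(name, []).append((ip, classify_ehlo(ip, name, dns)))
    return report


if __name__ == "__main__":
    for name, sessions in ehlo_report(SMTP_LOG).items():
        print(name, sessions)
```

A consistent result is not a clean bill of health: a purpose-built sending host whose name resolves correctly, as the constructed relay.spam-host.test does from its first address, passes this check. The value is in keeping the EHLO name in the mail log so that mismatches, address literals and the same name reappearing from many networks can be pivoted on during investigation.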
Western governments have recently and publicly blamed the APT28 group for attack campaigns against Georgia, a former Soviet republic.