Saturday, October 19, 2024

Russia’s luxury car phishing scam continues to succeed

Research has shown that foreign diplomatic missions and non-governmental organizations in Ukraine are not adequately protecting their staff from basic phishing attacks, which poses a serious risk to government personnel and national security. A recent investigation into a repeated phishing campaign revealed that the tactics used were virtually identical to those used in previous years.

Last year, Palo Alto Networks’ Unit 42 team uncovered a phishing attempt by the Cozy Bear group, where Russian hackers posed as a Polish official selling a BMW 5 Series. This campaign targeted diplomats from various countries, including Albania, Argentina, Canada, and the US. This year, a similar campaign by the Fancy Bear group, also known as APT28, involved a fake staffer from the Southeast Europe Law Enforcement Center trying to sell an Audi Q7 Quattro SUV.

The Fancy Bear campaign, which started in March 2024, is distinct from the Cozy Bear campaign and uses different tactics. The group used a legitimate web service to host a malicious HTML page that, once the link was clicked, downloaded and executed the HeadLace backdoor on the victim’s computer. This gives Fancy Bear deeper access to the targeted organizations than a credential-harvesting page alone would.

While Cozy Bear and Fancy Bear are believed to operate under different Russian intelligence agencies, there is some overlap in their operations. Both groups have been known to collaborate in the past, sometimes under the name Grizzly Steppe. It is important for organizations to be aware of these threats and take steps to protect themselves against phishing attacks.