Fancy Bear, APT28 Threat Actor Sniffing Middle East Defence Firms

chetan
2 min read · Apr 22, 2020


The Russian military intelligence-linked cyberespionage group, known by several names including APT28, Sednit, Pawn Storm, Fancy Bear and Strontium, has been active since 2004 and has relied on zero-days and malware to target its victims. Back in May last year it began using previously hacked email accounts belonging to high-profile personnel working at defence firms in the Middle East to send out credential phishing emails, according to cybersecurity firm Trend Micro.

“The actor connects to a dedicated server using the OpenVPN option of a commercial VPN provider and then uses compromised email credentials to send out credential spam via a commercial email service provider,” said Trend Micro.

Using compromised email accounts from the government, financial, utilities and transportation sectors, Pawn Storm has been firing off phishing attacks in the Gulf Cooperation Council (GCC) countries. Its targets are not just government, military and political organizations: it has also gone after IT companies, academia, law enforcement firms and airports around the world, says Trend Micro.

In its ongoing campaign, APT28 port-scans mail servers, including Microsoft Exchange Autodiscover hosts, on TCP ports 443 and 1433 in the hope of finding vulnerable machines to exploit and use as staging posts.

What should you do if Fancy Bear or APT28 targets you?

Keep an eye on your infrastructure for any unusual access patterns, patch your systems promptly when vendors release updates, and, most importantly, educate your employees not to click on links in unexpected emails.
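One concrete way to "keep an eye on your infrastructure" for the scanning behaviour described above is to look for a single source touching the mail-server ports (TCP 443 and 1433) on many different hosts in a short time. The script below is an added example written for this post, not code from Trend Micro or from the original author; the simplified firewall log format, the sample log lines, the 10-minute window and the five-host threshold are all constructed assumptions and should be tuned to your own environment.

```python
"""Flag sources that sweep mail-server ports (TCP 443 / 1433) across many hosts.

Added example for this post. Assumed (constructed) log line format:
  <ISO-8601 timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp action=<allow|deny>
"""
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {443, 1433}          # ports named in the Trend Micro report
WINDOW = timedelta(minutes=10)       # assumed detection window
MIN_DISTINCT_HOSTS = 5               # assumed threshold: hosts hit within one window

# Constructed sample log: 203.0.113.7 sweeps six hosts in seconds (should alert);
# 192.0.2.5 is a normal client talking to one server; 192.0.2.20 touches five
# hosts but spread over four hours, so it stays below the per-window threshold.
SAMPLE_LOG = """\
2020-04-20T08:00:01Z src=203.0.113.7 dst=198.51.100.10 dport=443 proto=tcp action=deny
2020-04-20T08:00:02Z src=203.0.113.7 dst=198.51.100.11 dport=443 proto=tcp action=deny
2020-04-20T08:00:03Z src=203.0.113.7 dst=198.51.100.12 dport=1433 proto=tcp action=deny
2020-04-20T08:00:04Z src=203.0.113.7 dst=198.51.100.13 dport=443 proto=tcp action=allow
2020-04-20T08:00:05Z src=203.0.113.7 dst=198.51.100.14 dport=1433 proto=tcp action=deny
2020-04-20T08:00:06Z src=203.0.113.7 dst=198.51.100.15 dport=443 proto=tcp action=deny
2020-04-20T08:00:07Z src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp action=allow
2020-04-20T08:01:07Z src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp action=allow
2020-04-20T08:02:07Z src=192.0.2.5 dst=198.51.100.10 dport=443 proto=tcp action=allow
2020-04-20T08:00:09Z src=192.0.2.9 dst=198.51.100.10 dport=25 proto=tcp action=allow
2020-04-20T08:30:00Z src=192.0.2.20 dst=198.51.100.10 dport=443 proto=tcp action=allow
2020-04-20T09:30:00Z src=192.0.2.20 dst=198.51.100.11 dport=443 proto=tcp action=allow
2020-04-20T10:30:00Z src=192.0.2.20 dst=198.51.100.12 dport=443 proto=tcp action=allow
2020-04-20T11:30:00Z src=192.0.2.20 dst=198.51.100.13 dport=443 proto=tcp action=allow
2020-04-20T12:30:00Z src=192.0.2.20 dst=198.51.100.14 dport=443 proto=tcp action=allow
"""


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport)."""
    fields = line.split()
    ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(f.split("=", 1) for f in fields[1:])
    return ts, kv["src"], kv["dst"], int(kv["dport"])


def find_port_sweeps(lines, window=WINDOW, min_hosts=MIN_DISTINCT_HOSTS):
    """Return {src: summary} for sources that hit >= min_hosts distinct
    destinations on a watched port inside any single time window."""
    per_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = parse_line(line)
        if dport in WATCHED_PORTS:
            per_src[src].append((ts, dst, dport))

    alerts = {}
    for src, events in per_src.items():
        events.sort()                      # chronological order
        best = None
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            hosts = {dst for _, dst, _ in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > best["distinct_hosts"]):
                best = {
                    "distinct_hosts": len(hosts),
                    "ports": sorted({p for _, _, p in span}),
                    "first_seen": span[0][0].isoformat(),
                    "last_seen": span[-1][0].isoformat(),
                }
        if best:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, info in find_port_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible mail-server port sweep from {src}: {info}")
```

Run against real firewall or NetFlow exports by replacing `SAMPLE_LOG` with the lines from your logs (and adjusting `parse_line` to your format). The point of the sliding window is the false-positive case shown by 192.0.2.20: a source that legitimately reaches several of your servers over a working day should not fire, while a burst across many hosts in seconds should.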


Written by chetan

Cyber Security Enthusiast
