BlueDelta Launches Advanced Credential Theft Campaign Targeting Ukrainian Webmail Users

A recent cyber-espionage campaign has been identified, targeting users of UKR.NET, a widely used Ukrainian webmail and news service. This operation is attributed to BlueDelta, a Russian state-sponsored hacking group also known as APT28, Fancy Bear, and Forest Blizzard. Active for over a decade, BlueDelta focuses on infiltrating government agencies, defense contractors, and other high-value targets to support Russia’s military intelligence objectives.

Campaign Overview

Between June 2024 and April 2025, BlueDelta orchestrated a credential-harvesting operation by creating counterfeit UKR.NET login pages. These deceptive pages were designed to capture users’ usernames, passwords, and two-factor authentication codes. To host these fake login portals, the attackers utilized free web services such as Mocky and DNS EXIT, which helped obscure their activities and complicate tracking efforts.

The distribution method involved sending PDF files to targeted individuals. These PDFs contained links directing recipients to the fraudulent login pages. This tactic was strategically chosen to bypass automated email security systems and sandbox tools that typically scan for malicious content, thereby increasing the likelihood of successful credential theft.

Evolution of Tactics

In early 2024, following disruptions to their previous infrastructure by law enforcement agencies, BlueDelta adapted its methods. Recorded Future analysts observed that the group shifted from using compromised routers to employing proxy tunneling services like ngrok and Serveo. These platforms allowed the attackers to mask the true locations of their servers while effectively capturing victims’ credentials. This evolution underscores the group’s resilience and commitment to gathering sensitive information from Ukrainian users amid ongoing geopolitical tensions.

Credential-Harvesting Mechanism

The counterfeit login pages incorporated custom JavaScript code designed to intercept and transmit user information to servers controlled by the attackers. This code not only captured login credentials but also relayed CAPTCHA challenges to domains operating on unusual port numbers, such as `kfghjerrlknsm[.]line[.]pm:11962`. Additionally, the attackers implemented code to record victims’ IP addresses using HTTPBin, a free API service, further enhancing their data collection capabilities.

In subsequent iterations of the campaign, BlueDelta refined its JavaScript to disable ngrok’s browser warning page (the interstitial that ngrok’s free tier shows on the first visit to a tunnel). By adding the line `req.setRequestHeader("ngrok-skip-browser-warning", "1");`, they prevented victims from encountering that warning when accessing the fake login pages through the proxy service. This modification increased the perceived legitimacy of the fraudulent pages, reducing the likelihood of detection by the targets.

Complex Attack Infrastructure

BlueDelta constructed a multi-layered infrastructure to execute their credential-harvesting campaign, consisting of up to six distinct layers between the victim and the final server. The initial layer employed link-shortening services like TinyURL and Linkcuts to distribute the malicious links. The second layer hosted the counterfeit login pages on platforms such as Mocky. The third layer utilized ngrok tunneling domains to connect to dedicated servers located in France and Canada. This intricate setup was designed to obfuscate the attack’s origin and complicate efforts by security teams to trace and dismantle the operation.
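The layered chain described above, and the script indicators from the earlier sections (the ngrok warning-bypass header, the HTTPBin IP lookup, the endpoint on an unusual port), can be turned into simple triage checks. The following is an added example written for this article, not code from Recorded Future or from the campaign; the service domain lists and the sample redirect chain and script are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Service categories named in the article. Domain lists are illustrative
# assumptions, not a complete inventory of each provider's zones.
SHORTENERS = {"tinyurl.com"}
FREE_HOSTING = {"run.mocky.io", "mocky.io"}
TUNNELS = {"ngrok.io", "ngrok-free.app", "ngrok.app", "serveo.net"}
STANDARD_PORTS = {None, 80, 443}

def host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify_hop(url):
    """Tag one URL in a redirect chain with the layer types it matches."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    tags = []
    if host_matches(host, SHORTENERS): tags.append("shortener")
    if host_matches(host, FREE_HOSTING): tags.append("free-hosting")
    if host_matches(host, TUNNELS): tags.append("tunnel")
    if p.port not in STANDARD_PORTS: tags.append("nonstandard-port")
    return tags

def assess_chain(urls, claimed_brand="ukr.net"):
    """Score a chain: each distinct layer type adds 1, and a final hop that
    is not on the imitated brand's domain adds 2."""
    findings = [(u, classify_hop(u)) for u in urls]
    layers = {t for _, tags in findings for t in tags}
    final_host = (urlparse(urls[-1]).hostname or "").lower()
    brand_mismatch = not host_matches(final_host, {claimed_brand})
    return {"findings": findings, "layers": sorted(layers),
            "brand_mismatch": brand_mismatch,
            "score": len(layers) + (2 if brand_mismatch else 0)}

JS_INDICATORS = {
    "ngrok-warning-bypass": re.compile(r"ngrok-skip-browser-warning"),
    "ip-lookup-httpbin": re.compile(r"httpbin\.org/ip"),
    "nonstandard-port-endpoint": re.compile(r"https?://[\w.\-]+:\d{4,5}"),
}

def scan_js(js):
    """Return the names of kit indicators present in a page's script."""
    return sorted(n for n, rx in JS_INDICATORS.items() if rx.search(js))

# Constructed sample chain and script mirroring the article's description.
SAMPLE_CHAIN = ["https://tinyurl.com/EXAMPLE", "https://run.mocky.io/v3/EXAMPLE",
                "https://EXAMPLE.ngrok-free.app/login", "https://EXAMPLE.line.pm:11962/captcha"]
SAMPLE_JS = ('req.setRequestHeader("ngrok-skip-browser-warning", "1");\n'
             'fetch("https://httpbin.org/ip");\n'
             'req.open("POST", "https://EXAMPLE.line.pm:11962/submit");')
```

A mail gateway or proxy that already records redirect chains can feed each resolved chain into `assess_chain` and alert on high scores; the page script check is a cheap second signal on the landing page itself.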

Throughout the campaign period, Recorded Future researchers identified over 42 different credential-harvesting chains, highlighting the scale and persistence of BlueDelta’s efforts. This extensive and sophisticated approach underscores the group’s commitment to compromising Ukrainian webmail users and obtaining sensitive information.

Implications and Recommendations

The activities of BlueDelta represent a significant threat to individuals and organizations relying on UKR.NET and similar services. The use of advanced techniques, such as multi-layered infrastructure and proxy tunneling, demonstrates the evolving nature of state-sponsored cyber threats.

To mitigate the risk of such attacks, users are advised to:

– Verify Authenticity: Always ensure that login pages are legitimate by checking the full domain in the URL and looking for HTTPS encryption; note that HTTPS alone is not proof of legitimacy, since phishing pages hosted on tunneling and free hosting services are also served over HTTPS.

– Be Cautious with Email Attachments: Avoid opening PDF files or clicking on links from unknown or untrusted sources.

– Enable Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security, making it more difficult for attackers to gain unauthorized access. Because this campaign captured one-time codes alongside passwords, phishing-resistant methods such as hardware security keys offer stronger protection than SMS or app-generated codes.

– Stay Informed: Keep abreast of the latest cybersecurity threats and tactics employed by malicious actors to enhance personal and organizational security measures.

By adopting these practices, users can better protect themselves against sophisticated credential-harvesting campaigns like those conducted by BlueDelta.