HeadLace: How Russian Hackers Are Infiltrating Europe’s Networks, here is what we know. A Quick Look

The Russian GRU-backed threat actor APT28 has been attributed as behind a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages. APT28, also known by the names BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is an advanced persistent threat (APT) group affiliated with Russia’s strategic military intelligence unit, the GRU.

Stealth and Sophistication

The hacks operate with an elevated level of stealth and sophistication, often demonstrating their adaptability through deep preparedness and custom tooling. They rely on legitimate internet services (LIS) and ‘living off-the-land binaries’ (LOLBins) to conceal their operations within regular network traffic. From April to December 2023, BlueDelta deployed HeadLace malware in three distinct phases using geofencing techniques to target networks throughout Europe, with a heavy focus on Ukraine. These espionage activities reflect a broader strategy aimed at gathering intelligence on entities with military significance to Russia in the context of its ongoing aggression against Ukraine.

Spear-Phishing Emails

HeadLace, as previously documented by the Computer Emergency Response Team of Ukraine (CERT-UA), Zscaler, Proofpoint, and IBM X-Force, is distributed via spear-phishing emails containing malicious links. When clicked, these links initiate a multi-stage infection sequence to drop the malware. BlueDelta employed a 7-stage infrastructure chain during the first phase to deliver a malicious Windows BAT script (i.e., HeadLace) capable of downloading and running follow-on shell commands, subject to sandbox and geofencing checks. The second phase, which began on September 28, 2023, used GitHub as the starting point of the redirection infrastructure, while the third phase switched to using PHP scripts hosted on InfinityFree beginning October 17, 2023. The last detected activity in Phase 3 was in December 2023, after which BlueDelta likely ceased using InfinityFree hosting and favored hosting infrastructure on webhook.site and mocky.io directly.

Credential Harvesting Operations

BlueDelta also undertook credential harvesting operations designed to target services like Yahoo! and UKR.net by serving lookalike pages. These pages ultimately trick victims into entering their credentials. Another technique involved creating dedicated web pages on Mocky that interact with a Python script running on compromised Ubiquiti routers to exfiltrate the entered credentials. Earlier this February, a U.S.-led law enforcement operation disrupted a botnet comprising Ubiquiti EdgeRouters that APT28 had put to use for this purpose. The targets of the credential harvesting activity included the Ukrainian Ministry of Defence, Ukrainian weapons import and export companies, European railway infrastructure, and a think tank based in Azerbaijan.

In summary, the HeadLace malware campaign orchestrated by APT28 demonstrates the group’s sophisticated tactics, adaptability, and strategic focus on gathering intelligence. As Europe remains a prime target, organizations must remain vigilant and take proactive measures to defend against such cyber threats.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.