Insikt Group details GRU BlueDelta campaigns across Europe targeting key networks with Headlace malware and credential-harvesting pages, deployed in three phases from April to December 2023. The operations used phishing, legitimate internet services (LIS), and living-off-the-land binaries (LOLBins) to extract intelligence, focusing on Ukraine, European rail infrastructure, and an Azerbaijani think tank. #BlueDelta #Headlace #GRU #UkraineMoD #EuropeanRailways #AzerbaijanCenterforEconomicandSocialDevelopment #Yahoo #UKRnet
Keypoints
- GRU BlueDelta campaigns target European networks with information-stealing Headlace malware and credential-harvesting pages.
- Headlace was deployed in three phases between April and December 2023, using phishing, LIS, and LOLBins to operate.
- Phishing emails were used, sometimes mimicking legitimate communications to increase effectiveness.
- Credential harvesting pages targeted Yahoo and ukr.net, capable of handling 2FA and CAPTCHA challenges.
- Targets include Ukraine’s Ministry of Defence, European railway infrastructure, and an Azerbaijani think tank.
- Operations demonstrate a broader Russian strategic effort to influence regional and military dynamics and underscore the need for stronger phishing defenses, LIS restrictions, and critical infrastructure monitoring.
MITRE Techniques
- [T1566] Phishing – Used phishing emails, sometimes mimicking legitimate communications to increase effectiveness. ‘phishing emails, sometimes mimicking legitimate communications to increase effectiveness.’
- [T1583] Acquire Infrastructure – Exploited legitimate internet services (LIS) to host or facilitate operations. ‘exploits legitimate internet services (LIS) and living off-the-land binaries (LOLBins), further disguising their operations within regular network traffic.’
- [T1059] Command and Scripting Interpreter – Leveraged living off-the-land binaries (LOLBins) to execute and blend into normal traffic. ‘living off-the-land binaries (LOLBins), further disguising their operations within regular network traffic.’
- [T1555] Credentials in Web Services – Credential harvesting pages targeted Yahoo and UKR.net, capable of relaying two-factor authentication and CAPTCHA challenges. ‘relaying two-factor authentication and CAPTCHA challenges.’
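As an added defensive example (not code from the Insikt Group report), the check below scans constructed proxy-log lines for hostnames that carry the Yahoo or ukr.net brand without sitting under the real domain, which is the trace a credential-harvesting page mimicking those sign-in portals would leave in web logs. The log format, the sample hostnames and the brand patterns are assumptions.

```python
"""Flag proxy-log hostnames that impersonate the mail providers named in the report."""
import re
from urllib.parse import urlsplit

# Providers whose sign-in pages the report says were mimicked (from the page).
LEGIT_DOMAINS = {"yahoo.com", "ukr.net"}
# Assumed brand patterns a lookalike host would typically carry in its name.
BRAND_PATTERNS = [re.compile(r"yahoo"), re.compile(r"ukr[-_.]?net")]

# Constructed sample lines in an assumed "timestamp client url" format (not real logs).
SAMPLE_LOG = """\
2023-05-02T09:14:11Z 10.0.3.17 https://login.yahoo.com/account/challenge
2023-05-02T09:16:40Z 10.0.3.17 https://login.yahoo.com.verify-session.example/auth
2023-05-02T09:20:05Z 10.0.3.22 https://mail.ukr.net/desktop
2023-05-02T09:21:30Z 10.0.3.22 https://ukr-net-login.example/2fa
2023-05-02T09:25:00Z 10.0.3.31 https://intranet.example/news
"""


def is_legit_host(host: str) -> bool:
    """True only if host is a legitimate provider domain or a true subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def looks_like_lookalike(host: str) -> bool:
    """Brand name present in the hostname, but the host is not under the real domain."""
    if is_legit_host(host):
        return False
    return any(p.search(host.lower()) for p in BRAND_PATTERNS)


def find_lookalike_hosts(log_text: str) -> list[str]:
    """Return the ordered, deduplicated hostnames in the log that impersonate a provider."""
    seen: list[str] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than failing
        host = urlsplit(parts[2]).hostname or ""
        if host and looks_like_lookalike(host) and host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    for h in find_lookalike_hosts(SAMPLE_LOG):
        print("suspect credential-harvesting host:", h)
```

A suffix match against the real domain is what keeps `login.yahoo.com` clean while still catching `login.yahoo.com.verify-session.example`, where the brand is only a leading label.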
Indicators of Compromise
- [Domain] Target domains – yahoo.com, ukr.net. ‘Credential harvesting pages targeted Yahoo and UKR[.]net.’