In a recent investigation, the threat intelligence team Cluster25 identified a spear-phishing operation it named ‘The Bear and the Shell’. The campaign largely targets organizations and individuals who publicly oppose the Russian government or support dissident movements. The attackers rely on social engineering, presenting credible-looking lures to draw their targets into opening malicious attachments.
Techniques of Deception and Control
One lure observed is a fake NASA job offer sent by email with a ZIP attachment. When a victim opens the archive and runs its contents, it installs HTTP-Shell, a cross-platform reverse shell that talks to its operator over HTTP. The shell itself is open-source tooling; its ordinary capabilities, such as manipulating files, listing directories and running commands, are what the operators abuse once it connects back to their command-and-control (C&C) server. In this campaign the C&C server was disguised as a benign PDF editing website, so its traffic blends in with normal web browsing and is less likely to draw attention.
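The disguise works against reputation-based controls, but not against timing analysis: a reverse shell has to call home, and HTTP-Shell-style tooling usually does so on a fixed polling schedule. As an added example (not code from Cluster25's report or from the HTTP-Shell project), the following Python script groups proxy log entries by source and destination and scores how regular their timing is, which surfaces the beacon regardless of how innocuous the C&C domain looks. The log lines, the host names (pdf-editor-online.example, news.example) and the threshold values are all constructed for the illustration.

```python
"""Beacon-timing detector over HTTP proxy logs.

Added illustration, not code from Cluster25 or the HTTP-Shell project.
An HTTP reverse shell must poll its C&C server for commands, and the
polling interval is usually fixed. Regular timing therefore stands out
even when the destination is dressed up as a harmless PDF editing site.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one request per line:
#   <ISO timestamp> <src_ip> <dest_host> <method> <path> <status>
# 10.0.0.5 polls a "PDF editor" site every ~30 s (hypothetical beacon);
# 10.0.0.7 browses a news site at irregular, human-looking intervals.
SAMPLE_LOG = """\
2024-01-10T09:00:00Z 10.0.0.5 pdf-editor-online.example GET /api/session 200
2024-01-10T09:00:05Z 10.0.0.7 news.example GET / 200
2024-01-10T09:00:10Z 10.0.0.7 news.example GET /world 200
2024-01-10T09:00:30Z 10.0.0.5 pdf-editor-online.example GET /api/session 200
2024-01-10T09:01:00Z 10.0.0.5 pdf-editor-online.example GET /api/session 200
2024-01-10T09:01:31Z 10.0.0.5 pdf-editor-online.example GET /api/session 200
2024-01-10T09:02:00Z 10.0.0.5 pdf-editor-online.example GET /api/session 200
proxy restarted
2024-01-10T09:02:30Z 10.0.0.5 pdf-editor-online.example GET /api/session 200
2024-01-10T09:03:00Z 10.0.0.5 pdf-editor-online.example GET /api/session 200
2024-01-10T09:03:30Z 10.0.0.5 pdf-editor-online.example GET /api/session 200
2024-01-10T09:03:30Z 10.0.0.7 news.example GET /politics 200
2024-01-10T09:03:42Z 10.0.0.7 news.example GET /politics/item-1 200
2024-01-10T09:05:12Z 10.0.0.7 news.example GET /politics/item-2 200
2024-01-10T09:11:52Z 10.0.0.7 news.example GET /sport 200
2024-01-10T09:11:55Z 10.0.0.7 news.example GET /sport/item-9 200
2024-01-10T09:12:55Z 10.0.0.7 news.example GET /sport/item-3 200
"""


def parse_line(line):
    """Return (timestamp, src_ip, dest_host), or None for lines that do not fit the format."""
    fields = line.split()
    if len(fields) != 6:
        return None
    try:
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, fields[1], fields[2]


def beacon_candidates(lines, min_events=6, max_cv=0.2):
    """Score each (src, host) pair by the regularity of its request timing.

    The coefficient of variation (standard deviation / mean) of the gaps
    between consecutive requests is close to 0 for a fixed-interval beacon
    and large for human browsing. Pairs with at least `min_events` requests
    and cv <= `max_cv` are returned as (src, host, mean_gap_s, cv).
    The thresholds are illustrative assumptions, not tuned values.
    """
    stamps_by_pair = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank, malformed or non-request lines
        ts, src, host = parsed
        stamps_by_pair[(src, host)].append(ts)

    flagged = []
    for (src, host), stamps in stamps_by_pair.items():
        if len(stamps) < min_events:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append((src, host, round(avg, 1), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    for src, host, avg, cv in beacon_candidates(SAMPLE_LOG.splitlines()):
        print(f"possible beacon: {src} -> {host} every ~{avg}s (cv={cv})")
```

On the constructed sample only the 10.0.0.5 to pdf-editor-online.example pair is flagged; the news browsing from 10.0.0.7 has a coefficient of variation above 1 and is ignored. Against real proxy data the same idea needs longer observation windows and some tolerance for deliberate jitter, and the key point for this campaign is that the destination's friendly appearance plays no part in the decision.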
Expanding the Campaign’s Horizon
Cluster25’s further analysis showed that the NASA-themed lure is only one of several. Multiple campaigns share the same attack pattern, reuse identical shortcut icons and recycle the same lure themes, which points to a systematic effort against a wide range of targets. The decoys are not limited to space-agency themes: others impersonate USAID communications or target Bellingcat, the Netherlands-based investigative journalism group. The use of articles from independent Russian media as bait further indicates a deliberate interest in groups critical of Russian policy.
Attribution and Implications
Direct attribution to a specific actor is difficult, but the circumstantial evidence points toward Russian state-sponsored operators. The profile of the targets, together with links to infrastructure previously associated with Sliver beacon operations, suggests state-level involvement. These findings underscore the continuing use of cyberattacks to suppress dissent and silence opposition voices.
The discovery of ‘The Bear and the Shell’ campaign illustrates the lengths to which cyber adversaries go to infiltrate and undermine groups critical of the Russian government, and it is a reminder of the persistent threats facing such organizations worldwide.