Bluedelta

Threat Actor Profile Updated 3 months ago
Bluedelta is a threat actor associated with the Russian state-sponsored hacking operation known as APT28 or Fancy Bear. In a recent spear-phishing campaign that began in November 2021, Bluedelta targeted the email servers of several government entities and a military aviation organization in Ukraine. This was revealed by the cybersecurity firm Recorded Future through its news site, The Record. Recorded Future's Insikt Group assessed that Bluedelta's activity is likely intended to enable military intelligence-gathering in support of Russia's invasion of Ukraine, and it anticipates that Bluedelta will prioritize targeting Ukrainian government and private sector organizations to support wider Russian military efforts. Notably, Bluedelta has demonstrated a long-standing interest in gathering intelligence on entities in Ukraine and across Europe, primarily government and military/defense organizations. The campaign used spear-phishing emails carrying attachments that exploited vulnerabilities in Roundcube, a web-based email client, to run reconnaissance and exfiltration scripts; these redirected incoming emails and collected session cookies, user information, and address books. The BlueDelta Outlook and Roundcube spear-phishing infection chains also overlap.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
APT28 | 1 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Outlook
Ukraine
State Sponso...
Phishing
Reconnaissance
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Fancy Bear | Unspecified | 1 | Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2020-12641 | Unspecified | 1 | CVE-2020-12641 is a significant vulnerability discovered in the Roundcube Webmail application. It is an issue that arises from a flaw in the software's design or implementation, which allows for Command Injection and Cross-Site Scripting (XSS) attacks (CVE-2020-35730). The exploitation of this vulne
CVE-2021-44026 | Unspecified | 1 | None
CVE-2020-35730 | Unspecified | 1 | CVE-2020-35730 is a Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail, first discovered three years ago. The flaw has been actively exploited by threat actors in various campaigns. In the BlueDelta and APT28 campaigns, spear-phishing techniques were employed, with email attachments desig
Source Document References
Information about the Bluedelta threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | a year ago | Ukrainian email servers subjected to Russian APT cyberespionage operation
Recorded Future | a year ago | BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities | Recorded Future