Security Snippets: Espionage group expands global phishing campaign

Hogan Lovells

Russia-linked threat actor Fancy Bear is conducting a wave of phishing campaigns impersonating entities across Europe, the Americas, and Asia, focusing on Ukraine-related targets.


IBM X-Force has identified an ongoing phishing campaign conducted by ITG05, a Russian state-sponsored group also known as “Fancy Bear,” which uses documents designed to impersonate government and non-governmental organizations in Ukraine, Georgia, Kazakhstan, Belarus, Argentina, and the United States. The identified lures include both internal and publicly available documents relating to a variety of topics, including finance, critical infrastructure, cyber security, healthcare, business, and executive engagements.

The latest phishing attacks appear to be part of a continuous effort by Fancy Bear to deceive victims in, or with a connection to, Ukraine into downloading malicious software leveraging the “search-ms” protocol and WebDAV servers. Similar to Fancy Bear’s previous activities, the end goal of this scheme is to enable the group to steal files, execute arbitrary commands, and pilfer sensitive data from web browsers. It is likely that Fancy Bear will continue to leverage commercially available infrastructure and deploy new infection methodologies to achieve its goals.

Companies with business or operations in Ukraine, or that are otherwise likely to be on the radar of the Russian government, may want to consider issuing a phishing reminder specifically noting the potential for threat actors to provide what look like official governmental documents.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising
