{
	"id": "2662b649-d15f-433d-9bd0-25e6bcc4b61b",
	"created_at": "2026-04-06T00:19:25.12204Z",
	"updated_at": "2026-04-10T13:11:35.741787Z",
	"deleted_at": null,
	"sha1_hash": "1ea495e6c61eb1416682e28c790e903571a6e445",
	"title": "Ukraine says an energy facility disrupted a Fancy Bear intrusion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88009,
	"plain_text": "Ukraine says an energy facility disrupted a Fancy Bear intrusion\r\nBy Daryna Antoniuk\r\nPublished: 2023-09-05 · Archived: 2026-04-05 14:22:59 UTC\r\nAn infamous Russian cyberespionage group was caught attacking a critical energy facility in Ukraine, a\r\ngovernment agency said on Tuesday.\r\nA cybersecurity expert working for the targeted organization thwarted the attack, according to the report from\r\nUkraine’s computer emergency response team (CERT-UA). The agency attributed the incident to Kremlin-controlled hackers known as Fancy Bear or APT28.\r\nCERT-UA said the group targeted an unspecified energy facility in Ukraine, using phishing emails to gain initial\r\naccess to the targeted systems. Fancy Bear is believed to be associated with the Russian military intelligence\r\nagency GRU, and its history includes the attack on the U.S. Democratic National Committee during the 2016\r\nelections.\r\nThe content of the malicious email was unusual. In past attacks, Russian hackers typically faked government\r\ndocuments or, in the case of Fancy Bear, distributed bogus software update advisories.\r\nHowever, this time, the email shared by CERT-UA included three images and the following message: \"Hi! I talked\r\nto three girls, and they agreed. Their photos are in the archive; I suggest checking them out on the website.\"\r\nIn addition to these images, the archive also contains a file in BAT format. BAT files are scripts used in Windows\r\nto automate various tasks.\r\nWhen the victim runs this file, it opens a few fake web pages that are meant to look innocent, but it executes a\r\nharmful script on the targeted device.\r\nThe attackers also installed Tor on the victim's computer, researchers said. 
The software allows anonymous\r\ninternet browsing by routing network traffic through a network of volunteer-operated servers, making it\r\nchallenging to trace the data's source.\r\nIn the recent attack, an employee identified the cyberthreat and took steps to respond, CERT-UA said. They\r\nrestricted access to certain web resources related to the Mockbin service, a tool used for testing and development,\r\nthe report said. Fancy Bear has used Mockbin in the past to target Ukrainian government agencies.\r\nAdditionally, the energy facility blocked the use of Windows Script Host, a system for automating tasks in the\r\nWindows operating system, CERT-UA said.\r\nCERT-UA has not disclosed any information about the hackers' specific target. It has been some time since\r\nUkrainian authorities publicly reported an attack on the country's energy infrastructure. Last fall, Ukraine\r\nexperienced a combination of missile strikes and cyberattacks on its energy infrastructure, as Russia aimed to\r\ndisrupt the country's power supply.\r\nhttps://therecord.media/ukraine-energy-facility-cyberattack-fancy-bear-email\r\nPage 1 of 3\n\nThe onslaught resulted in the destruction of power plants, major transmission lines, and substations, leading to\r\ndaily blackouts lasting for several hours.\r\nThe attacks stopped with the arrival of warmer weather, but there are concerns that new blackouts may occur this\r\nupcoming fall, as Russia is reportedly preparing its arsenal for such actions. The potential impact on cyberspace\r\nactivity remains to be seen.\r\nGet more insights with the\r\nRecorded Future\r\nIntelligence Cloud.\r\nLearn more.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/ukraine-energy-facility-cyberattack-fancy-bear-email\r\nPage 2 of 3\n\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. 
She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/ukraine-energy-facility-cyberattack-fancy-bear-email\r\nhttps://therecord.media/ukraine-energy-facility-cyberattack-fancy-bear-email\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/ukraine-energy-facility-cyberattack-fancy-bear-email"
	],
	"report_names": [
		"ukraine-energy-facility-cyberattack-fancy-bear-email"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434765,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ea495e6c61eb1416682e28c790e903571a6e445.pdf",
		"text": "https://archive.orkl.eu/1ea495e6c61eb1416682e28c790e903571a6e445.txt",
		"img": "https://archive.orkl.eu/1ea495e6c61eb1416682e28c790e903571a6e445.jpg"
	}
}