Security Experts:

Connect with us

Hi, what are you looking for?



Russian ‘Fancy Bear’ Hackers Abuse Blogspot for Phishing

The cyber espionage group known as Fancy Bear, which is widely believed to be backed by the Russian government, has been abusing Google’s Blogspot service in recent phishing attacks.

The cyber espionage group known as Fancy Bear, which is widely believed to be backed by the Russian government, has been abusing Google’s Blogspot service in recent phishing attacks.

Threat intelligence firm ThreatConnect spotted the use of the blogging service while analyzing attacks aimed at Bellingcat, a group of investigative journalists that uses open source information to report on various events taking place around the world.

Fancy Bear, also known as Pawn Storm, APT28, Sofacy, Sednit, Strontium and Tsar Team, was first seen targeting Bellingcat in 2015 as part of a campaign aimed at entities investigating Russia’s involvement in the downing of Malaysia Airlines flight MH17 in July 2014 as it was crossing a conflict zone in Ukraine.

The latest attacks aimed at Bellingcat involved fake emails instructing users to change their Gmail passwords as a result of unauthorized activity on their account, and Dropbox invitations to view shared folders.

The buttons included in these emails pointed to a randomly generated Blogspot subdomain set up to redirect visitors to a phishing page. The phishing sites used HTTPS and they were hosted on subdomains that may have tricked many individuals into thinking they were legitimate. Experts believe the attackers likely used Blogspot in an effort to get past spam filters.

“A URL hosted on Google’s own systems, in this case Blogspot, may be more likely to get past spam filters than URLs hosted on a third party IP address or hostname,” ThreatConnect researchers said in a blog post.

Fancy Bear is believed to be behind many high profile attacks, including a campaign that may have attempted to interfere in last year’s presidential election in the United States.

Researchers at SecureWorks reported last year that they had identified thousands of Gmail accounts targeted by the hackers. The security firm recently provided the entire list of accounts to The Associated Press, whose reporters have analyzed them in an effort to find who they belong to.

They identified the email addresses of entities in 116 countries, including former U.S. Secretaries of State John Kerry and Colin Powell, NATO Supreme Commanders Air Force Gen. Philip Breedlove and Army Gen. Wesley Clark, defense contractors such as Raytheon and Lockheed Martin, U.S. politicians and intelligence officials, Ukrainian officials and the pope’s representative in Kiev, and Russian opponents of the Kremlin.

Related: Russian Cyberspies Target Hotels in Europe

Related: Russian Hackers Exploit Recently Patched Flash Vulnerability

Related: Russian Hackers Target Montenegro as Country Joins NATO

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...