Russian hackers linked to widespread attacks targeting NATO and EU

Russian bear

Poland’s Military Counterintelligence Service and its Computer Emergency Response Team have linked APT29 state-sponsored hackers, part of the Russian government’s Foreign Intelligence Service (SVR), to widespread attacks targeting NATO and European Union countries.

As part of this campaign, the cyberespionage group (also tracked as Cozy Bear and Nobelium) aimed to harvest information from diplomatic entities and foreign ministries.

“At the time of publication of the report, the campaign is still ongoing and in development,” an advisory published today warns.

“The Military Counterintelligence Service and CERT.PL recommend all entities which may be in the area of interest of the actor to implement mechanisms aimed at improving the security of IT Security systems in use and increasing the detection of attacks.”

The attackers have targeted diplomatic personnel using spear phishing emails impersonating European countries’ embassies with links to malicious websites or attachments designed to deploy malware via ISO, IMG, and ZIP files.

Websites controlled by APT29 infected victims with the EnvyScout dropper via HTML smuggling, which helped deploy downloaders known as SNOWYAMBER and QUARTERRIG and designed to deliver additional malware, as well as a CobaltStrike Beacon stager named HALFRIG.

SNOWYAMBER and QUARTERRIG were used for reconnaissance to help the attackers evaluate each target’s relevance and determine whether they compromised honeypots or VMs used for malware analysis.

“If the infected workstation passed manual verification, the aforementioned downloaders were used to deliver and start-up the commercial tools COBALT STRIKE or BRUTE RATEL,” a separate malware analysis report released today reads.

“HALFRIG, on the other hand, works as a so-called loader – it contains the COBALT STRIKE payload and runs it automatically.”

APT29 attack flow
Attack flow (CERT Polska)

APT29 is the Russian Foreign Intelligence Service (SVR) hacking division which was also linked to the SolarWinds supply-chain attack that led to the compromise of multiple U.S. federal agencies three years ago.

Since then, the hacking group has breached other organizations’ networks using stealthy malware that remained undetected for years, including a new malware tracked as TrailBlazer and a variant of the GoldMax Linux backdoor.

Unit 42 has also observed the Brute Ratel adversarial attack simulation tool being used in attacks suspected to be linked to the Russian SVR cyber spies.

More recently, Microsoft reported that the APT29 hackers are using new malware capable of hijacking Active Directory Federation Services (ADFS) to log in as anyone in Windows systems.

They’ve also targeted Microsoft 365 accounts in NATO countries in attempts to access foreign policy information and orchestrated a wave of phishing campaigns targeting governments, embassies, and high-ranking officials across Europe.


Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn