Poland’s Military Counterintelligence Service and its Computer Emergency Response Team have linked APT29 state-sponsored hackers, part of the Russian government’s Foreign Intelligence Service (SVR), to widespread attacks targeting NATO and European Union countries.
As part of this campaign, the cyberespionage group (also tracked as Cozy Bear and Nobelium) aimed to harvest information from diplomatic entities and foreign ministries.
“At the time of publication of the report, the campaign is still ongoing and in development,” an advisory published today warns.
“The Military Counterintelligence Service and CERT.PL recommend all entities which may be in the area of interest of the actor to implement mechanisms aimed at improving the security of IT Security systems in use and increasing the detection of attacks.”
The attackers have targeted diplomatic personnel using spear phishing emails impersonating European countries’ embassies with links to malicious websites or attachments designed to deploy malware via ISO, IMG, and ZIP files.
Websites controlled by APT29 infected victims with the EnvyScout dropper via HTML smuggling, which helped deploy downloaders known as SNOWYAMBER and QUARTERRIG and designed to deliver additional malware, as well as a CobaltStrike Beacon stager named HALFRIG.
SNOWYAMBER and QUARTERRIG were used for reconnaissance to help the attackers evaluate each target’s relevance and determine whether they compromised honeypots or VMs used for malware analysis.
“If the infected workstation passed manual verification, the aforementioned downloaders were used to deliver and start-up the commercial tools COBALT STRIKE or BRUTE RATEL,” a separate malware analysis report released today reads.
“HALFRIG, on the other hand, works as a so-called loader – it contains the COBALT STRIKE payload and runs it automatically.”
APT29 is the Russian Foreign Intelligence Service (SVR) hacking division which was also linked to the SolarWinds supply-chain attack that led to the compromise of multiple U.S. federal agencies three years ago.
Since then, the hacking group has breached other organizations’ networks using stealthy malware that remained undetected for years, including a new malware tracked as TrailBlazer and a variant of the GoldMax Linux backdoor.
Unit 42 has also observed the Brute Ratel adversarial attack simulation tool being used in attacks suspected to be linked to the Russian SVR cyber spies.
More recently, Microsoft reported that the APT29 hackers are using new malware capable of hijacking Active Directory Federation Services (ADFS) to log in as anyone in Windows systems.
They’ve also targeted Microsoft 365 accounts in NATO countries in attempts to access foreign policy information and orchestrated a wave of phishing campaigns targeting governments, embassies, and high-ranking officials across Europe.
Source: www.bleepingcomputer.com