Russia-Linked Hackers Launches Espionage Attacks on Foreign Diplomatic Entities

Uncategorized Cyber-Wall.com todayApril 14, 2023 15 1

Background
share close

The Russia-linked APT29 (aka Cozy Bear) threat actor has been attributed to an ongoing cyber espionage campaign targeting foreign ministries and diplomatic entities located in NATO member states, the European Union, and Africa.

According to Poland’s Military Counterintelligence Service and the CERT Polska team, the observed activity shares tactical overlaps with a cluster tracked by Microsoft as Nobelium, which is known for its high-profile attack on SolarWinds in 2020.

Nobelium’s operations have been attributed to Russia’s Foreign Intelligence Service (SVR), an organization that’s tasked with protecting “individuals, society, and the state from foreign threats.”

That said, the campaign represents an evolution of the Kremlin-backed hacking group’s tactics, indicating persistent attempts at improving its cyber weaponry to infiltrate victim systems for intelligence gathering.

“New tools were used at the same time and independently of each other, or replacing those whose effectiveness had declined, allowing the actor to maintain a continuous, high operational tempo,” the agencies said.

The attacks commence with spear-phishing emails impersonating European embassies that aim to entice targeted diplomats into opening malware-laced attachments under the guise of an invitation or a meeting.

Embedded within the PDF attachment is a booby-trapped URL that leads to the deployment of an HTML dropper called EnvyScout (aka ROOTSAW), which is then used as a conduit to deliver three previously unknown strains SNOWYAMBER, HALFRIG, and QUARTERRIG.

Written by: Cyber-Wall.com

Rate it
Previous post

Post comments (1)

Leave a reply

Your email address will not be published. Required fields are marked *