Russia-Linked Hackers Launches Espionage Assaults on International Diplomatic Entities

Apr 14, 2023Ravie LakshmananUnited States

The Russia-linked APT29 (aka Cozy Bear) risk actor has been attributed to an ongoing cyber espionage marketing campaign focusing on overseas ministries and diplomatic entities situated in NATO member states, the European Union, and Africa.

In keeping with Poland’s Navy Counterintelligence Service and the CERT Polska workforce, the noticed exercise shares tactical overlaps with a cluster tracked by Microsoft as Nobelium, which is understood for its high-profile assault on SolarWinds in 2020.

Nobelium’s operations have been attributed to Russia’s International Intelligence Service (SVR), a corporation that is tasked with defending “people, society, and the state from overseas threats.”

That mentioned, the marketing campaign represents an evolution of the Kremlin-backed hacking group’s techniques, indicating persistent makes an attempt at bettering its cyber weaponry to infiltrate sufferer methods for intelligence gathering.

“New instruments had been used on the identical time and independently of one another, or changing these whose effectiveness had declined, permitting the actor to keep up a steady, excessive operational tempo,” the businesses said.

The assaults begin with spear-phishing emails impersonating European embassies that goal to entice focused diplomats into opening malware-laced attachments underneath the guise of an invite or a gathering.

Embedded inside the PDF attachment is a booby-trapped URL that results in the deployment of an HTML dropper referred to as EnvyScout (aka ROOTSAW), which is then used as a conduit to ship three beforehand unknown strains SNOWYAMBER, HALFRIG, and QUARTERRIG.

SNOWYAMBER, additionally known as GraphicalNeutrino by Recorded Future, leverages the Notion note-taking service for command-and-control (C2) and downloading further payloads similar to Brute Ratel.

QUARTERRIG additionally features as a downloader able to retrieving an executable from an actor-controlled server. HALFRIG, however, acts as a loader to launch the Cobalt Strike post-exploitation toolkit contained inside it.

It is value noting that the disclosure dovetails with latest findings from BlackBerry, which detailed a Nobelium marketing campaign focusing on European Union nations, with a particular emphasis on businesses which are “aiding Ukrainian residents fleeing the nation, and offering assist to the federal government of Ukraine.”