Russian hackers APT28 unleash malware campaign on Polish gov


Poland’s national cybersecurity agency said on Wednesday that the Kremlin-backed hacker group APT28 was found targeting Polish government institutions earlier this week – the latest in a series of Russian cyberattacks aimed at NATO-allied nations supporting Ukraine.

CERT Polska said the hackers had launched a large-scale email phishing campaign using tactics, techniques, and procedures (TTPs) similar to past attacks carried out by the Russian nation-state threat actors APT28.

Also referred to as Unit 26165, Forest Blizzard, Fancy Bear, or Sandworm Team, the Advanced Persistent Threat (APT) group is one of two cyber operations units known to be working under Putin’s GRU – Russia’s Main Intelligence Directorate of the General Staff of the Armed Forces.


"Malware targeting Polish government institutions was distributed this week by the APT28 group, associated with Russia's intelligence services. Hostile activity was recorded and described by teams @CERT_Polska and @CSIRT_MON," the cybersecurity agency said in a statement posted on X and translated into English.

Poland’s Digital Affairs Minister Krzysztof Gawkowski said that Warsaw was constantly identifying cyberattacks from Russia on targets including the nation’s water supply and health services, according to a recent interview with Ukrainian news outlet Economic Truth reported by Polish state news agency PAP.

Lured by images of women

According to CERT teams, the hackers would send out phishing emails to state institutions designed to “arouse the recipient's interest and persuade him to click on the link.”

CERT Polska noted the cyberespionage campaign’s “entire attack flow” – from first email lure to final payload – was identical to that of “Headlace malware,” a custom backdoor delivery system already in use by APT28.

In fact, APT28 used the Headlace malware to target Poland and a dozen other nations this past December.

The entire operation starts with redirect links hosted on popular, well-known web addresses, and eventually tricks the user into clicking on what appears to be a ZIP file of photos.


Eventually, the user downloads a malicious executable disguised as a legitimate application, a technique known as DLL side-loading.

Once launched, a Microsoft Edge browser opens and “displays photos of an actual woman in a swimsuit along with links to her real accounts on social media platforms,” which acts as a ruse intending “to make the attackers' narrative credible and to lull the recipient's vigilance.”

[Image: APT28 targets Poland in the latest cyberespionage campaign. Diagram of the email phishing attack flow. Image by CERT Polska.]

Finally, after several more scripts are downloaded, a file’s extension is changed to .cmd and the file is launched; at that point the user’s computer is infected with the malware, giving the attacker access and a direct connection to the threat group’s command and control (C2) server.
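One way a defender could hunt for the final step of the chain described above (a file renamed to .cmd and then executed), as an added example that is not code from CERT Polska’s report; the event records, file paths and ten-minute window are constructed assumptions:

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the CERT Polska report): file-rename and
# process-creation events in the shape Sysmon-style logs would provide.
SAMPLE_EVENTS = [
    {"ts": "2024-05-08T10:01:00", "type": "file_rename",
     "old": r"C:\Users\jan\AppData\Local\Temp\update.dat",
     "new": r"C:\Users\jan\AppData\Local\Temp\update.cmd"},
    {"ts": "2024-05-08T10:01:07", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\jan\AppData\Local\Temp\update.cmd"'},
    # Benign: an administrator renames a script but does not run it right away.
    {"ts": "2024-05-08T11:30:00", "type": "file_rename",
     "old": r"C:\scripts\backup.txt", "new": r"C:\scripts\backup.cmd"},
    # Benign: a scheduled .cmd with no preceding rename.
    {"ts": "2024-05-08T12:00:00", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ops\nightly.cmd"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_rename_then_launch(events, window=timedelta(minutes=10)):
    """Return (rename_ts, launch_ts, path) for every file that was renamed to a
    .cmd extension and then executed from that path within `window`."""
    renames = [e for e in events if e["type"] == "file_rename"
               and e["new"].lower().endswith(".cmd")
               and not e["old"].lower().endswith(".cmd")]
    launches = [e for e in events if e["type"] == "process_create"]
    hits = []
    for r in renames:
        r_ts = _parse(r["ts"])
        for launch in launches:
            l_ts = _parse(launch["ts"])
            in_window = r_ts <= l_ts <= r_ts + window
            # Match on the renamed path appearing in the launch command line.
            if in_window and r["new"].lower() in launch["cmdline"].lower():
                hits.append((r["ts"], launch["ts"], r["new"]))
    return hits


if __name__ == "__main__":
    for hit in find_rename_then_launch(SAMPLE_EVENTS):
        print("rename-then-launch:", hit)
```

The two benign events are deliberately left unflagged: a rename without a prompt launch, and a launch without a preceding rename, are both ordinary on an administrator’s workstation.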

Russia known for hybrid attacks

The CERT team said it released the report “to disrupt hostile activities and enable the detection and analysis of the described activities,” so network administrators can determine if employees have been subject to any attacks.

Last week, NATO acknowledged that governmental entities and critical infrastructure in Germany and Czechia, as well as Poland, Lithuania, Slovakia, and Sweden, were also subject to attacks by the Russian cyber espionage group.

In January, Ukraine’s Cybersecurity Coordination Center (NCSCC) discovered APT28 trying to gain access to email accounts belonging to members of Ukraine’s Defense Forces, again using email phishing attacks.

“These incidents are part of an intensifying campaign of activities which Russia continues to carry out across the Euro-Atlantic area, including on Alliance territory and through proxies,” NATO said in a statement about the attacks on May 2nd.

“This includes sabotage, acts of violence, cyber and electronic interference, disinformation campaigns, and other hybrid operations… We support and stand in solidarity with the affected Allies,” the North Atlantic Treaty Organization stated.


Russia has denied past allegations by Western governments of carrying out cyberattacks.