Russian cyberspies Cozy Bear target German politicians


Moscow-sponsored cybercriminals Cozy Bear attacked top German politicians and parties with a new malware variant, according to research by Mandiant.

A new campaign carried out by Cozy Bear, also known as APT29, Midnight Blizzard, Nobelium, or The Dukes, was identified in late February 2024.

Phishing emails bearing a logo from the Christian Democratic Union (CDU), a major political party in Germany, invited people to a dinner reception on March 1st. The lure document contained a phishing link to threat actor-controlled compromised website waterforvoiceless[.]org/invite.php. It hosted a malicious ZIP file containing a dropper.

ADVERTISEMENT

In the second stage, the malware delivered the so-called Wineloader payload. This is a new backdoor variant containing several functions. After sneaking into the computer, it decrypts hidden malicious parts containing settings and instructions for the malware.

Wineloader then communicates with a control server using HTTP Get requests. The malware sends information about the infected computer so hackers can decide if it’s a good target and launch additional code.

“Notably, this activity represents a departure from this APT29 initial access cluster’s typical remit of targeting governments, foreign embassies, and other diplomatic missions, and is the first time Mandiant has seen an operational interest in political parties from this APT29 subcluster,” researchers said in a blog post.

While Cozy Bear has previously used lure documents bearing the logo of German government organizations, this is the first instance where they have seen the group use German-language lure content. The Russian Federation-backed threat group has been previously linked by multiple governments to Russia’s Foreign Intelligence Service.

For the initial stage, Cozy Bear continues to use its Rootsaw malware, which is a central component of their activity. Malware delivery operations are highly adaptive and continue to evolve to advance Moscow’s geopolitical interests.

It’s unlikely that Cozy Bear's new arsenal is limited to Germany.

“Western political parties and their associated bodies from across the political spectrum are likely also possible targets for future Russia’s Foreign Intelligence Service-linked cyber espionage activity given Moscow’s vital interest in understanding changing Western political dynamics related to Ukraine and other flashpoint foreign policy issues,” Mandiant, which is part of Google since 2022, warns.

The cybercriminal gang Cozy Bear is also believed to be behind the SolarWinds hack and used vulnerabilities in Microsoft products to go after US and NATO-affiliated organizations.

ADVERTISEMENT