Russian threat actor behind SolarWinds hack targets diplomatic entities in EU

A new campaign by the Russian cybercriminal gang Nobelium has been spotted targeting state institutions in the EU that are giving aid to Ukraine. Some lures involve masquerading as the European Commission and Poland’s Ministry of Foreign Affairs.

Nobelium, a cybercriminal gang with links to the Russian government – and also known as APT29 or Cozy Bear – is involved in a new phishing campaign targeting governmental agencies in the European Union, according to research by BlackBerry.

“The infection vector for this particular campaign is a targeted phishing email containing a weaponized document. The malicious document includes a link leading to the download of an HTML file,” BlackBerry said.

It added that weaponized URLs are hosted on a legitimate online library website based in El Salvador, which the threat actor is believed to have compromised between the end of January and the beginning of February.

The campaign was first observed in March. It specifically targets European state institutions and systems transmitting sensitive information about aid to Ukrainian refugees and the war-torn country’s government.

Threat actors were observed abusing legitimate electronic systems used by the EU for information exchange and secure data transfer, BlackBerry said, including platforms called LegisWrite and e-TrustEx.

“Using a compromised legitimate server to host the packed malware payload increases the chances of a successful installation on the victims’ machines,” researchers noted.

The visual lures used in the campaign entailed fake versions of the websites of the European Commission, the EU’s executive branch, and the Foreign Affairs Ministry of Poland.
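The lure pattern described above (a document that impersonates the European Commission or Poland's foreign ministry but links to an HTML file on an unrelated, compromised third-party site) can be turned into a simple triage rule for links extracted from inbound documents. The following is an added example written for this page, not code from Cybernews or from BlackBerry's report; the brand-to-domain mapping, the `triage_links` function and every URL in it are constructed for the example, and the placeholder host `library.example.sv` is not the real compromised site, which the article does not name.

```python
"""
Added example: flag links in a document that claims to come from a known
institution when (a) the link host is not under that institution's
domain, or (b) the link points at an HTML file, the two traits the
article attributes to this campaign's lures. All URLs are constructed.
"""
from urllib.parse import urlparse

# Assumed mapping of impersonated brand -> domains it legitimately uses.
# europa.eu and gov.pl are the real parent domains of these institutions;
# the list itself is an assumption to be tuned per environment.
BRAND_DOMAINS = {
    "European Commission": ("europa.eu",),
    "Polish Ministry of Foreign Affairs": ("gov.pl",),
}

HTML_SUFFIXES = (".html", ".htm")


def host_under(host: str, domain: str) -> bool:
    """True if host is exactly domain or a subdomain of it (not a look-alike)."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def triage_links(claimed_brand: str, links):
    """Return [(url, reasons), ...] for links that deserve a closer look.

    An empty list means nothing in `links` matched either trait.
    """
    allowed = BRAND_DOMAINS.get(claimed_brand, ())
    findings = []
    for url in links:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme not in ("http", "https"):
            reasons.append("non-http scheme")
        elif not any(host_under(host, d) for d in allowed):
            reasons.append(f"host {host!r} not under {allowed}")
        if parsed.path.lower().endswith(HTML_SUFFIXES):
            reasons.append("link points at an HTML file")
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample: links as they might be extracted from a lure document
# that presents itself as European Commission correspondence.
SAMPLE_LINKS = [
    "https://ec.europa.eu/info/index_en",             # on-brand, plain page
    "https://library.example.sv/docs/schedule.html",  # placeholder off-brand host, HTML file
    "https://commission.europa.eu/news.html",         # on-brand, but still an HTML file
]

if __name__ == "__main__":
    for url, reasons in triage_links("European Commission", SAMPLE_LINKS):
        print(url, "->", "; ".join(reasons))
```

Run against the constructed sample, the first link passes, the second is flagged on both traits, and the third is flagged only because it ends in `.html`; the second kind of finding is the one worth escalating, the third is a lower-confidence signal to correlate with sender and attachment data.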

Visual lure masquerading as European Commission. Image by BlackBerry

One of the bogus messages appealed to those interested in the Polish ambassador’s schedule for 2023, following his visit to the Columbus School of Law at the Catholic University of America in February, where he discussed the war in Ukraine.

The overlap between the ambassador’s visit and the online ruse “provides evidence that the threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection,” BlackBerry said.

“Nobelium actively collects intelligence information about the countries supporting Ukraine in the Russian-Ukrainian war,” it noted.

Visual lure masquerading as Polish Foreign Affairs Ministry. Image by BlackBerry

In addition to APT29 and Cozy Bear, the threat group has also gone under other aliases, including the Dukes, StellarParticle, UNC2452, and Dark Halo.

It has historically targeted both governmental and non-governmental organizations, think tanks, and the military, as well as various service providers. It made international headlines as the group behind the SolarWinds hack that wreaked havoc on US government installations in 2020.

“Although its phishing campaigns aren’t very sophisticated, APT29 is notorious for its agility once it is inside a target’s network,” BlackBerry warned.
