Russian threat actor using Windows bug to go after diplomatic targets, analyst warns

Updated on: 15 November 2023

Damien Black
Senior Journalist

A threat group linked to Russia has been using a vulnerability in an obscure Windows feature to conduct cyber-espionage against diplomatic targets, an infosecurity analyst has learned.

APT29, which also goes by the names Cozy Bear, Iron Hemlock, and The Dukes, has been detected by Google-owned cybersecurity firm Mandiant using the Windows Credential Roaming feature to target diplomatic entities in a manner “consistent with Russian strategic priorities.”

Cozy Bear has previously been spotted going after NATO-aligned Western targets, but has also been known to focus its efforts on Russian-affiliated entities in the Commonwealth of Independent States, as well as countries in the Middle East, Asia, and Africa.

It is believed to have doubled down on its targeting of NATO affiliates this year, most likely in response to escalating cyberwar in the wake of Russia’s invasion of Ukraine.

The leveraged Microsoft feature allows documents and credentials to essentially ‘roam’ with a user. Mandiant explained that this could essentially be used by attackers to remotely access target machines without authorization.

“The use of credential roaming in an organization allows attackers to abuse the saved credentials for the purposes of privilege escalation,” it said.

Although Microsoft issued a patch for the vulnerability in September, organizations using Windows Credential Roaming that have not implemented it would still be vulnerable to a breach in this way. Mandiant urges organizations to take the necessary action to remediate the glitch, identified as CVE-2022-30170.