Russian espionage campaign targets NATO and EU diplomats


Multiple Russian-linked cyber espionage campaigns have been found operating in the wild this week, including one targeting NATO and EU diplomats.

Luring victims with sophisticated phishing emails and fake domains, the bad actors are proving resilient by repurposing tools used in other successful high-profile attacks.

Cybernews has the details on two separate campaigns, both linked to the Kremlin, and both possibly operating undetected for several years.


Phishing campaign targets diplomats

The first discovery, reported Friday by the Polish government, is an ongoing cyber espionage campaign security officials say is linked to Russian intelligence services.

According to observations made by Polish Military Counterintelligence Services and CERT Polska, the widespread espionage campaign is aimed at collecting information from foreign ministries and diplomatic entities.

“Most of the identified targets of the campaign are located in NATO member states, the European Union and, to a lesser extent, in Africa,” the Polish advisory states.

[Image: sample email impersonating a Polish embassy. Source: gov.pl]

The bad actor responsible for the attacks is believed to be linked to high-profile breaches such as the SolarWinds supply chain attack, in which a backdoor known as Sunburst was planted in updates to the SolarWinds Orion platform.

Many of the elements observed in the latest campaign – such as the infrastructure, techniques implemented, and tools used – overlap with the notorious Russian state-sponsored hacker group known as APT29.

APT29, also known in the cyber world as Cozy Bear, Nobelium, Dark Halo or UNC2452, is the group said to be responsible for the massive SolarWinds attack in 2020.


The attack, which compromised more than 100 organizations worldwide through SolarWinds' Orion software update channel, reached all US military branches, the Pentagon, dozens of other US federal agencies, and multiple Fortune 500 companies such as Microsoft, Intel, and VMware.

Other hacking tools used in this recently observed campaign include the malware dropper EnvyScout and the malware downloader BoomBox, both attributed to Nobelium by the Microsoft Threat Intelligence Center in 2021.

Research by Microsoft shows Nobelium has been seen “in the wild as early as February 2021, attempting to gain a foothold on a variety of sensitive diplomatic and government entities.”

The campaign is considered ongoing and evolving, and it is not clear whether the latest observations are simply a continuation of the original campaign documented by Microsoft.

For example, in 2021, the threat actors used a mass email marketing service to target victims with phishing emails.

In the current campaigns, spear phishing emails have been the weapon of choice.

In spear phishing, emails are tailored to a chosen individual so that they appear to come from a legitimate organization the target normally interacts with.

According to the latest advisory, emails impersonating embassies of European countries were sent to certain personnel at diplomatic posts.

“The email would contain an invitation to a meeting or to work together on documents,” the advisory states.

“In the body of the message or in an attached PDF document, a link was included purportedly directing to the ambassador's calendar, meeting details, or a downloadable file,” the advisory warns.

[Image: sample email suggesting a downloadable calendar. Source: gov.pl]

The email would urge the addressee to click on a malicious link, leading them to an attacker-controlled website that, when opened, delivered the EnvyScout dropper to the victim's machine.

“Campaigns observed in the past linked to ‘Nobelium’ and ‘APT29’ used .ZIP or .ISO files to deliver the malware,” the advisory states.

Now the hackers have added .IMG files to the arsenal. All three are container formats that the phishing page pushes to the victim's disk, and ISO and IMG disk images in particular are mounted as a drive by Windows on a double-click, so the malicious contents inside are presented to the user with little or no warning.
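EnvyScout is documented by Microsoft as an HTML smuggling dropper: the phishing page carries the disk image as an encoded blob inside the HTML and uses JavaScript in the victim's browser to decode it and write it to disk as a download, so nothing that looks like a file transfer crosses the network for a proxy to inspect. The following is an added example, not code from the Polish advisory, Microsoft or Infoblox, of a triage check for that pattern: it flags the browser APIs such pages lean on and decodes long base64 literals to identify the smuggled container by its magic bytes. The sample HTML, the file name and the payload bytes are constructed for illustration, and the indicator list and the three-hit threshold are assumptions to tune, not a published detection signature.

```python
import base64
import binascii
import re

# Constructed stand-in for a smuggled payload: a ZIP local-file-header magic
# followed by padding. Real pages carry ISO/IMG images of tens of kilobytes.
FAKE_PAYLOAD = b"PK\x03\x04" + b"\x00" * 28
ENCODED_PAYLOAD = base64.b64encode(FAKE_PAYLOAD).decode()

# Constructed HTML smuggling skeleton (not a real EnvyScout page).
SAMPLE_SMUGGLING_HTML = """<html><body><p>Loading the ambassador's calendar...</p>
<script>
var b64 = "__B64__";
var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Calendar.iso";
document.body.appendChild(a);
a.click();
</script></body></html>""".replace("__B64__", ENCODED_PAYLOAD)

# Constructed benign page: a plain server-side link, no client-side file construction.
BENIGN_HTML = ('<html><body><a href="https://example.invalid/calendar.pdf">'
               "Calendar</a></body></html>")

# Browser-side building blocks of HTML smuggling (assumed indicator set; tune as needed).
INDICATORS = {
    "decode_embedded_data": re.compile(r"\batob\s*\(|Uint8Array\.from|TextDecoder", re.I),
    "blob_construction": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url_or_save": re.compile(r"createObjectURL\s*\(|msSaveOrOpenBlob", re.I),
    "forced_download_name": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
# Quoted file names with the container extensions the advisory lists.
CONTAINER_NAME = re.compile(r"[\"']([^\"'<>]+\.(?:iso|img|zip))[\"']", re.I)
# Quoted base64 literals long enough to be a payload rather than a token.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{32,}={0,2})[\"']")


def sniff(data):
    """Identify a decoded blob by magic bytes: ZIP, PE, or ISO 9660 image."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    if data[0x8001:0x8006] == b"CD001":  # ISO 9660 primary volume descriptor
        return "iso9660"
    return "unknown"


def extract_payloads(html):
    """Decode every long base64 literal in the page and report (size, type)."""
    found = []
    for m in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue  # not valid base64, e.g. a long URL-safe token
        found.append((len(raw), sniff(raw)))
    return found


def score_html(html):
    """Score a page: which smuggling indicators fire, what it tries to save, what it carries."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    names = [m.group(1) for m in CONTAINER_NAME.finditer(html)]
    payloads = extract_payloads(html)
    carries_container = any(kind != "unknown" for _, kind in payloads)
    verdict = "suspicious" if len(hits) >= 3 or carries_container else "benign"
    return {"hits": hits, "filenames": names, "payloads": payloads, "verdict": verdict}


if __name__ == "__main__":
    for label, page in (("smuggling", SAMPLE_SMUGGLING_HTML), ("benign", BENIGN_HTML)):
        print(label, score_html(page))
```

The decoded-payload check matters more than the API list: the JavaScript can be obfuscated or split across files, but the bytes it reassembles still have to be a container Windows will mount, and `sniff` only needs the first few kilobytes of the decoded blob to see that.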

Officials also said the hackers created three separate and new versions of the EnvyScout malware, making it easier to evade detection.

Polish intelligence believes the group is continuously deploying different versions of the hacking tools to test their effectiveness and retire the ones that do not succeed in order to maintain a “high operational tempo.”

Hacking tools that had not previously been reported publicly but are being used in the campaign include “a modified version of the SnowyAmber tool, the Halfrig tool, and the Quarterrig tool,” they said.

Government entities, international organizations, and diplomatic entities, including foreign ministries, embassies, diplomatic staff, and those working for international entities, have all been targeted in the attacks.

Russian Command and Control

In another Russian-linked hacking find late this week, research by the Infoblox Threat Intelligence Group reported a critical security threat said to involve communications with a Russian command-and-control (C2) server.


The Russian C2 has been selectively targeting many organizations worldwide and, until now, had gone undetected since at least April 2022, the research found.

“Early intel suggests a single threat actor leveraging common DNS behavior,” the report states.

The report's description is consistent with DNS being used as the command-and-control channel itself, not with DNS spoofing (poisoning a resolver so that a legitimate name resolves to an attacker's address).

The Pupy RAT that Infoblox identified ships a DNS transport: the implant encodes its check-ins and any data it steals into queries for ever-changing subdomains of a domain the attacker registered, and the attacker's authoritative name server encodes tasking into the answers it returns.

Because every hop in that exchange is an ordinary recursive lookup, the traffic rides through the victim organization's own resolvers and past firewalls that allow DNS, and the implant never needs a direct connection to the C2 server.

Once tasked, the operator can run commands on the compromised host, gather intelligence, escalate privileges, and exfiltrate sensitive data back to the C2 over the same channel.

The threat actors can also move laterally into other insecure systems, either still inside the victim's network or in connected third-party networks.
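As an added example (not code from Infoblox's report or from Pupy), here is the kind of per-domain statistic a resolver log can be screened with when DNS itself is suspected as the C2 channel: a tunneling domain shows many never-repeated subdomains whose leftmost label is long and high-entropy, while a busy but benign domain such as a CDN repeats short, low-entropy names. The records, domain names and thresholds are constructed for illustration; the registered-domain helper simply takes the last two labels, which a real deployment should replace with a Public Suffix List lookup, and the TXT ratio is reported rather than used in the verdict because DNS C2 transports can ride other record types too.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of a string; 0.0 for empty input."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude registered domain = last two labels (assumption for the example;
    use the Public Suffix List, e.g. the tldextract package, in production)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def _fake_beacon(i, domain):
    # Constructed: 40 hex characters standing in for an encoded implant message.
    label = hashlib.sha256(f"beacon-{i}".encode()).hexdigest()[:40]
    return ("10.0.0.7", f"{label}.{domain}", "TXT")


# Constructed resolver records (client, qname, qtype); not real data.
SAMPLE_RECORDS = (
    [("10.0.0.5", "www.example.com", "A")] * 50
    + [("10.0.0.5", "mail.example.com", "MX")] * 5
    + [("10.0.0.6", f"img{i}.cdn.example.org", "A") for i in range(40)]  # benign CDN fan-out
    + [_fake_beacon(i, "updates.example.net") for i in range(30)]        # tunneling pattern
)


def domain_stats(records):
    """Aggregate query count, distinct names, label length/entropy and TXT share per domain."""
    per = defaultdict(lambda: {"queries": 0, "names": set(), "lens": [], "ents": [], "txt": 0})
    for _client, qname, qtype in records:
        st = per[registered_domain(qname)]
        leftmost = qname.split(".")[0]
        st["queries"] += 1
        st["names"].add(qname.lower())
        st["lens"].append(len(leftmost))
        st["ents"].append(shannon_entropy(leftmost))
        if qtype.upper() in ("TXT", "NULL"):
            st["txt"] += 1
    out = {}
    for dom, st in per.items():
        n = st["queries"]
        out[dom] = {
            "queries": n,
            "unique_subdomains": len(st["names"]),
            "mean_label_len": sum(st["lens"]) / n,
            "mean_entropy": sum(st["ents"]) / n,
            "txt_ratio": st["txt"] / n,
        }
    return out


def suspicious_domains(records, min_unique=20, min_label_len=24, min_entropy=3.0):
    """Flag domains whose query names look like encoded data rather than host names.
    Thresholds are illustrative assumptions, not tuned values."""
    flagged = []
    for dom, s in domain_stats(records).items():
        if (s["unique_subdomains"] >= min_unique
                and s["mean_label_len"] >= min_label_len
                and s["mean_entropy"] >= min_entropy):
            flagged.append((dom, s))
    return sorted(flagged, key=lambda t: t[1]["queries"], reverse=True)


if __name__ == "__main__":
    for dom, s in suspicious_domains(SAMPLE_RECORDS):
        print(f"{dom}: {s['unique_subdomains']} unique names, "
              f"mean label {s['mean_label_len']:.1f} chars, "
              f"entropy {s['mean_entropy']:.2f} bits/char, TXT share {s['txt_ratio']:.0%}")
```

The CDN domain is the deliberate counter-example: it has twice as many distinct names as the tunneling domain, so a rule on subdomain count alone would page on it, while the label-length and entropy conditions separate `img17` from a 40-character hex blob. Dormant domains that suddenly begin receiving this kind of traffic, as Infoblox describes, are also worth a first-seen check against registration or passive-DNS data.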

The research found at least half a dozen malicious domain names that are presently in communication with the Russian C2.

According to the head of the Infoblox Threat Intelligence Group, Renée Burton, the Russian C2 is using a modified version of the open-source Pupy remote access trojan (RAT).


This could easily allow the attacker to execute the malware remotely and control compromised devices, said Burton.

“We are certain it is not consumer devices that are compromised. It’s evolved and new domains are being set up,” Burton said.

Pupy RAT has been used by state actors for advanced persistent threats (APT) in the past.

The group said that threat actors often register domains well in advance of using them for attacks.

This is typically anywhere from 14 to 120 days in advance, but in this case the domains are believed to have lain dormant for upwards of two years before the Russian hackers started using them to communicate with the victims' systems, said Infoblox.

The research group believes the threat is confined to a limited set of network systems and is not generated from laptops or mobile devices.

Infoblox has not yet named the malware strain used in the attacks, but said it will publish more details about the find in the coming weeks.
