The Russia-linked APT29 (aka Cozy Bear) threat actor has been attributed to an ongoing cyber espionage campaign targeting foreign ministries and diplomatic entities located in NATO member states, the European Union, and Africa.
According to Poland's Military Counterintelligence Service and the CERT Polska team, the observed activity shares tactical overlaps with a cluster tracked by Microsoft as Nobelium, which is known for its high-profile attack on SolarWinds in 2020.
Nobelium's operations have been attributed to Russia's Foreign Intelligence Service (SVR), an agency that is tasked with protecting "people, society, and the state from foreign threats."
That said, the campaign represents an evolution of the Kremlin-backed hacking group's tactics, indicating persistent attempts at improving its cyber weaponry to infiltrate victim systems for intelligence gathering.
"New tools were used at the same time and independently of one another, or replacing those whose effectiveness had declined, allowing the actor to maintain a continuous, high operational tempo," the agencies said.
The attacks start with spear-phishing emails impersonating European embassies that aim to lure targeted diplomats into opening malware-laced attachments under the guise of an invitation or a meeting.
Embedded within the PDF attachment is a booby-trapped URL that leads to the deployment of an HTML dropper called EnvyScout (aka ROOTSAW), which is then used as a conduit to deliver three previously unknown strains: SNOWYAMBER, HALFRIG, and QUARTERRIG.
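The lure described above works because the PDF itself carries no exploit, only a link to a web-hosted HTML dropper, so a defender's first triage step is simply to list what a received PDF would open. The following script is an added example, not code from the CERT Polska / SKW report or from any tool it names: it scans the raw bytes of a PDF for `/URI` link actions and flags targets that look like HTML pages or bare-IP hosts. The PDF bytes and the `example.invalid` URLs are constructed for the demo.

```python
"""Triage helper for lure PDFs: list the link targets a document would open.

Added example, not code from the CERT Polska / SKW report. It scans the raw
bytes of a PDF for /URI link actions, the mechanism by which a lure document
sends its reader to a web-hosted HTML dropper, and flags targets that look
like HTML files or bare-IP hosts. The PDF bytes and the example.invalid URLs
below are constructed for the demo.
"""
import ipaddress
import re
from urllib.parse import urlparse

# A /URI action stores its target either as a literal string (...) or as a hex
# string <...>. The literal pattern honours backslash escapes but, to stay short,
# does not track balanced unescaped parentheses inside the string.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")

HTML_SUFFIXES = (".html", ".htm")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in the raw PDF bytes, decoded to str."""
    found = []
    for m in URI_LITERAL.finditer(pdf_bytes):
        # Drop the backslash from simple escapes such as \( \) \\ (octal escapes ignored).
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))
        found.append(raw.decode("latin-1"))
    for m in URI_HEX.finditer(pdf_bytes):
        hexdigits = re.sub(rb"\s+", b"", m.group(1))
        found.append(bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1"))
    return found


def is_suspicious(uri: str) -> bool:
    """Heuristic: web link whose path is an HTML page, or whose host is a raw IP."""
    parsed = urlparse(uri)
    if parsed.scheme not in ("http", "https"):
        return False
    if parsed.path.lower().endswith(HTML_SUFFIXES):
        return True
    try:
        ipaddress.ip_address(parsed.hostname or "")
        return True
    except ValueError:
        return False


def suspicious_uris(pdf_bytes: bytes) -> list[str]:
    """Link targets in the PDF that match the heuristic above."""
    return [u for u in extract_uris(pdf_bytes) if is_suspicious(u)]


# Constructed minimal PDF: one page with three link annotations, the last one
# stored as a PDF hex string (it decodes to https://example.invalid/lure.htm).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/invitation.html) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.org/contact) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <68747470733a2f2f6578616d706c652e696e76616c69642f6c7572652e68746d> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for uri in extract_uris(SAMPLE_PDF):
        print(("SUSPECT " if is_suspicious(uri) else "        ") + uri)
```

The byte-level scan is deliberate: it works on attachments that a full PDF parser rejects, and it does not render or follow anything. Compressed object streams would hide the actions from this regex, so in a mail gateway the same check should run after a decompressing parser has expanded the document.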
SNOWYAMBER, also known as GraphicalNeutrino by Recorded Future, leverages the Notion note-taking service for command-and-control (C2) and for downloading additional payloads such as Brute Ratel.
QUARTERRIG also functions as a downloader capable of retrieving an executable from an actor-controlled server. HALFRIG, on the other hand, acts as a loader to launch the Cobalt Strike post-exploitation toolkit contained within it.
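Using a legitimate SaaS service such as Notion for C2 means the destination host is one that blocking would break for real users, so detection has to look at how the traffic behaves rather than where it goes. The script below is an added example, not code from the CERT Polska / SKW report: it reads web proxy log lines and flags clients that talk to the Notion API host from a non-browser User-Agent at near-constant intervals, the pattern a sleeping implant leaves, while interactive use from a browser passes. The host name `api.notion.com` is an assumption about the service, and the log format and lines are constructed for the demo.

```python
"""Proxy-log check for beacon-like traffic to a SaaS API that may serve as C2.

Added example, not code from the CERT Polska / SKW report. The report states
that SNOWYAMBER uses Notion for C2 and payload retrieval; this script flags
clients whose requests to the Notion API host are sent with a non-browser
User-Agent at near-constant intervals. The host name api.notion.com is an
assumption about the service; the log format and lines are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Optional

WATCHED_HOSTS = {"api.notion.com"}
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")


def parse_line(line: str) -> dict:
    """Constructed format: '<ISO timestamp> <client_ip> <host> <method> <path> <user-agent...>'."""
    ts, client, host, method, path, ua = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "client": client, "host": host,
            "method": method, "path": path, "ua": ua}


def gap_regularity(timestamps) -> Optional[float]:
    """Coefficient of variation of the inter-request gaps; 0 means perfectly periodic.

    Returns None when there are too few requests to judge.
    """
    if len(timestamps) < 3:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return statistics.pstdev(gaps) / mean


def find_beacons(lines, max_cv: float = 0.2) -> list:
    """Clients beaconing to a watched host from a non-browser agent."""
    per_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["host"] in WATCHED_HOSTS:
            per_pair[(rec["client"], rec["host"])].append(rec)

    suspects = []
    for (client, host), recs in per_pair.items():
        # Every request from this client must lack a browser marker.
        non_browser = all(not any(m in r["ua"] for m in BROWSER_UA_MARKERS) for r in recs)
        cv = gap_regularity([r["ts"] for r in recs])
        if non_browser and cv is not None and cv <= max_cv:
            suspects.append({"client": client, "host": host,
                             "requests": len(recs), "gap_cv": round(cv, 3)})
    return suspects


# Constructed log: 10.0.0.5 polls every ~60 s from a non-browser agent; 10.0.0.7 is
# a person using Notion in a browser; 10.0.0.9 has too few requests to judge.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 10.0.0.5 api.notion.com POST /v1/pages Updater/1.0",
    "2024-03-01T09:00:10 10.0.0.7 api.notion.com GET /v1/users Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
    "2024-03-01T09:00:15 10.0.0.7 api.notion.com POST /v1/search Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
    "2024-03-01T09:01:02 10.0.0.5 api.notion.com POST /v1/pages Updater/1.0",
    "2024-03-01T09:01:30 10.0.0.9 api.notion.com GET /v1/users Updater/1.0",
    "2024-03-01T09:01:59 10.0.0.5 api.notion.com POST /v1/pages Updater/1.0",
    "2024-03-01T09:02:40 10.0.0.7 api.notion.com GET /v1/users Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
    "2024-03-01T09:03:01 10.0.0.5 api.notion.com POST /v1/pages Updater/1.0",
    "2024-03-01T09:04:00 10.0.0.5 api.notion.com POST /v1/pages Updater/1.0",
    "2024-03-01T09:05:00 10.0.0.9 api.notion.com GET /v1/users Updater/1.0",
    "2024-03-01T09:10:05 10.0.0.7 api.notion.com GET /v1/users Mozilla/5.0 (Windows NT 10.0) Chrome/120.0",
]

if __name__ == "__main__":
    for suspect in find_beacons(SAMPLE_LOG):
        print(suspect)
```

The User-Agent test is cheap to evade, so the interval regularity is the signal to tune: `max_cv` of 0.2 tolerates the small jitter implants add to their sleep, while real human use of a SaaS app produces gaps that vary by far more. Over a longer window, the same grouping can also be keyed on request size, since a polling implant tends to fetch the same small response every time.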
It's worth noting that the disclosure dovetails with recent findings from BlackBerry, which detailed a Nobelium campaign targeting European Union countries, with a specific emphasis on agencies that are "helping Ukrainian citizens fleeing the country, and providing help to the government of Ukraine."