For months, the Slovak government has been targeted by a cyber-espionage group associated with a Russian intelligence agency, the Slovak security companies ESET and IstroSec stated this week. ESET, an internet security firm headquartered in Bratislava, Slovakia, develops anti-virus and firewall products and was named the most successful Slovak company in 2008, 2009, and 2010.
The companies also disclosed further details of the attacks on the Slovak government, including the Cobalt Strike infrastructure the attackers operated. The attacks are attributed to the group tracked as the Dukes, Nobelium, and APT29, which is affiliated with the Russian Foreign Intelligence Service (SVR). Its activities date back to 2008 and typically target government networks in NATO and European countries, research institutes, and think tanks.
Based on publicly available information, community threat-intelligence sources such as VirusTotal, and their own investigations, the researchers believe SVR operators spear-phished senior government officials. Both IstroSec and ESET state that the SVR targeted the Slovak officials through spear-phishing campaigns.
At the DEF CON conference, researchers reported that SVR operators sent spear-phishing emails to Slovak diplomats, posing as Slovakia's National Security Authority (NBU), to infect their systems. The ISO/IMG attachment in the email was made to look like a Word document.
IstroSec researchers described how the SVR command-and-control servers used in these attacks were uncovered. The IstroSec report notes that some of the C&C servers used by the SVR also hosted documents aimed at government representatives in the Czech Republic.
Furthermore, according to ESET, the group targeted European diplomats in 13 countries. ESET states that all of these attacks followed the same chain: email -> ISO disk image -> LNK shortcut file -> Cobalt Strike backdoor. Volexity and Microsoft have previously described this tactic in their respective reports.
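The chain above (a mail attachment that is a disk image carrying a shortcut file) can be picked up at the mail gateway without mounting the image, because ISO 9660 stores member files uncompressed: the fixed ShellLink header of any embedded .lnk is visible in the raw image bytes. The following is an added detection example written for this article, not code from ESET, IstroSec, or the referenced reports; the sample message and its "disk image" are constructed inline, and the filename and container suffixes are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# ShellLink (.lnk) header: HeaderSize 0x4C followed by LinkCLSID
# {00021401-0000-0000-C000-000000000046}, stored little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
ISO_MAGIC_OFFSET = 0x8001            # primary volume descriptor, bytes "CD001"
CONTAINER_SUFFIXES = (".iso", ".img")  # assumed list of attachment suffixes to inspect


def is_iso9660(blob: bytes) -> bool:
    """True when the blob carries an ISO 9660 primary volume descriptor."""
    return blob[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001"


def scan_message(raw: bytes) -> list:
    """Return one finding per attachment matching the disk-image -> LNK pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        blob = part.get_payload(decode=True) or b""
        # Inspect by suffix or by content, so a renamed image is still caught.
        if not (name.endswith(CONTAINER_SUFFIXES) or is_iso9660(blob)):
            continue
        findings.append({
            "filename": name,
            "iso9660": is_iso9660(blob),
            "lnk_count": blob.count(LNK_MAGIC),  # embedded shortcut headers
        })
    return findings


def build_sample() -> bytes:
    """Constructed test message: a fake 'document' delivered as a disk image."""
    image = bytearray(0x8000) + b"\x01CD001\x01\x00" + bytes(0x1000) + LNK_MAGIC + bytes(64)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Document"
    msg.set_content("Please see attached.")
    msg.add_attachment(bytes(image), maintype="application",
                       subtype="octet-stream", filename="Document.iso")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A hit with `lnk_count` greater than zero on an inbound disk image is a strong quarantine trigger; the header signature is independent of the shortcut's filename, so a .lnk disguised with a document-like name is still counted.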
Cobalt Strike is adversary simulation and red team operations software. It has been used by numerous pen-testers and red teams, as well as by sophisticated actors such as APT19, APT29, APT32, Leviathan, the Cobalt Group, and FIN6; the commercial licence costs $3,500 per user per year.
The Russian cyber-espionage group also employed a wide variety of tactics in its malware attacks on iOS devices. One such attack exploited a zero-day flaw in Safari on iOS to steal information from diplomats who read their email on their iPhones.
Local authorities, including the computer security incident response team, were notified of the incidents and findings. The report includes the collected indicators of compromise, such as hashes and IP addresses.