Russian intelligence has once again deployed the hacking group Nobelium/APT29 in support of its ongoing invasion of Ukraine, this time to spy on foreign ministries and diplomats from NATO member states, along with additional targets in the European Union and Africa.
The timing coincides with a wave of attacks on Canadian infrastructure that are believed to have a Russian connection.
Potential targets of the espionage campaign were alerted to the threat on April 13 by the Polish Military Counterintelligence Service and Poland's CERT team, which also published indicators of compromise. The group, tracked as Nobelium by Microsoft and as APT29 by Mandiant, is no newcomer to nation-state espionage; it was responsible for the infamous SolarWinds supply chain attack disclosed in late 2020.
According to the alert, APT29 has returned with a new set of malware tools and, reportedly, orders to infiltrate the diplomatic corps of nations that support Ukraine.
APT29 returns with fresh orders
According to the Polish notice, the advanced persistent threat (APT) begins its intrusion with a carefully crafted spear-phishing email.
"Emails impersonating embassies of European countries were sent to selected personnel at diplomatic posts," authorities explained. "The correspondence contained an invitation to a meeting or to work together on documents."
The recipient is then asked to follow a link or open a PDF to view the ambassador's calendar or obtain meeting details. Either path leads the target to a malicious website hosting the group's "signature script," which the report calls "Envyscout".
"It utilizes the HTML-smuggling technique — whereby a malicious file placed on the page is decoded using JavaScript when the page is opened and then downloaded on the victim's device," Polish officials added. "This makes the malicious file more difficult to detect on the server side where it is stored."
The malicious site also displays a message assuring victims that they have downloaded the correct file.
"Spear-phishing attacks are successful when the communications are well written, use personal information to demonstrate familiarity with the target, and appear to come from a legitimate source," Patrick Harr, CEO of SlashNext, stated. "This espionage campaign meets all of the criteria for success."
One phishing email, for instance, purported to come from the Polish embassy. Polish authorities also observed that Envyscout was modified three times over the course of the campaign, each time with improved obfuscation.
Once inside, the group deploys modified versions of three tools, according to the Polish alert: the Snowyamber downloader; Halfrig, which carries Cobalt Strike as embedded code; and Quarterrig, which shares code with Halfrig.
In light of this and other Russian espionage activities, governments, diplomats, international organisations, and non-governmental organisations (NGOs) should be on high alert.
Alongside the warnings from Polish cybersecurity authorities, Canadian Prime Minister Justin Trudeau has publicly addressed a recent wave of Russia-linked cyberattacks on Canadian infrastructure, including denial-of-service attacks on the websites of the electric utility Hydro-Québec, his own office, the Port of Québec, and Laurentian Bank. According to Trudeau, Canada's support for Ukraine is a factor in the attacks.
Although there was no damage to Canada's infrastructure, Sami Khoury, head of the Canadian Centre for Cyber Security, stressed at a news conference last week that "the threat is real." "You must protect your systems," said Khoury, "if you run the critical systems that power our communities, provide Internet access to Canadians, provide health care, or generally operate any of the services Canadians can't live without." "Watch your network traffic. Implement mitigations."