The Polish military, together with CERT.PL, recently discovered that a Russian state-sponsored hacking group, dubbed APT29 (aka Cozy Bear and Nobelium), is actively targeting NATO and European Union countries and, to a lesser extent, countries in Africa.
The cyberespionage group’s campaign focused on obtaining sensitive information from foreign ministries and diplomatic entities through data harvesting techniques.
Poland’s Military Counterintelligence Service and CERT.PL have advised all potential targets to harden their IT systems and improve their attack detection mechanisms so they can defend against this actor’s operations.
Technical Analysis
The attackers targeted diplomatic personnel with spear-phishing emails that impersonated European embassies and directed victims to malicious websites.
According to the BlackBerry report, they also attached ISO, IMG, and ZIP files to these emails in order to deploy malware on the targets’ computers.
The EnvyScout dropper, delivered through HTML smuggling on APT29-controlled websites, infected victims and led to the deployment of malware downloaders such as:-
SNOWYAMBER
QUARTERRIG
Additionally, the attackers used a Cobalt Strike Beacon stager called HALFRIG to distribute more malware.
The attackers used SNOWYAMBER and QUARTERRIG for reconnaissance, to determine whether a target was relevant and to evade honeypots or virtual machines used for malware analysis.
After manually verifying the infected workstation, the attackers used the SNOWYAMBER and QUARTERRIG downloaders to deploy commercial tools such as:-
COBALT STRIKE
BRUTE RATEL
Unlike the other downloaders, HALFRIG operates as a loader that contains the COBALT STRIKE payload and launches it automatically.
APT29 has continued to breach the networks of various organizations since the SolarWinds attack using stealthy malware such as the TrailBlazer and a variant of the GoldMax Linux backdoor, which remained undetected for years.
Unit 42 has identified the Brute Ratel adversarial attack simulation tool as being used in suspected cyberattacks linked to Russian SVR cyber spies.
Microsoft has reported that APT29 hackers have been using new malware that can exploit Active Directory Federation Services (ADFS) to gain access to Windows systems and log in as anyone.
In their pursuit of sensitive foreign policy information, the APT29 group has targeted Microsoft 365 accounts in NATO countries and conducted multiple phishing campaigns aimed at:-
European governments
European Embassies
High-ranking officials
Recommendations
The cybersecurity analysts offered the following recommendations:-
Disable the ability to mount disk image files on the file system.
Monitor the mounting of disk image files by users who hold administrator rights.
Enable and properly configure Attack Surface Reduction rules.
Configure a Software Restriction Policy to prevent executable files from launching from unexpected locations.
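The following PowerShell script is an added example of applying and checking the first three recommendations above; it is not code from the CERT.PL or BlackBerry reports. It assumes a Windows 10/11 host with Microsoft Defender, that Explorer’s mount verb for disk images lives under the Windows.IsoFile and Windows.VhdFile ProgIDs, and the two Microsoft-documented ASR rule GUIDs shown (block executable content from email, block JavaScript/VBScript launching downloaded executables); the Software Restriction Policy item is a Group Policy setting and is not scripted here.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original reports. Applies (or, with -AuditOnly, only checks)
# three of the recommendations above on a Windows 10/11 host with Microsoft Defender.
# Assumption: Explorer's "Mount" verb for ISO/IMG/VHD files sits under the Windows.IsoFile and
# Windows.VhdFile ProgIDs; the ASR rule GUIDs below are Microsoft's documented values.
param([switch]$AuditOnly)

# 1. Disable double-click mounting of disk images. Marking the verb ProgrammaticAccessOnly hides it
#    from Explorer, so a phished user cannot mount an ISO/IMG attachment, while Mount-DiskImage and
#    backup tooling keep working (script-driven mounts remain possible, hence the audit in step 3).
foreach ($progId in 'Windows.IsoFile', 'Windows.VhdFile') {
    $mountKey = "HKLM:\SOFTWARE\Classes\$progId\shell\mount"
    $props    = Get-ItemProperty -Path $mountKey -ErrorAction SilentlyContinue
    $disabled = $null -ne $props -and ($props.PSObject.Properties.Name -contains 'ProgrammaticAccessOnly')
    "[$progId] Explorer mount verb disabled: $disabled"
    if (-not $AuditOnly -and -not $disabled) {
        New-Item -Path $mountKey -Force | Out-Null
        New-ItemProperty -Path $mountKey -Name 'ProgrammaticAccessOnly' -Value '' -PropertyType String -Force | Out-Null
    }
}

# 2. Enable ASR rules that cut off the email-attachment and script-launch paths used in this campaign.
#    Rule action values: 0 = disabled, 1 = block, 2 = audit, 6 = warn.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
}
$prefs = Get-MpPreference
$ids   = @($prefs.AttackSurfaceReductionRules_Ids)
$acts  = @($prefs.AttackSurfaceReductionRules_Actions)
foreach ($id in $asrRules.Keys) {
    $blocking = $false
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $id -and $acts[$i] -eq 1) { $blocking = $true }
    }
    "[ASR] $($asrRules[$id]): blocking = $blocking"
    if (-not $AuditOnly -and -not $blocking) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    }
}

# 3. Audit recent disk-image mounts. The VHDMP operational log names each surfaced image with its path;
#    review entries pointing at ISO/IMG/VHD files in user-writable locations such as Downloads or Temp.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-VHDMP-Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\.(iso|img|vhdx?)\b' } |
    Select-Object TimeCreated, Id,
        @{ Name = 'Image'; Expression = { [regex]::Match($_.Message, '[A-Za-z]:\\[^"\s]+\.(iso|img|vhdx?)', 'IgnoreCase').Value } } |
    Format-Table -AutoSize
```

Run it once with -AuditOnly to see the current state before changing anything; the mount audit only lists events, so attributing a mount to a specific administrator account still requires correlating the timestamp with the Security log.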