Evolution of Tactics by Russia-linked APT29
The Russia-linked APT29 hacking group, also known as Cozy Bear, is continuing its espionage campaign targeting foreign ministries and diplomatic entities in NATO member states and Africa. This ongoing campaign represents an evolution of tactics used by the Russian hacking group. The APT29 hacking group is persistently working to improve its cyber weaponry for intelligence gathering.
Spearphishing Emails As a Mode of Attack
The spearphishing emails are sent to targeted diplomats impersonating European embassies. These emails are designed to entice the targeted diplomats into opening a malware-laced attachment under the guise of an invitation or a meeting. The PDF attachment contains a booby-trapped URL that leads to the deployment of an HTML dropper called EnvyScout (aka ROOTSAW).
Malware Strains Used by APT29 Group
After using EnvyScout as a conduit, three previously unknown strains of malware are delivered, namely SNOWYAMBER, HALFRIG, and QUARTERRIG. SNOWYAMBER leverages the Notion notetaking service for command-and-control (C2) and downloading additional payloads like Brute Ratel. QUARTERRIG functions as a downloader capable of retrieving an executable from an actor-controlled server.
HALFRIG acts as a loader to launch the Cobalt Strike post-exploitation toolkit contained within it, once again proving the APT29 group’s extremely high level of technical sophistication.
Attribution to APT29/Nobelium
This cyber-espionage campaign has been attributed to the state-sponsored hacking group APT29, which shares tactical overlaps with a cluster tracked by Microsoft as Nobelium. Nobelium was responsible for the infamous high-profile attack on SolarWinds in 2020. This recent attack has been observed across NATO member states, the European Union, and Africa.
Warnings from Cybersecurity Authorities
Poland’s Military Counterintelligence Service and the CERT Polska team have reported on the ongoing campaign. They issued an alert with indicators of compromise warning potential targets of the espionage campaign about the threat and recommended configuration changes to disrupt the delivery mechanism that was used in the described campaign.
Canada’s Prime Minister Justin Trudeau also made public statements about a recent spate of Russian-linked cyberattacks aimed at Canadian infrastructure, including denial-of-service attacks on Hydro-Québec, electric utility, the website for Trudeau’s office, the Port of Québec, and Laurentian Bank. Canada’s Centre for Cyber Security boss warned that “the threat is real.”
APT29 Continues its efforts amid Conflit in Ukraine
Russian cybercrime efforts have continued amid the ongoing conflict in Ukraine. The APT29 group’s primary goal is to gather intelligence from foreign governments and diplomatic bodies. This recent cyber-espionage campaign again underscores Russia’s continued efforts to target countries in NATO and other Western-related entities.
The Russian Intelligence services continue to employ multiple clandestine means to gain advantages over political rivals and foreign intelligence agencies. These actions remain a challenge for cybersecurity experts globally.
In summary, the APT29 group remains a clear threat to global cybersecurity with its sophisticated hacking methods employed against high-value targets globally. The recent spate of attacks is concerning as it highlights their persistent attempts to improve their tactics continually. Governments worldwide must recognize this threat and take measures to protect themselves from it.
Image Source: Wikimedia Commons
