Russian hackers linked to widespread attacks targeting NATO and EU

Poland’s Military Counterintelligence Service and its Computer Emergency Response Team have linked APT29 state-sponsored hackers, part of the Russian government’s Foreign Intelligence Service (SVR), to widespread attacks targeting NATO and European Union countries.

As part of this campaign, the cyberespionage group (also tracked as Cozy Bear and Nobelium) aimed to harvest information from diplomatic entities and foreign ministries.

“At the time of publication of the report, the campaign is still ongoing and in development,” an advisory published today .

“The Military Counterintelligence Service and CERT.PL recommend all entities which may be in the area of interest of the actor to implement mechanisms aimed at improving the security of IT Security systems in use and increasing the detection of attacks.”

The attackers have targeted diplomatic personnel using spear phishing emails impersonating European countries’ embassies with links to malicious websites or attachments designed to deploy malware via ISO, IMG, and ZIP files.

Websites controlled by APT29 infected victims with the EnvyScout dropper via , which helped deploy downloaders known as and and designed to deliver additional malware, as well as a CobaltStrike Beacon stager named .

SNOWYAMBER and QUARTERRIG were used for reconnaissance to help the attackers evaluate each target’s relevance and determine whether they compromised honeypots or VMs used for malware analysis.

“If the infected workstation passed manual verification, the aforementioned downloaders were used to deliver and start-up the commercial tools COBALT STRIKE or BRUTE RATEL,” a separate malware analysis report released today .

“HALFRIG, on the other hand, works as a so-called loader – it contains the COBALT STRIKE payload and runs it automatically.”

APT29 attack flow
Attack flow (CERT Polska)

​ is the Russian Foreign Intelligence Service (SVR) hacking division which was also to the that led to the compromise of multiple U.S. federal agencies three years ago.

Since then, the hacking group using stealthy malware that remained undetected for years, including a new malware tracked as TrailBlazer and a variant of the GoldMax Linux backdoor.

Unit 42 has also observed the Brute Ratel adversarial attack simulation tool being used in attacks .

More recently, Microsoft reported that the capable of hijacking Active Directory Federation Services (ADFS) to log in as anyone in Windows systems.

They’ve also targeted in attempts to access foreign policy information and orchestrated targeting governments, embassies, and high-ranking officials across Europe.