• Tue. Apr 16th, 2024

Russia-Connected Hackers Spy on Foreign Diplomatic Organizations

Avatar photo

ByHarper Stewart

May 1, 2023
Russia-Linked Hackers Launches Espionage Attacks on Foreign Diplomatic Entities
Harper Stewart
Latest posts by Harper Stewart (see all)

Attacks against international organizations based in NATO member states, the European Union, and Africa are being targeted specifically by the hacking team APT29 (known as Cozy Bear), which is believed to have ties to Russia.

Following Poland’s Military Counterintelligence Agency and the CERT Polska team, the detected act shows tactical parallels with a complex referred to by Microsoft as Nobelium, which is famous for its advanced cyber attack on SolarWinds in 2020.

The Russian Foreign Intelligence Agency (SVR) that is accountable for safeguarding “individuals, society, and the state from outside hazards,” has been accused of controlling Nobelium.

Yet, the campaign shows a development in the Kremlin-tied hacker gang strategies and shows continual efforts to enhance its use of cyberweapons to compromise target systems and gather intelligence.

The agencies said: “New tools were used at the same time and independently of each other, or replacing those whose effectiveness had declined, allowing the actor to maintain a continuous, high operational tempo”.

Contaminated Software

In order to trick targeted politicians into clicking on the malware-laced attachments under the pretense of an invitation or a meeting, phishing emails that seem to be sent from European embassies served as the first stage of the attack.

The PDF attachment includes a booby-trapped URL that launches the HTML dropper EnvyScout (also known as ROOTSAW), which is then used to distribute the three recently discovered extracted SNOWYAMBER, HALFRIG, and QUARTERRIG.

SNOWYAMBER downloads Brute Ratel and other payloads using the Notion note-taking software for command-and-control. Recorded Future is also named GraphicalNeutrino.

In addition, QUARTERRIG serves as an installer that can obtain an application from a server that is under the command of an attacker. The Cobalt Strike post-exploitation toolset is launched by HALFRIG, which functions as a loader.

Attack Relation with the Ukraine

It’s also important to keep in mind that the statement is accurate with BlackBerry’s most recent research, which exposed a Nobelium campaign that targeted nations in the European Union, with a disturbing focus on organizations that “aid Ukrainian citizens fleeing the country, and provide support to the administration of Ukraine.”

Avatar photo

Harper Stewart

With a deep understanding of the complexities of the Dark Web, Harper curates informative and thought-provoking content for our readers. Her knowledge of the hidden corners of the internet and cybersecurity helps shed light on the often mysterious and illicit activities that take place in this realm.