The Polish Military Counterintelligence Service and CERT cybersecurity taskforce have discovered a group of Russian hackers impersonating representatives of embassies of various European countries to spy on foreign ministries and diplomats from NATO member states, the European Union and Africa. Polish authorities linked the large-scale campaign to Russian intelligence services and the hacker group Nobelium/APT29, the threat group behind the SolarWinds supply chain attacks in 2019.

The group sends phishing emails with attachments or links (meeting details or a link to an ambassador's calendar, for example) that lead users to a malicious site. On that site, a new piece of tooling decodes a malicious file using JavaScript and drops it onto the victim's device. The site also displays a message reassuring victims that they have downloaded the correct file.

The group's HTML-smuggling technique makes the malicious files difficult to detect on the server side, because the payload travels inside the HTML page and is only reassembled in the victim's browser rather than being stored as a separate file. Moreover, the group uses automation and machine learning to tweak messages and techniques across multiple campaign stages, improving both evasion and success rates.
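Because the payload is assembled client-side, a mail gateway or sandbox that only looks for known file types on a server misses it; the place to look is the HTML itself. The following Python scanner, written for this advisory as an added example (not DXC's or the Military Counterintelligence Service's tooling), scores an HTML attachment for the browser-side decode-and-download pattern the campaign relies on and extracts any large base64 literal so it can be hashed and inspected offline. The indicator list, the weights and the flag threshold are assumptions of this example, not a published detection rule, and the sample HTML is constructed here with a harmless text payload.

```python
import base64
import hashlib
import re

# Indicator patterns for HTML smuggling: a script that decodes an embedded blob
# in the browser and hands it to the user as a download. The weights are an
# assumption of this example, not a published scoring scheme.
INDICATORS = [
    (r"\batob\s*\(", 2, "atob() base64 decode in script"),
    (r"new\s+Blob\s*\(", 2, "Blob constructed from decoded bytes"),
    (r"createObjectURL\s*\(", 2, "object URL created for a Blob"),
    (r"msSaveOrOpenBlob", 2, "legacy IE/Edge save-blob call"),
    (r"\bdownload\s*=", 1, "download attribute/property set"),
    (r"\.click\s*\(\s*\)", 1, "programmatic click to start the download"),
]
# A quoted base64 run of 200+ characters is a good signal that a file is
# embedded in the page rather than fetched from a server.
BASE64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{200,}={0,2})["']""")
DOWNLOAD_NAME = re.compile(r"""download\s*=\s*["']([^"']+)["']""")
FLAG_THRESHOLD = 5  # assumption: tune against your own mail traffic


def scan_html(html: str) -> dict:
    """Score an HTML document for smuggling indicators and extract any
    embedded base64 payloads (size, SHA-256, first bytes) for triage."""
    hits, score = [], 0
    for pattern, weight, description in INDICATORS:
        if re.search(pattern, html):
            hits.append(description)
            score += weight

    payloads = []
    for literal in BASE64_LITERAL.findall(html):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:  # not real base64, e.g. a long token or hash
            continue
        payloads.append({
            "size": len(raw),
            "sha256": hashlib.sha256(raw).hexdigest(),
            "head_hex": raw[:8].hex(),  # quick look at magic bytes
        })
    if payloads:
        hits.append("large base64 literal decodes to a payload")
        score += 3

    return {
        "score": score,
        "flagged": score >= FLAG_THRESHOLD,
        "indicators": hits,
        "payloads": payloads,
        "download_names": DOWNLOAD_NAME.findall(html),
    }


# Constructed sample shaped like a smuggling lure. The embedded "file" is plain
# text, present only so the scanner has something to decode and hash.
SAMPLE_PAYLOAD = b"constructed benign payload " * 20
SAMPLE_HTML = """<html><body>
<p>Your file is ready. The download should start automatically.</p>
<script>
var data = "__B64__";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invitation.iso";
a.click();
</script></body></html>""".replace("__B64__", base64.b64encode(SAMPLE_PAYLOAD).decode())

# Constructed benign attachment for comparison: no script, no embedded blob.
BENIGN_HTML = "<html><body><p>The agenda is attached separately.</p></body></html>"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        result = scan_html(doc)
        print(name, "flagged" if result["flagged"] else "clean", result["score"])
        for hit in result["indicators"]:
            print("  -", hit)
        for payload in result["payloads"]:
            print("  payload", payload["size"], "bytes", payload["sha256"])
```

Run over mail attachments, a `flagged` result is a reason to detonate the page in an isolated browser and match the extracted `sha256` against threat intelligence; the decoded payload never has to touch a user's machine to be identified. The `download_names` field is also useful on its own, since a lure page advertising a document but handing out a disk-image or archive name is a mismatch worth alerting on.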

Impact

Government entities, diplomatic entities, foreign ministries, embassies, diplomatic staff and people working in international entities, international organizations and non-governmental organizations are most at risk for these latest attacks. However, Nobelium/APT29 does not limit its activity to government-related bodies, and all organizations need to be alert for the group’s increasingly sophisticated methods.

DXC perspective

These attacks have the hallmarks of successful spear-phishing: well-written communications that incorporate personal information and appear to come from a legitimate source. Ongoing employee training, effective digital identity management and a robust cyber defense program all help. We also recommend that organizations implement the configuration changes detailed by the Military Counterintelligence Service to disrupt the campaign's delivery mechanism.