Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

European Governments Targeted in Russian Espionage Campaign

Russian Foreign Intelligence Service Targets Diplomatic and Foreign Policy Entities
European Governments Targeted in Russian Espionage Campaign
Image: Pixabay

A Russian intelligence hacking campaign actively targeted European diplomats and think tanks as part of an espionage operation that lasted nearly six months.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

Researchers at Recorded Future first uncovered the campaign in January and disclosed its findings in a Thursday report. The U.S. federal government in 2021 linked the threat group, widely known as CozyBear or APT29, to the Russian Foreign Intelligence Service. Recorded Future tracks the group as BlueBravo.

The researchers said hackers had designed the campaign to target diplomatic and foreign policy institutions across Eastern Europe. The campaign, which remained active through June, mainly used spear-phishing emails that appeared to come from embassies across Eastern European nations and invited targeted individuals to take part in an event.

The hacking began once the victims enabled malicious macros embedded within the phishing emails. The hackers deployed updated versions of three custom malware apps - dubbed QuarterRig, GraphicalNeutrino and GraphicalProton - to exfiltrate sensitive data.

One characteristic of APT29 is how it blends in malicious traffic with legitimate traffic in order to evade detection. A newly spotted sample of GraphicalProton also used Microsoft's OneDrive for command and control.

In the case of GraphicalNeutrino, the researchers said, hackers used advanced capabilities such as sandbox evasion and API unhooking to prevent detection. The malware also used the note-taking web application Notion for C2 communication.

In April, the Polish CERT and Military Counterintelligence Service warned of an APT29 campaign that had used that used EnvyScout malware to target diplomats associated with NATO and the European Union (see: Russian APT Hackers Actively Targeting European NATO Allies).

Based on the group's activities, Recorded Future researchers estimate BlueBravo will continue to upgrade its malware's capabilities as part of espionage campaigns across Europe.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.