Russian APT Hackers Actively Targeting European NATO Allies
European Embassies and Diplomats at Most Risk, Warns Polish CERT
An ongoing cyberespionage campaign tied to a Russian nation-state group is targeting European government agencies and diplomats to steal Western government intelligence on the war in Ukraine, says the Polish CERT and Military Counterintelligence Service.
A Thursday alert from the two governmental agencies warns a campaign tied to Russian APT group Nobelium is targeting government agencies and diplomats associated with NATO and the European Union, and to a lesser extent, African nations.
The Polish agencies say the hackers are targeting victims using spear-phishing emails that appear to come from European embassies, inviting them to a meeting or an event at one of the embassies.
The emails contain malicious documents disguised as calendar invites or a meeting agenda. When victims open these files, they are redirected to a compromised website hosting a trademark Nobelium malware dropper called EnvyScout, which delivers malicious .iso files to the victim's system.
Nobelium previously used malware hidden in .iso files, but in the latest campaign, hackers load additional .img files lacking the Mark of the Web feature, a security measure used to prevent users from downloading malicious files. The malware opens using Windows Explorer without alerting the system users.
Once executed, the malware loads additional tools previously associated with Nobelium, including the command-and-control tool SnowyAmber and the malware downloader QuarterRig, which then exfiltrate the victim's IP address and other system information.
Hackers use that information to identify potential targets and determine whether they have enabled any antivirus or malware detection tool, the Polish CERT says.
In addition to European government agencies and staff, European nongovernmental entities are also at risk of a Nobelium hack, the Polish CERT said. To protect against hacking, the agency recommends blocking disk image mounting capabilities and enabling software restrictions to prevent unprompted file execution.
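The following PowerShell script is an added example written for this article; it is not from the Polish CERT alert, the BlackBerry report, or any tooling the article describes. It shows two checks a Windows administrator could run in response to the recommendations above: which downloaded .iso/.img files carry a Mark of the Web (the Zone.Identifier alternate data stream), and whether Explorer's double-click "Mount" verb for disk images has been restricted. The download directory, the two registry paths (Windows.IsoFile and Windows.VhdFile ProgIDs) and the use of the ProgrammaticAccessOnly value to hide the mount verb are assumptions made for the example, not details taken from the article.

```powershell
# Added example (not from the article or the CERT alert).
# Run in an elevated PowerShell session on the host being reviewed.

# Assumed path: the folder whose downloaded disk images should be audited.
$downloadDir = "$env:USERPROFILE\Downloads"

# 1. Report which .iso/.img files carry a Mark of the Web.
#    Browsers write a Zone.Identifier stream (ZoneId=3 = Internet) on download;
#    an image without it will not trigger SmartScreen/Office protections.
Get-ChildItem -Path $downloadDir -Include *.iso, *.img -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            File    = $_.FullName
            HasMOTW = [bool]$zone
            ZoneId  = (($zone | Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=', '')
        }
    } | Format-Table -AutoSize

# 2. Check whether Explorer's "Mount" verb for disk images is restricted.
#    Assumption: adding a ProgrammaticAccessOnly value under the verb key hides it
#    from the context menu and from double-click, which is one way to implement
#    "block disk image mounting" while leaving Mount-DiskImage available to admins.
$applyBlock = $false   # set to $true to write the restriction instead of only reporting
$mountKeys = @(
    'HKLM:\SOFTWARE\Classes\Windows.IsoFile\shell\mount',   # assumed ProgID for .iso/.img
    'HKLM:\SOFTWARE\Classes\Windows.VhdFile\shell\mount'    # assumed ProgID for .vhd/.vhdx
)
foreach ($key in $mountKeys) {
    if (-not (Test-Path $key)) {
        "{0}: key not present on this host" -f $key
        continue
    }
    $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $blocked = $null -ne $props.PSObject.Properties['ProgrammaticAccessOnly']
    if (-not $blocked -and $applyBlock) {
        New-ItemProperty -Path $key -Name 'ProgrammaticAccessOnly' -Value '' -PropertyType String | Out-Null
        $blocked = $true
    }
    "{0}: double-click mount {1}" -f $key, $(if ($blocked) { 'BLOCKED' } else { 'allowed' })
}
```

The first check is a triage aid rather than a control: a file that arrived inside an archive or was copied from a share may legitimately lack the stream, so an image without a Mark of the Web is a prompt to look at how it arrived, not proof of an attack. The second check only affects the Explorer verb; software restriction or AppLocker rules are still needed to stop payloads launched from an image that was mounted by other means.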
A recent report from BlackBerry Research and Intelligence says the campaign has been active since early March and targets victims who are using legacy network infrastructure. BlackBerry believes the campaign was likely launched by Russian hackers during the Polish ambassador Marek Magierowski's February visit to the United States.
"We believe the target of Nobelium's campaign is Western countries, especially those in Western Europe, which provide help to Ukraine," BlackBerry researchers wrote.
Nobelium, also known as APT29 and CozyBear, is one of a handful of Russian groups actively engaged in cyber operations against Ukraine and its allies. Researchers believe the group also carried out the SolarWinds supply chain attack discovered in December 2020.