The Russia-linked cyber espionage group APT29, also known as Cozy Bear, has been carrying out a series of attacks against foreign ministries and diplomatic organizations in NATO member countries, the European Union, and Africa. The finding comes from Poland's Military Counterintelligence Service and the CERT Polska team, who observed that the group's tactics closely match those of the cluster Microsoft tracks as Nobelium, the actor behind the high-profile SolarWinds supply chain compromise disclosed in 2020.
Nobelium's operations have been connected to Russia's Foreign Intelligence Service (SVR), an agency responsible for safeguarding individuals, society, and the state from foreign threats. The campaign demonstrates the Kremlin-backed hacking group's evolving tactics and persistent efforts to enhance its cyber arsenal for intelligence gathering purposes.
According to the agencies, the group rolled out new tools, at times in parallel with one another and at times on their own, retiring older and less effective tooling so as to keep its operational tempo high. The attacks begin with spear-phishing emails that impersonate European embassies and aim to trick targeted diplomats into opening malicious attachments disguised as invitations or meeting requests.
The attachments are PDF files that carry a malicious URL; following it leads to an HTML dropper called EnvyScout (also known as ROOTSAW). EnvyScout in turn delivers one of three previously undocumented strains: SNOWYAMBER, HALFRIG, and QUARTERRIG.
SNOWYAMBER, which Recorded Future tracks as GraphicalNeutrino, uses the Notion note-taking service for command-and-control (C2), a legitimate SaaS platform chosen so that the C2 traffic blends in with ordinary web use, and fetches additional payloads such as Brute Ratel. QUARTERRIG is a downloader that retrieves an executable from an actor-controlled server. HALFRIG is a loader that launches a Cobalt Strike post-exploitation payload embedded within it.
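The chain above (PDF lure with an external link, then an HTML dropper) is what a mail gateway or incident responder has to triage before the payload stage ever runs. The following script is an added example written for this article, not tooling from CERT Polska, Microsoft or the report; it scans a PDF attachment for link and action dictionaries and scores an HTML page for in-browser payload assembly (HTML smuggling), which is assumed here to be the dropper's technique since the page itself only calls it an "HTML dropper". Both samples are constructed for the example and the domain is a placeholder, not an indicator from the campaign.

```python
import re

# Constructed sample: a minimal, uncompressed PDF with a link annotation whose
# /URI action opens an external page, the lure pattern described above.
# The hostname is a placeholder (hypothetical), not an indicator from the report.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://invitation.example.invalid/rsvp.html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: an HTML "invitation" page that rebuilds a payload inside
# the browser and forces a download (HTML smuggling). The base64 is truncated.
SAMPLE_HTML = b"""<html><body><script>
var b64 = "UEsDBBQAAAAIAA...";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "Invitation.iso"; a.click();
</script></body></html>"""

# PDF name tokens that make an attachment do something beyond rendering text.
PDF_ACTIONS = {
    b"/URI": "external link",
    b"/Launch": "launches an external program",
    b"/JavaScript": "embedded JavaScript",
    b"/OpenAction": "action runs on open",
    b"/EmbeddedFile": "embedded file",
}
# Literal-string form of a /URI value: /URI (…) with backslash escapes allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def triage_pdf(data: bytes) -> dict:
    """Return the action types and external URLs found in raw PDF bytes."""
    findings = {"actions": [], "urls": []}
    for token, description in PDF_ACTIONS.items():
        if token in data:
            findings["actions"].append(description)
    for match in URI_RE.finditer(data):
        findings["urls"].append(match.group(1).decode("latin-1"))
    # Objects inside compressed streams are invisible to a raw scan, so a clean
    # result on a compressed file must not be trusted without inflating first.
    if b"/FlateDecode" in data:
        findings["caveat"] = "compressed streams present; decompress before trusting a clean result"
    return findings


# JavaScript fragments that, taken together, reassemble a file in the browser.
SMUGGLING_INDICATORS = {
    "atob(": "base64 decode in page",
    "Uint8Array": "byte buffer built client-side",
    "new Blob(": "payload assembled as a Blob",
    "createObjectURL": "blob turned into a download URL",
    "msSaveOrOpenBlob": "legacy save-blob API",
    ".download": "forced download filename",
    ".click()": "scripted click on the download link",
}
# Container and script extensions commonly used to carry the next stage.
RISKY_EXT = (".iso", ".img", ".zip", ".lnk", ".hta", ".js", ".vbs", ".exe")
DOWNLOAD_NAME_RE = re.compile(r'\.download\s*=\s*["\']([^"\']+)["\']')


def triage_html(data: bytes) -> dict:
    """Score an HTML page for HTML-smuggling behaviour; threshold is a judgement call."""
    text = data.decode("utf-8", errors="replace")
    hits = [desc for needle, desc in SMUGGLING_INDICATORS.items() if needle in text]
    names = DOWNLOAD_NAME_RE.findall(text)
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
    score = len(hits) + 2 * len(risky)
    return {
        "indicators": hits,
        "download_names": names,
        "risky_names": risky,
        "score": score,
        "verdict": "likely HTML smuggling" if score >= 4 else "inconclusive",
    }


if __name__ == "__main__":
    print("PDF :", triage_pdf(SAMPLE_PDF))
    print("HTML:", triage_html(SAMPLE_HTML))
```

The PDF check is deliberately a raw-byte scan so it has no dependencies; in practice run it after inflating streams (pypdf or qpdf can do that), because a lure built by a real toolkit will usually compress its object streams. The HTML scoring is a heuristic for triage, not a verdict: legitimate single-page apps also use `Blob` and `createObjectURL`, so the weight is placed on the combination with a forced download of a container or script file.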
These revelations align with recent findings from BlackBerry, which disclosed a Nobelium campaign targeting European Union countries. The campaign specifically focuses on agencies assisting Ukrainian citizens fleeing the country and providing support to the Ukrainian government.