Russian SolarWinds Culprits Launch Fresh Barrage of Espionage Cyberattacks

As part of its ongoing invasion of Ukraine, Russian intelligence has once again enlisted the services of hacker group Nobelium/APT29, this time to spy on foreign ministries and diplomats from NATO-member states, as well as other targets in the European Union and Africa.

The timing also dovetails with a spate of attacks on Canadian infrastructure, also believed to be linked to Russia.

The Polish Military Counterintelligence Service and the CERT team in Poland issued an alert on April 13, along with indicators of compromise, warning potential targets of the espionage campaign about the threat. Nobelium, as the group is designated by Microsoft, also named APT29 by Mandiant, isn't new to the nation-state espionage game, the group was behind the infamous SolarWinds supply chain attack nearly three years ago.

Now, APT29 is back with a whole new set of malware tools and reported marching orders to infiltrate the diplomatic corps of countries supportive of Ukraine, the Polish military and CERT alert explained.

APT29 Is Back With New Orders

In every instance, the advanced persistent threat (APT) begins its attack with a well-conceived spear-phishing email, according to the Polish alert.

"Emails impersonating embassies of European countries were sent to selected personnel at diplomatic posts," authorities explained. "The correspondence contained an invitation to a meeting or to work together on documents."

The message would then direct the recipient to click on a link or download a PDF to access the ambassador's calendar, or get meeting details — both send the targets to a malicious site loaded with the threat group's "signature script," which the report identifies as "Envyscout."

"It utilizes the HTML-smuggling technique — whereby a malicious file placed on the page is decoded using JavaScript when the page is opened and then downloaded on the victim's device," Polish authorities added. "This makes the malicious file more difficult to detect on the server side where it is stored."

The malicious site also sends the targets a message reassuring them they downloaded the correct file, the alert said.

"Spear-phishing attacks are successful when the communications are well written, use personal information to demonstrate familiarity with the target, and appear to come from a legitimate source," Patrick Harr, CEO of SlashNext, tells Dark Reading about the campaign. "This espionage campaign meets all of the criteria for success."

One phishing email, for instance, impersonated the Polish embassy, and, interestingly, throughout the course of the observed campaign, the Envyscout tool was tweaked three times with obfuscation improvements, the Polish authorities noted.

Once compromised, the group uses modified versions of Snowyamber downloader, Halfrig, which runs Cobalt Strike as embedded code, and Quarterrig, which shares code with Halfrig, the Polish alert said.

"We are seeing an increase in these attacks where the bad actor uses multiple stages in a campaign to adjust and improve success," Harr adds. "They employ automation and machine learning techniques to identify what is evading detection and modify subsequent attacks to improve success."
Governments, diplomats, international organizations, and non-governmental organizations (NGOs) should be on high alert for this, and other, Russian espionage efforts, according to Polish cybersecurity authorities.

"The Military Counterintelligence Service and CERT.PL strongly recommend that all entities that may be in the actor's area of interest implement configuration changes to disrupt the delivery mechanism that was used in the described campaign," officials said.

Russian-Linked Attacks on Canada's Infrastructure

Besides warnings from Polish cybersecurity officials, over the past week, Canada's Prime Minister Justin Trudeau made public statements about a recent spate of Russian-linked cyberattacks aimed at Canadian infrastructure, including denial-of-service attacks on Hydro-Québec, electric utility, the website for Trudeau's office, the Port of Québec, and Laurentian Bank. Trudeau said the cyberattacks are related to Canada's support of Ukraine.

"A couple of denial-of-service attacks on government websites, bringing them down for a few hours, is not going to cause us to rethink our unequivocal stance of doing whatever it takes for as long as it takes to support Ukraine," Trudeau said, according to reports.

The Canadian Centre for Cyber Security boss, Sami Khoury, said at a news conference last week that while there was no damage done to Canada's infrastructure, "the threat is real.""If you run the critical systems that power our communities, offer Internet access to Canadians, provide health care, or generally operate any of the services Canadians can't do without, you must protect your systems," Khoury said. "Monitor your networks. Apply mitigations."

Russia's Cybercrime Efforts Rage On

As Russia's invasion of Ukraine wages on into its second year, Mike Parkin with Vulcan Cyber says the recent campaigns should hardly be a surprise.

"The cybersecurity community has been watching the fallout and collateral damage from the conflict in Ukraine since it started, and we've known Russian and pro-Russian threat actors were active against Western targets," Parkin says. "Considering the levels of cybercriminal activity we were already dealing with, [these are] just some new tools and new targets — and a reminder to make sure our defenses are up to date and properly configured."