Rewterz Threat Alert -Russian-Linked NOBELIUM APT Group Abuses EU Information Exchange Systems In Attacks Aimed At Government – Active IOCs

Severity

High

Analysis Summary

The recent cyber espionage campaign aimed at EU countries by the Russia-linked APT29 group, also known as Cozy Bear, Nobelium, and The Dukes, is a concerning development. The group has been using legitimate information exchange systems to target diplomatic entities and transmit sensitive information about the region’s politics. The campaign also aimed to aid Ukrainian citizens fleeing the country and provide help to the Ukrainian government. The attacks underscore the importance of robust cybersecurity measures for governments and organizations to protect against sophisticated threats from state-sponsored actors.

The attack chain begins with a spear-phishing email that contains a weaponized document with a link that leads to the download of an HTML file. The HTLM files used in these attacks were hosted on a legitimate online library website that was likely compromised by the threat actors between the end of January 2023 and the beginning of February 2023.

“One of the lures appeals to those who want to find out the Poland Ambassador’s schedule for 2023. It overlaps with Ambassador Marek Magierowski’s recent visit to the United Statesp; specifically, his talk on February 2, where he discussed the war in Ukraine at the Catholic University of America Columbus School of Law, also known as the Catholic Law, which is based in Washington, DC.” according to the analysis published by researchers

Another lure, which the researchers discovered, utilizes many legitimate systems, such as LegisWrite and eTrustEx, which the EU countries employ for safe data transfer and information sharing. LegisWrite is an editing program used by governments within the European Union, which means that threat actors used it in a malicious lure to target state organizations within the EU specifically.

APT29 used a version of NOBELIUM’s dropper, which is tracked as ROOTSAW (aka EnvyScout). EnvyScout employs the HTML smuggling technique to deliver an IMG or ISO file to the victim’s system. This technique involves embedding a file within an HTML file and then using various tricks to make it appear as if the file is part of the legitimate webpage. This allows the attacker to bypass security measures that would typically flag a malicious file as suspicious and prevent it from being downloaded.

“NOBELIUM actively collects intelligence information about the countries supporting Ukraine in the Russian-Ukraine war. The overlap between Poland’s Ambassador’s visit to the United States with the lure used in the attacks, provides evidence that the threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection.”

Furthermore, our initial analysis of weaponized LNK files shows that the threat actor behind this campaign used anti-forensic techniques to wipe out personal metadata to remove information connected to its operations systems.” they conclude

Impact

• Information Theft and Espionage
• Exposure of Sensitive Data

Indicators of Compromise

MD5

• e693777a3a85583a1bbbd569415be09c
• 89f716d32461880cd0359ffbb902f06e
• e0cb8157e6791390463714b38158195a
• cf36bf564fbb7d5ec4cec9b0f185f6c9
• 8d5c0f69c1caa29f8990fbc440ab3388
• 82ecb8474efe5fedcb8f57b8aafa93d2
• 38b05aa4b5ba651ba95f7173c5145270

SHA-256

• 505f1e5aed542e8bfdb0052bbe8d3a2a9b08fc66ae49efbc9d9188a44c3870ed
• c1ebaee855b5d9b67657f45d6d764f3c1e46c1fa6214329a3b51d14eba336256
• dbb39c2f143265ad86946d1c016226b0e01614af35a2c666afa44ac43b76b276
• e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98
• 3a489ef91058620951cb185ec548b67f2b8d047e6fdb7638645ec092fc89a835
• 4d92a4cecb62d237647a20d2cdfd944d5a29c1a14b274d729e9c8ccca1f0b68b
• dffaefaabbcf6da029f927e67e38c0d1e6271bf998040cfd6d8c50a4eff639df

SHA-1

• 6b0816a0bd5e9fb694bdf5ac0dbb1254dab49acc
• 782adaf89576c642f14eb13df0d9815f33bd7d56
• 77c2539008c390d0960b3077530959e603bc4297
• 8eb64670c10505322d45f6114bc9f7de0826e3a1
• d56edb68f55c4010ebed13b67089370f6b40ffc5
• 3fd43de3c9f7609c52da71c1fc4c01ce0b5ac74c
• 01424a07b968b5659c58c6d11f32f01475921a05

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Implement multi-factor authentication (MFA) for all users, especially those with privileged access. This can help prevent unauthorized access to sensitive data, even if passwords are compromised.
• Conduct regular security awareness training for employees to help them identify and prevent phishing and social engineering attacks. This includes educating employees about the latest tactics and techniques used by cybercriminals, such as spear-phishing emails that appear to be sent from trusted sources.
• Use network segmentation and firewalls to limit lateral movement within the network. This can help contain the spread of malware and prevent attackers from moving laterally to other systems and applications.
• Regularly patch and update all systems and applications to mitigate known vulnerabilities. This includes implementing security updates as soon as they become available.
• Use advanced threat detection and response tools to monitor network activity and detect signs of compromise. This can help identify and respond to threats in real-time, minimizing the impact of a potential breach.