Russian threat actors are reportedly involved in an ongoing campaign that targets the foreign affairs ministries of NATO-aligned nations. This campaign employs phishing attacks that utilize PDF documents with diplomatic-themed lures, some of which are crafted to appear as if they originate from Germany. The purpose is to deliver a variant of the Duke malware, which has been attributed to the APT29 group, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes.
“The threat actor used Zulip – an open-source chat application – for command-and-control, to evade and hide its activities behind legitimate web traffic,” the researchers added.
The involvement of APT29 is further corroborated by the use of the domain “bahamas.gov[.]bs” across intrusion sets, aligning with previous research. The group’s modus operandi includes leveraging legitimate internet services for their command-and-control infrastructure, such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, and Trello.
APT29 typically targets governments, government subcontractors, political organizations, research firms, and critical industries in the U.S. and Europe. Notably, a separate, unidentified adversary has been observed using APT29-like tactics to breach Chinese-speaking users through Cobalt Strike.
Simultaneously, Ukraine’s Computer Emergency Response Team (CERT-UA) has reported phishing attacks against state organizations using the open-source post-exploitation toolkit called Merlin. The country has faced sustained cyberattacks from Sandworm, a Russian military intelligence-affiliated hacking unit, known for disrupting operations and gathering intelligence.
The Security Service of Ukraine recently revealed attempts by threat actors to gain unauthorized access to Android tablets belonging to Ukrainian military personnel. This underscores the strategic importance of capturing and examining devices on the battlefield, with malware strains such as NETD, DROPBEAR, STL, DEBLIND, and Mirai being used to achieve persistence, remote access, data gathering, exfiltration, and control via a Tor hidden service.
In summary, the campaign by Russian threat actors targeting foreign affairs ministries highlights their use of diplomatic-themed lures and advanced malware to compromise sensitive networks. These actors exhibit a history of using diverse techniques and legitimate services for their attacks, underscoring the need for robust cybersecurity measures and vigilance against evolving threats.