Russian SolarWinds Culprits Launch Fresh Barrage of Espionage Cyberattacks

Published: 23/11/2024   Category: security




The threat group behind the SolarWinds supply chain attacks is back with new tools for spying on officials in NATO countries and Africa.



As part of its ongoing invasion of Ukraine, Russian intelligence has once again enlisted the services of hacker group Nobelium/APT29, this time to spy on foreign ministries and diplomats from NATO-member states, as well as other targets in the European Union and Africa.
The timing dovetails with a spate of attacks on Canadian infrastructure that are also believed to be linked to Russia.
The Polish Military Counterintelligence Service and the CERT team in Poland issued an alert on April 13, along with indicators of compromise, warning potential targets of the espionage campaign about the threat.
Nobelium, as the group is designated by Microsoft, also named APT29 by Mandiant, isn't new to the nation-state espionage game; the group was behind the infamous SolarWinds supply chain attack nearly three years ago.
Now, APT29 is back with a whole new set of malware tools and reported marching orders to infiltrate the diplomatic corps of countries supportive of Ukraine, the Polish military and CERT alert explained.
In every instance, the advanced persistent threat (APT) begins its attack with a well-conceived spear-phishing email, according to the Polish alert.
"Emails impersonating embassies of European countries were sent to selected personnel at diplomatic posts," authorities explained. "The correspondence contained an invitation to a meeting or to work together on documents."
The message would then direct the recipient to click on a link or download a PDF to access the ambassador's calendar or get meeting details — both send the targets to a malicious site loaded with the threat group's signature script, which the report identifies as Envyscout.
"It utilizes the HTML-smuggling technique — whereby a malicious file placed on the page is decoded using JavaScript when the page is opened and then downloaded on the victim's device," Polish authorities added. "This makes the malicious file more difficult to detect on the server side where it is stored."
The malicious site also sends the targets a message reassuring them they downloaded the correct file, the alert said.
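Because the file is assembled in the browser rather than fetched from the server, a defender looking for HTML smuggling has to inspect the page content itself: a large inline payload next to the JavaScript primitives that decode it and hand it to the browser as a download. The following heuristic scanner is an added example (not code from the Polish alert, CERT.PL, or Dark Reading); the primitive lists, scoring weights, the threshold of 4, and both sample pages are constructed assumptions meant for a mail gateway or sandbox triage step, not a signature for Envyscout specifically.

```python
"""Heuristic HTML-smuggling triage (added example, not from the alert).

Flags HTML that combines (a) a large embedded payload blob with (b) the
browser-side primitives used to decode it and trigger a download. Sample
pages below are constructed fixtures, not captured phishing content.
"""
import re
from dataclasses import dataclass, field

# JavaScript primitives typically used to turn an inline string back into bytes.
DECODE_PRIMITIVES = ("atob(", "Uint8Array", "TextDecoder", "charCodeAt")
# Primitives used to hand those bytes to the browser as a file download.
DROP_PRIMITIVES = ("new Blob(", "URL.createObjectURL", "msSaveOrOpenBlob",
                   ".download", "download=")
# Long uninterrupted base64 or hex runs are the usual carrier for the payload.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/=]{2048,}")
HEX_BLOB = re.compile(r"(?:[0-9a-fA-F]{2}){1024,}")
# Container/script extensions that a smuggled download commonly carries.
DROPPED_EXT = re.compile(r"\.(iso|img|zip|lnk|hta|js)\b", re.IGNORECASE)
THRESHOLD = 4  # assumed cut-off; tune against your own benign traffic


@dataclass
class Verdict:
    suspicious: bool
    score: int
    reasons: list = field(default_factory=list)


def scan_html(html: str) -> Verdict:
    """Score one HTML document; higher means more smuggling-like."""
    score, reasons = 0, []

    blob = BASE64_BLOB.search(html) or HEX_BLOB.search(html)
    if blob:
        score += 2
        reasons.append(f"embedded payload blob of {len(blob.group(0))} chars")

    # Decode/drop primitives only matter when there is script on the page.
    if "<script" in html.lower():
        decoders = [p for p in DECODE_PRIMITIVES if p in html]
        droppers = [p for p in DROP_PRIMITIVES if p in html]
        if decoders:
            score += 1
            reasons.append("decode primitives: " + ", ".join(decoders))
        if droppers:
            score += 2
            reasons.append("download primitives: " + ", ".join(droppers))

    if DROPPED_EXT.search(html):
        score += 1
        reasons.append("container/script file extension present")

    return Verdict(score >= THRESHOLD, score, reasons)


# Constructed fixtures. The "payload" is a dummy run of 'A's, not a real file.
DUMMY_PAYLOAD = "A" * 2100
BENIGN_SAMPLE = (
    '<html><head><script src="/static/app.js"></script></head>'
    '<body><img src="data:image/png;base64,' + DUMMY_PAYLOAD + '" alt="logo">'
    '</body></html>'
)
SMUGGLING_SAMPLE = (
    '<html><body><p>Your file is ready.</p><script>'
    'var payload = "' + DUMMY_PAYLOAD + '";'
    'var bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));'
    'var blob = new Blob([bytes], {type: "application/octet-stream"});'
    'var a = document.createElement("a");'
    'a.href = URL.createObjectURL(blob); a.download = "invitation.zip"; a.click();'
    '</script></body></html>'
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_SAMPLE), ("smuggling", SMUGGLING_SAMPLE)):
        v = scan_html(page)
        print(f"{name}: suspicious={v.suspicious} score={v.score} {v.reasons}")
```

The benign page deliberately carries an inline base64 image and an external script so the scanner has to rely on the combination of signals rather than any one of them; a page with an inline logo scores 3 and stays below the threshold, while the decode-plus-download pattern scores 6. In production the same scoring would run over HTML attachments and over the rendered page a sandbox fetched from the phishing link, and hits would be forwarded to a browser sandbox that records what actually gets written to disk.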
"Spear-phishing attacks are successful when the communications are well written, use personal information to demonstrate familiarity with the target, and appear to come from a legitimate source," Patrick Harr, CEO of SlashNext, tells Dark Reading about the campaign. "This espionage campaign meets all of the criteria for success."
One phishing email, for instance, impersonated the Polish embassy, and, interestingly, throughout the course of the observed campaign, the Envyscout tool was tweaked three times with obfuscation improvements, the Polish authorities noted.
Once compromised, the group uses modified versions of the Snowyamber downloader, Halfrig, which runs Cobalt Strike as embedded code, and Quarterrig, which shares code with Halfrig, the Polish alert said.
"We are seeing an increase in these attacks where the bad actor uses multiple stages in a campaign to adjust and improve success," Harr adds. "They employ automation and machine learning techniques to identify what is evading detection and modify subsequent attacks to improve success."
Governments, diplomats, international organizations, and non-governmental organizations (NGOs) should be on high alert for this, and other, Russian espionage efforts, according to Polish cybersecurity authorities.
"The Military Counterintelligence Service and CERT.PL strongly recommend that all entities that may be in the actor's area of interest implement configuration changes to disrupt the delivery mechanism that was used in the described campaign," officials said.
Besides warnings from Polish cybersecurity officials, over the past week, Canada's Prime Minister Justin Trudeau made public statements about a recent spate of Russian-linked cyberattacks aimed at Canadian infrastructure, including denial-of-service attacks on Hydro-Québec, an electric utility, the website for Trudeau's office, the Port of Québec, and Laurentian Bank. Trudeau said the cyberattacks are related to Canada's support of Ukraine.
"A couple of denial-of-service attacks on government websites, bringing them down for a few hours, is not going to cause us to rethink our unequivocal stance of doing whatever it takes for as long as it takes to support Ukraine," Trudeau said, according to reports.
The Canadian Centre for Cyber Security boss, Sami Khoury, said at a news conference last week that while there was no damage done to Canada's infrastructure, the threat is real. "If you run the critical systems that power our communities, offer Internet access to Canadians, provide health care, or generally operate any of the services Canadians can't do without, you must protect your systems," Khoury said. "Monitor your networks. Apply mitigations."
As Russia's invasion of Ukraine rages on into its second year, Mike Parkin with Vulcan Cyber says the recent campaigns should hardly be a surprise.
"The cybersecurity community has been watching the fallout and collateral damage from the conflict in Ukraine since it started, and we've known Russian and pro-Russian threat actors were active against Western targets," Parkin says. "Considering the levels of cybercriminal activity we were already dealing with, [these are] just some new tools and new targets — and a reminder to make sure our defenses are up to date and properly configured."