The Russia-linked APT29 (aka Cozy Bear) threat actor has been attributed to an ongoing cyber espionage campaign targeting foreign ministries and diplomatic entities located in NATO member states, the European Union, and Africa.
According to Poland’s Military Counterintelligence Service and the CERT Polska team, the observed activity shares tactical overlaps with a cluster tracked by Microsoft as Nobelium, which is known for its high-profile attack on SolarWinds in 2020.
Nobelium’s operations have been attributed to Russia’s Foreign Intelligence Service (SVR), an organization that’s tasked with protecting “individuals, society, and the state from foreign threats.”
That said, the campaign represents an evolution of the Kremlin-backed hacking group’s tactics, indicating persistent attempts at improving its cyber weaponry to infiltrate victim systems for intelligence gathering.
“New tools were used at the same time and independently of each other, or replacing those whose effectiveness had declined, allowing the actor to maintain a continuous, high operational tempo,” the agencies said.
The attacks commence with spear-phishing emails impersonating European embassies that aim to entice targeted diplomats into opening malware-laced attachments under the guise of an invitation or a meeting.
Embedded within the PDF attachment is a booby-trapped URL that leads to the deployment of an HTML dropper called EnvyScout (aka ROOTSAW), which is then used as a conduit to deliver three previously unknown strains SNOWYAMBER, HALFRIG, and QUARTERRIG.
Master the Art of Dark Web Intelligence Gathering
Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!
SNOWYAMBER, also referred to as GraphicalNeutrino by Recorded Future, leverages the Notion note-taking service for command-and-control (C2) and downloading additional payloads such as Brute Ratel.
QUARTERRIG also functions as a downloader capable of retrieving an executable from an actor-controlled server. HALFRIG, on the other hand, acts as a loader to launch the Cobalt Strike post-exploitation toolkit contained within it.
It’s worth noting that the disclosure dovetails with recent findings from BlackBerry, which detailed a Nobelium campaign targeting European Union countries, with a specific emphasis on agencies that are “aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.”
