Russian state-sponsored hackers, identified as the infamous group APT29, also known as Cozy Bear or Blue Bravo, have been implicated in a recent cyber-espionage campaign targeting embassies and international organizations. This operation, analyzed by Ukraine’s National Cyber Security Coordination Center (NCSCC), took place in September and involved sophisticated tactics similar to those used in previous campaigns, including an operation against embassies in Kyiv in April.
Embassies in the Crosshairs
The primary goal of this campaign was to infiltrate embassy entities, with targets in Azerbaijan, Greece, Romania, and Italy. One of the most notable victims was the major Greek internet provider Otenet. Diplomatic accounts, particularly those associated with the foreign affairs ministries in Azerbaijan and Italy, suffered the most. This focus suggests that Russian intelligence was attempting to gather information regarding Azerbaijan’s strategic activities, especially in the context of the Azerbaijani invasion of the Nagorno-Karabakh region.
Exploiting Vulnerabilities
APT29 leveraged a recently discovered vulnerability in the Windows file archiver tool WinRAR, identified as CVE-2023-3883. State-controlled hackers connected to Russia and China exploited this bug before it was patched, and it remains a significant threat wherever unpatched versions of the tool are still in use. The vulnerability allows attackers to execute arbitrary code by means of a specially crafted ZIP archive.
Phishing Emails and Novel Techniques
In this campaign, Cozy Bear sent victims phishing emails containing a link to a PDF document and a malicious ZIP file that exploits the WinRAR vulnerability, potentially granting attackers access to the compromised systems. The emails, claiming to have information about the sale of diplomatic BMW cars, were designed to convince targets to open the malicious files. This same lure was used during the group’s attack on the embassies in Kyiv.
Furthermore, the attackers introduced a novel technique for communicating with the malicious server. They used a legitimate tool called Ngrok, which is typically used during web development and testing to provide temporary public URLs for local web servers. In this case, the attackers used it to obscure their activity and to communicate with compromised systems while evading detection.
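A defender-side check for the Ngrok tunnelling described above, as an added example that is not taken from the NCSCC analysis: it scans DNS query records for ngrok tunnel hostnames and groups hits by client, skipping hosts where ngrok use is expected. The log format, host names, allowlist and domain suffix list are assumptions constructed for illustration.

```python
"""Flag DNS lookups of ngrok tunnel hostnames, grouped by client host."""
from collections import defaultdict

# Public ngrok tunnel domains (assumed list; extend for your environment).
NGROK_SUFFIXES = ("ngrok.io", "ngrok-free.app", "ngrok.app", "ngrok.dev")

# Constructed sample records: "<ISO timestamp> <client host> <queried name>"
SAMPLE_LOG = """\
2023-09-12T08:01:10Z ws-dipl-07 www.example.org
2023-09-12T08:03:44Z ws-dipl-07 a1b2c3d4.ngrok-free.app
2023-09-12T08:03:59Z ws-dipl-07 A1B2C3D4.NGROK-FREE.APP.
2023-09-12T08:10:02Z dev-web-01 demo.ngrok.io
2023-09-12T08:11:30Z ws-cons-02 notngrok.io
malformed line
2023-09-12T09:15:00Z ws-cons-02 tunnel.eu.ngrok.io
"""

def is_ngrok(name):
    """True if name is an ngrok domain or subdomain (label-boundary match)."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in NGROK_SUFFIXES)

def find_ngrok_lookups(log_text, allowed_hosts=frozenset()):
    """Return {host: {count, first, last, names}} for hosts not on the allowlist."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "names": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than abort the scan
        ts, host, name = parts
        if host in allowed_hosts or not is_ngrok(name):
            continue
        h = hits[host]
        h["count"] += 1
        # Same-format ISO 8601 UTC timestamps order correctly as strings.
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["names"].add(name.rstrip(".").lower())
    return dict(hits)

if __name__ == "__main__":
    # dev-web-01 stands in for a developer machine where ngrok is sanctioned.
    for host, h in sorted(find_ngrok_lookups(SAMPLE_LOG, {"dev-web-01"}).items()):
        print(host, h["count"], h["first"], h["last"], sorted(h["names"]))
```

Matching on label boundaries keeps look-alike names such as `notngrok.io` out of the results, and the allowlist keeps sanctioned developer use from drowning out lookups on hosts that have no reason to run a tunnel.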
APT29’s History of Cyberattacks
APT29 has a history of carrying out cyberattacks against various targets, including the Ukrainian military, political parties, diplomatic agencies, think tanks, and nonprofit organizations. During the war in Ukraine, they launched a spying campaign targeting foreign ministries and diplomatic entities in NATO countries, the European Union, and Africa. Their tactics in these operations were similar to those used in the recent campaign.
Conclusion: A Persistent Cyber Threat
The activities of APT29, particularly in this recent campaign, highlight the ongoing and sophisticated nature of state-sponsored cyber espionage. The use of novel techniques and the exploitation of vulnerabilities underscore the need for constant vigilance and advanced cybersecurity measures. As cyber threats continue to evolve, understanding and preparing for these sophisticated attacks becomes increasingly crucial for national security and international relations.