Russia-based APT29 Group Exploited Information Exchange Systems to Attack Governments

Russia-linked APT29 group was recently spotted exploiting legitimate European information exchange systems to launch attacks against government entities.

The cybercrime organization, also known as The Dukes, Cozy Bear, SVR Group and NOBELIUM, launched a ruthless campaign targeting communication systems and diplomatic organizations.

The perpetrators sent spear-phishing emails carrying weaponized documents with embedded malicious download URLs to their targets.

To entice victims to access the link and infect their systems, perpetrators used Poland’s Ambassador’s schedule for 2023 as a lure, along with legitimate systems such as eTrustEx and LegisWrite. They even hosted the malicious file on a legitimate library website, presumably compromised earlier this year.

“LegisWrite is an editing program that allows secure document creation, revision, and exchange between governments within the European Union,” reads Blackberry’s security advisory. “The fact that LegisWrite is used in the malicious lure indicates that the threat actor behind this lure is specifically targeting state organizations within the European Union.”

Accessing the poisoned links would download an HTML file onto the victim’s machine. Upon analysis, researchers revealed that the document was an iteration of NOBELIUM’s dropper, EnvyScout, tracked as ROOTSAW.

Once downloaded, EnvyScout leverages HTML smuggling techniques to drop an additional IMG or ISO file on the compromised machines. The content of the image files included various encrypted strings meant to further the infection, letting perpetrators harvest information, exfiltrate it to a command center, and achieve persistence on the victims’ computers.

“NOBELIUM actively collects intelligence information about the countries supporting Ukraine in the Russian-Ukraine war,” concludes Blackberry’s report. “The overlap between Poland's Ambassador’s visit to the United States with the lure used in the attacks, provides evidence that the threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection.”

Specialized security software such as Bitdefender Ultimate Security can protect you against cyberthreats thanks to its extensive library of features, including:

• Continuous, all-around protection against worms, Trojans, viruses, spyware, rootkits, zero-day exploits, and other e-threats
• Anti-phishing module that detects and blocks websites masquerading as legitimate ones to steal your credentials or assets
• Antispam technology that filters irrelevant, potentially dangerous messages in your local email client’s inbox (Thunderbird, Outlook)
• Advanced threat defense module that monitors active apps on your system and takes instant action upon detecting suspicious activity