Home News Russia staged a new phishing campaign targeting Western diplomatic institutions

Russia staged a new phishing campaign targeting Western diplomatic institutions

52 second read
0
15,935
Russia staged a new phishing campaign targeting Western diplomatic institutions

Polish military counterintelligence and cybersecurity experts have detected a massive spying cyber campaign aimed at gathering data from diplomatic institutions in various countries around the world. The relevant statement was posted on the Polish government portal. Counterintelligence and cybersecurity experts at CERT.PL associate the campaign with Russia’s main intelligence agency (GRU). The attack targets diplomatic institutions in EU and NATO member countries and, in some episodes, in Africa.

As noted, many elements of this campaign fully or partially echo the activity that Microsoft documented as Nobelium and that Mandiant (a subsidiary of Google) called APT29. Those behind it are likely also associated with the SolarWinds campaign and tools such as Sunburst, EnvyScout, BoomBox, as well as a number of other spy campaigns. However, there are differences – the software used this time was not previously publicly described. This includes modified versions of SNOWYAMBER, HALFRIG, and QUATERRIG. The new tools likely replaced older ones whose effectiveness has decreased.
In all cases identified, typical phishing techniques were used for the campaign: diplomatic institution employees receive emails supposedly from the embassies of another European country, inviting them to a meeting or referring to specific documents.

Phishing email
Phishing email

The body of the email or attached PDF contains a link that redirects to either the ambassador’s calendar or a file that needs to be downloaded. In reality, the link leads to a compromised website with the EnvyScout script, which decodes the malicious file from the page via JavaScript and gets onto the user’s device. Cybersecurity experts have noticed three different versions of EnvyScout used for this campaign. The campaign is ongoing and institutions that may be of interest to attackers should take additional steps to ensure cybersecurity.

It is also noted that the disclosure of this information was made to throw a spanner in the works of the criminal gang.

Leave a Reply

Your email address will not be published. Required fields are marked *