A state-sponsored Russian hacking group has been observed attacking several diplomatic and government entities in the following regions:
- Europe
- America
- Asia
This attack is part of a series of phishing campaigns that started on 17th January 2022. The attacks have been attributed to a hacking group called APT29 (aka Cozy Bear, Dukes, and Yttrium) by the threat intelligence and incident response firm Mandiant.
APT29 is believed to be sponsored by the Russian Foreign Intelligence Service, and during the 2020 SolarWinds cyberattack the group penetrated hundreds of organizations, leading to hundreds of breaches.
Here’s what Mandiant stated in last week’s report:
“Spear-phishing is the latest wave of phishing attacks by APT29, which aims to obtain diplomatic data and foreign policy information from governments all over the world.”
Initial Access
APT29 is believed to have sent spear-phishing emails disguised as embassy administrative updates in order to gain access to the victim’s environment. These emails were sent from legitimate accounts at other diplomatic entities that had been compromised by the attackers.
Mandiant also suspects that APT29 targeted large lists of recipients that embassy personnel list publicly as points of contact.
All of these phishing emails carried an HTML dropper known as ROOTSAW. ROOTSAW uses HTML smuggling to deliver an IMG or ISO file to the victim system.
Once the delivered image file is opened on the victim system, the infection sequence continues and runs a downloader called BEATDROP.
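As an added defensive example (not code from the page or from Mandiant’s report), the following Python scanner applies heuristics for the HTML smuggling pattern described above to an HTML attachment: a large base64 blob, browser-side decoding, Blob/createObjectURL use, and a forced download under a disk-image file name. The sample attachments and the embedded payload are constructed for this example, and the indicator weights and threshold are assumptions, not a description of ROOTSAW’s actual structure.

```python
import base64
import re

# Constructed sample attachment that mimics the HTML-smuggling pattern (a base64
# blob decoded in the browser and offered as an .iso download). The payload is a
# harmless constructed byte string, not real malware.
FAKE_PAYLOAD_B64 = base64.b64encode(b"CONSTRUCTED-TEST-PAYLOAD " * 200).decode()
SAMPLE_SMUGGLING_HTML = f"""<html><body><p>Embassy administrative update</p>
<script>
var data = "{FAKE_PAYLOAD_B64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "embassy_update.iso";
a.click();
</script></body></html>"""

# Constructed benign attachment for comparison.
SAMPLE_BENIGN_HTML = """<html><body><p>Meeting notes are in the shared folder.</p>
<script>console.log("loaded");</script></body></html>"""

# Heuristic indicators; the regexes, weights and threshold are assumptions for this example.
BLOB_API_RE = re.compile(r"URL\.createObjectURL|new\s+Blob\s*\(|msSaveOrOpenBlob")
DECODE_RE = re.compile(r"\batob\s*\(|Uint8Array\.from|TextDecoder")
DOWNLOAD_RE = re.compile(r"""\.download\s*=\s*["']([^"']+\.(?:iso|img|zip|lnk|exe))["']""", re.I)
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{2000,}={0,2}")


def identify_payload(b64_blob: str) -> str:
    """Decode an embedded blob and classify it by magic bytes (ISO 9660, ZIP, PE)."""
    try:
        data = base64.b64decode(b64_blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "undecodable"
    if data[0x8001:0x8006] == b"CD001":  # ISO 9660 primary volume descriptor
        return "iso9660"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"MZ"):
        return "pe"
    return "unknown"


def score_html(html: str) -> dict:
    """Score one HTML attachment; a higher score means more smuggling-like."""
    blobs = B64_BLOB_RE.findall(html)
    findings = {
        "blob_api": bool(BLOB_API_RE.search(html)),
        "decode_api": bool(DECODE_RE.search(html)),
        "download_names": DOWNLOAD_RE.findall(html),
        "embedded_blobs": [identify_payload(b) for b in blobs],
    }
    score = 0
    if findings["blob_api"]:
        score += 2
    if findings["decode_api"]:
        score += 1
    if findings["download_names"]:
        score += 2
    if findings["embedded_blobs"]:
        score += 2
    findings["score"] = score
    return findings


def is_suspicious(html: str, threshold: int = 4) -> bool:
    """Assumed threshold: two or more strong indicators together."""
    return score_html(html)["score"] >= threshold


if __name__ == "__main__":
    for name, doc in [("smuggling", SAMPLE_SMUGGLING_HTML), ("benign", SAMPLE_BENIGN_HTML)]:
        print(name, score_html(doc))
```

In a mail gateway this check would run on HTML attachments before delivery; the magic-byte classification is what lets an analyst tell an embedded ISO/IMG from a benign inline asset, and a decoded blob with an ISO 9660 descriptor alongside a forced `.iso` download is the combination worth blocking.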
Phishing chain
BEATDROP is a downloader written in C that retrieves additional malware from a remote command-and-control server, which can be accessed via a remote desktop.
To do this, the attackers abuse Atlassian’s Trello service to store victim data and to retrieve AES-encrypted shellcode payloads, which are executed upon victim login.
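Because Trello is a legitimate service, reputation-based blocking does not help; the defender’s lever is behaviour. The following is an added example, not part of the original article or of Mandiant’s detection content: it reads a constructed proxy log and flags hosts that talk to Trello’s API with a non-browser user agent, at a regular cadence, or by uploading card attachments. The log lines, IP addresses, paths, user agents and thresholds are all constructed or assumed for the example.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed proxy log (CSV). IPs, paths and user agents are invented for this
# example; CUSTOM-UA-PLACEHOLDER stands in for any non-browser client.
SAMPLE_PROXY_LOG = """timestamp,src_ip,host,method,path,user_agent
2022-02-10T09:00:00Z,10.1.1.5,api.trello.com,GET,/1/members/me/boards,Mozilla/5.0 (Windows NT 10.0) Chrome/98.0
2022-02-10T09:04:11Z,10.1.1.5,api.trello.com,PUT,/1/cards/c1,Mozilla/5.0 (Windows NT 10.0) Chrome/98.0
2022-02-10T10:31:47Z,10.1.1.5,api.trello.com,GET,/1/boards/b1/cards,Mozilla/5.0 (Windows NT 10.0) Chrome/98.0
2022-02-10T09:00:00Z,10.1.1.9,api.trello.com,GET,/1/boards/b2/cards,CUSTOM-UA-PLACEHOLDER/1.0
2022-02-10T09:05:00Z,10.1.1.9,api.trello.com,GET,/1/boards/b2/cards,CUSTOM-UA-PLACEHOLDER/1.0
2022-02-10T09:10:01Z,10.1.1.9,api.trello.com,POST,/1/cards/c2/attachments,CUSTOM-UA-PLACEHOLDER/1.0
2022-02-10T09:15:00Z,10.1.1.9,api.trello.com,GET,/1/boards/b2/cards,CUSTOM-UA-PLACEHOLDER/1.0
2022-02-10T09:20:00Z,10.1.1.9,api.trello.com,GET,/1/boards/b2/cards,CUSTOM-UA-PLACEHOLDER/1.0
2022-02-10T09:00:00Z,10.1.1.7,www.example.org,GET,/,Mozilla/5.0 (Windows NT 10.0) Firefox/97.0
"""

TRELLO_HOSTS = {"api.trello.com", "trello.com"}
BROWSER_UA_RE = re.compile(r"^Mozilla/\d")  # assumption: browser UAs start with Mozilla/


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze(log_text: str, min_requests: int = 4, max_cv: float = 0.1) -> dict:
    """Return {src_ip: [reasons]} for every host that contacted Trello.

    Reasons (all heuristic assumptions for this example):
      - non-browser user agent talking to the Trello API
      - regular request cadence: coefficient of variation of the gaps <= max_cv
      - uploads to card attachments (a plausible data-staging path)
    """
    per_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["host"] not in TRELLO_HOSTS:
            continue
        per_host[row["src_ip"]].append(
            (parse_ts(row["timestamp"]), row["user_agent"], row["method"], row["path"])
        )

    results = {}
    for src, events in per_host.items():
        events.sort(key=lambda e: e[0])
        reasons = []
        if any(not BROWSER_UA_RE.match(e[1]) for e in events):
            reasons.append("non-browser user agent")
        if len(events) >= min_requests:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_cv:
                reasons.append(f"regular cadence (~{round(avg)}s)")
        if any(e[2] in ("POST", "PUT") and "/attachments" in e[3] for e in events):
            reasons.append("upload to card attachments")
        results[src] = reasons
    return results


def suspicious_hosts(log_text: str) -> list:
    """Hosts with at least one reason, sorted for stable output."""
    return sorted(src for src, reasons in analyze(log_text).items() if reasons)


if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_PROXY_LOG).items():
        print(src, reasons or ["no indicators"])
```

On the constructed log the interactive user (10.1.1.5) produces no indicators, while 10.1.1.9 trips all three. The cadence test is the most portable of the three, since a downloader polling a board for new payloads tends to keep a fixed interval where a person does not; tune `max_cv` against a baseline of real browser traffic before alerting on it.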
Additionally, to gain a foothold within the environment, APT29 operators also used a tool named BOOMMIC (also known as VaporRage).
In February 2022 the threat actor pivoted away from BEATDROP in favor of BEACON, a C++-based loader; this is thought to be the result of an operational shift observed at that time.
BEACON, a program written in C or C++, is the agent of the Cobalt Strike framework and provides several key capabilities, listed here:
- Arbitrary command execution
- File transfer
- Capturing screenshots
- Keylogging
The findings also correlate with a special report published by Microsoft, which reported Nobelium’s attempts to breach IT firms.
These IT firms appear to primarily serve government customers in NATO member countries; the attackers harvest information from these Western foreign policy organizations and use it for their own purposes.