It has been reported that hackers with links to Russia have initiated espionage attacks on foreign diplomatic entities.

A cyber espionage campaign currently targeting foreign ministries and diplomatic entities in NATO member states, the European Union, and Africa has been attributed to the Russia-linked Advanced Persistent Threat (APT) actor APT29 (also known as Cozy Bear). According to Poland’s Military Counterintelligence Service and the CERT Polska team, the observed activity resembles a cluster tracked by Microsoft as Nobelium, which is known for its high-profile attack on SolarWinds in 2020. Nobelium’s operations are believed to be associated with Russia’s Foreign Intelligence Service (SVR), an organization tasked with protecting “individuals, society, and the state from foreign threats.” The campaign illustrates the Kremlin-backed group’s persistent efforts to improve its cyber tooling in order to infiltrate victim systems for intelligence gathering. The agencies stated that “new tools were used at the same time and independently of each other, or replacing those whose effectiveness had declined, allowing the actor to maintain a continuous, high operational tempo.”

The attack begins with spear-phishing emails impersonating European embassies, intended to entice targeted diplomats into opening malware-laced attachments disguised as invitations or meeting notifications. Opening the PDF attachment reveals a booby-trapped URL that leads to the deployment of an HTML dropper known as EnvyScout (also referred to as ROOTSAW). The dropper is then used to deliver three previously unknown strains: SNOWYAMBER, HALFRIG, and QUARTERRIG. SNOWYAMBER, also referred to as GraphicalNeutrino by Recorded Future, uses the Notion note-taking service for command-and-control (C2) and for downloading additional payloads such as Brute Ratel. QUARTERRIG functions as a downloader capable of retrieving an executable from an actor-controlled server, while HALFRIG acts as a loader that launches the Cobalt Strike post-exploitation toolkit embedded within it. These findings coincide with recent discoveries from BlackBerry, which detailed a Nobelium campaign targeting European Union countries, with a focus on agencies aiding Ukrainian citizens fleeing the country and providing assistance to the government of Ukraine.
