APT29 Hackers Use Unusual Baits to Target Diplomats in Ukraine
The Russian-speaking hacking group APT29 (aka Nobelium and Cloaked Ursa) has been using unusual baits in its attacks, according to Palo Alto Networks. In a recent campaign, the hackers used an advertisement for the sale of a BMW car to target diplomats working in Kyiv.
APT29 Refines Its Phishing Tactics
The researchers write that APT29 has recently refined its phishing tactics and is now using more personal baits targeted at specific recipients of malicious emails.
Malicious Links Sent to Diplomats in Ukraine
In one of the latest APT29 campaigns, discovered by experts in May 2023, attackers used an advertisement for the sale of a BMW car to attack diplomats working in Kyiv.
The message about the sale of the car was sent to the email addresses of diplomats and imitated a real announcement, which two weeks earlier was distributed among colleagues by a Polish diplomat who was preparing to leave Ukraine.
If the recipient clicked on a link embedded in a malicious document that promised more photos, they were redirected to an HTML page that delivered a malicious ISO payload to the victim’s system using HTML smuggling.
This ISO file, in turn, reportedly contained nine LNK files and started the infection chain.
When the victim opened any of the LNK files, it would launch a legitimate executable that used DLL side-loading to inject shellcode into the current process in memory.
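As an added illustration from the defender's side (example code, not from Palo Alto Networks or the article), the following Python heuristic triages an HTML attachment for the HTML-smuggling pattern described above: a large encoded literal that script decodes, wraps in a Blob and pushes to the browser as a download of a container such as an ISO. The two sample pages are constructed for the example and the thresholds (1024 characters, entropy above 5.0 bits) are assumptions a mail gateway would tune.

```python
"""Heuristic triage of an HTML file for HTML-smuggling indicators (added example)."""
import base64
import math
import re

# Patterns common to HTML-smuggling pages: decode a literal -> build a Blob -> force a download.
DECODE_RE = re.compile(r"\batob\s*\(|Uint8Array|TextDecoder", re.I)
BLOB_RE = re.compile(r"new\s+Blob\s*\(|createObjectURL|msSaveOrOpenBlob", re.I)
DOWNLOAD_RE = re.compile(r"""\bdownload\s*=\s*['"]([^'"]+)['"]""", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{1024,}={0,2}")
# Container and script types that hide the mark-of-the-web or run directly when opened.
CONTAINER_EXTS = (".iso", ".img", ".vhd", ".vhdx", ".lnk", ".zip", ".js", ".hta")


def shannon_entropy(s: str) -> float:
    """Bits per character; base64 of compressed or binary data sits close to 6.0."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def analyze_html(html: str) -> dict:
    """Return the matched indicators; two or more independent ones mark the page suspicious."""
    findings = []
    if DECODE_RE.search(html) and BLOB_RE.search(html):
        findings.append("decode-to-Blob pattern (atob/Uint8Array with Blob/createObjectURL)")
    for m in DOWNLOAD_RE.finditer(html):
        if m.group(1).lower().endswith(CONTAINER_EXTS):
            findings.append(f"forced download of a container/script file: {m.group(1)}")
    for m in B64_RE.finditer(html):
        if shannon_entropy(m.group(0)) > 5.0:
            findings.append(f"large high-entropy base64 literal ({len(m.group(0))} chars)")
            break
    return {"findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample pages (not artefacts from the campaign) used to exercise the checks.
_PAYLOAD_B64 = base64.b64encode(bytes(range(256)) * 8).decode()  # stands in for a smuggled ISO
SMUGGLING_HTML = f"""<html><body><p>More photos below</p><script>
var data = "{_PAYLOAD_B64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'photos.iso';
a.click();
</script></body></html>"""
BENIGN_HTML = '<html><body><h1>Car for sale</h1><img src="photo1.jpg"><a href="photos.zip">more photos</a></body></html>'

if __name__ == "__main__":
    for name, page in (("smuggling", SMUGGLING_HTML), ("benign", BENIGN_HTML)):
        print(name, analyze_html(page))
```

A single indicator (a legitimate site offering a zip download, say) is not enough on its own, which is why the verdict requires two independent matches.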
Targeted Embassies in Kyiv
Analysts write that this campaign targeted at least 22 of the 80 embassies in Kyiv, including the diplomatic missions of the United States, Canada, Turkey, Spain, the Netherlands, Greece, Estonia and Denmark. Approximately 80% of the victims' email addresses were freely available on the Internet, while the remaining 20% were apparently obtained by the hackers through compromised accounts and intelligence gathering.
The use of such unusual baits by APT29 is a reminder of the importance of cyber security for diplomats and other government officials. It is essential that they remain vigilant and take all necessary precautions to protect their systems and data from malicious actors.