Western diplomats and government services are currently being targeted by phishing campaigns launched by Russian hackers. In these campaigns the perpetrators pose as embassy staff and urge the recipients, Western government services, to go through ‘important policy updates’ as soon as possible via a rogue URL, or they try to convince the recipients to let communication run through a command and control server.
So reports cybersecurity company Mandiant.
This is how the hackers worked
Between January and March of this year, Mandiant’s security researchers observed multiple phishing campaigns. In all cases, the emails appeared to come from an embassy employee. In reality, a Russian hacker had gained access to the email account. In this way, the attackers tried to gain the recipients’ trust.
The compromised email addresses were listed as contact points on embassies’ websites, Mandiant found. The hackers used an HTML smuggling technique to deliver an image or ISO file. These files contained a Windows shortcut file (LNK) that executed a malicious DLL when the recipient clicked it. To hide this, the LNK file was disguised as a text document.
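As an added example (not code from Mandiant’s report or from this article), the following Python script applies two defensive checks inspired by the delivery chain described above: a heuristic scan of an HTML attachment for the browser-side constructs that HTML smuggling relies on, and a filename check for LNK shortcuts disguised as documents inside an ISO or image file. The sample HTML and filenames are constructed for this demonstration; the indicator names, the alert threshold and the extension lists are assumptions of mine, not Mandiant’s detection logic.

```python
"""Triage helpers for the HTML-smuggling -> ISO/IMG -> disguised LNK delivery chain.

Added example; sample inputs are constructed, thresholds are assumptions.
"""
import base64
import re
from typing import Dict, List

# Building blocks of HTML smuggling: the payload travels as text inside the
# HTML, is decoded in JavaScript, wrapped in a Blob and pushed to the user as
# a download, so no file ever crosses the mail gateway as an attachment.
SMUGGLING_PATTERNS: Dict[str, re.Pattern] = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"\bURL\.createObjectURL\s*\(|msSaveOrOpenBlob\s*\("),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)"),
    # A multi-kilobyte base64 literal is the embedded payload itself.
    "large_b64_literal": re.compile(r"[\"'][A-Za-z0-9+/]{2000,}={0,2}[\"']"),
}

# Disk-image containers used to wrap the LNK (ISO/IMG as in the article; the
# VHD variants are an assumption added for completeness).
CONTAINER_EXTENSIONS = (".iso", ".img", ".vhd", ".vhdx")
# Inner extensions an attacker uses to make "file.txt.lnk" look like a document.
DOCUMENT_LOOKALIKES = (".txt", ".doc", ".docx", ".pdf", ".rtf")


def smuggling_indicators(html: str) -> List[str]:
    """Return the names of every smuggling building block found in the HTML."""
    return [name for name, rx in SMUGGLING_PATTERNS.items() if rx.search(html)]


def is_suspected_smuggling(html: str, threshold: int = 3) -> bool:
    """Flag the attachment when at least `threshold` building blocks co-occur
    (assumed threshold; a single atob() or Blob on its own is common in benign pages)."""
    return len(smuggling_indicators(html)) >= threshold


def is_disk_image(filename: str) -> bool:
    """True for attachment names that are mountable disk images."""
    return filename.lower().endswith(CONTAINER_EXTENSIONS)


def is_disguised_shortcut(filename: str) -> bool:
    """True for a Windows shortcut whose name carries a document-like inner
    extension, e.g. 'policy_update.txt.lnk' shown by Explorer as 'policy_update.txt'."""
    lower = filename.lower()
    if not lower.endswith(".lnk"):
        return False
    inner = lower[:-len(".lnk")]
    return any(inner.endswith(ext) for ext in DOCUMENT_LOOKALIKES)


# Constructed sample: 3000 zero bytes stand in for an embedded ISO image.
_FAKE_PAYLOAD_B64 = base64.b64encode(b"\x00" * 3000).decode()

SAMPLE_SMUGGLED_HTML = f"""<html><body>
<p>Please review the attached policy update.</p>
<script>
  var data = "{_FAKE_PAYLOAD_B64}";
  var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "policy_update.iso";
  a.click();
</script></body></html>"""

# Constructed benign sample: a plain HTML mail with an ordinary link.
SAMPLE_BENIGN_HTML = """<html><body><p>Meeting moved to 14:00.</p>
<a href="https://example.invalid/agenda.pdf">Agenda</a></body></html>"""


if __name__ == "__main__":
    for label, html in (("smuggled", SAMPLE_SMUGGLED_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(label, smuggling_indicators(html), "-> alert" if is_suspected_smuggling(html) else "-> ok")
    for name in ("policy_update.iso", "policy_update.txt.lnk", "policy_update.txt"):
        print(name, "disk image" if is_disk_image(name) else "",
              "disguised LNK" if is_disguised_shortcut(name) else "")
```

In a mail gateway or EDR pipeline the two checks complement each other: the HTML heuristic fires on the message before the user opens it, while the filename check fires when a mounted ISO exposes a shortcut masquerading as a document.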
Once activated, the malware connects to Trello to communicate with its command and control infrastructure. Once this connection is established, the hackers can spy on their target undetected. In this way they can take screenshots, retrieve credentials through keylogging, monitor network activity and enable a proxy server mode, among other things.
APT29 responsible for cyber attack
Once the hackers have infiltrated a system, they can within 12 hours gain access to files and accounts that are normally out of their reach. This is known as privilege escalation. They explore the network and look for the passwords of high-ranking employees, and move laterally by means of Cobalt Strike beacons.
According to the security researchers, this method is characteristic of APT29, a Russian hacking group also known as Cozy Bear or Nobelium.
Similarities to attack on SolarWinds
The same attack technique was also used in the SolarWinds cyber attack. The Russian secret service SVR is said to have ordered APT29 to add a backdoor to software called Orion Network Management Tools. This made it possible to eavesdrop on political authorities, local authorities and companies.
Russia has denied the attack from the outset. According to the Russian Foreign Ministry, the accusation was nothing more than an “unfounded attempt by the US media to blame the cyberattacks on Russia” and cast the country in a bad light.