Russian Espionage Campaign: Unveiling The Intricacies Of The Latest Incident

A large espionage campaign linked to Russia is targeting diplomatic bodies in NATO member states and the European Union, and to a lesser extent in Africa.

According to Poland’s Military Counterintelligence Service and the CERT Polska team (CERT.PL), the campaign relies on spear-phishing emails that impersonate European embassies and link to compromised websites.

The advisory attributes the campaign to the actor tracked as NOBELIUM (also known as APT29) and notes overlaps with that actor’s earlier campaigns, but some of the software used had not been publicly described before.

Additionally, “new tools were used alongside or replacing less effective ones to maintain a high operational tempo,” the Polish advisory said.

Russian Espionage Campaign Phishing Tactics

The campaign used spear-phishing emails, posing as European embassies, to reach diplomatic bodies.

The emails carried invitations to meetings or to work on documents; the link to the compromised website was placed in the email body or in an attached document.

[Image: email posing as the Polish embassy. Source: the Polish advisory]

The compromised website hosted ENVYSCOUT, a tool unique to this actor, which uses HTML smuggling: the payload is embedded in the page as encoded data and reassembled into a file by JavaScript inside the browser, so the malicious file is never transferred as a downloadable object that a mail gateway or web proxy can inspect.
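As an added example, not code from the advisory or from the actor’s ENVYSCOUT tool, the following PowerShell heuristic checks an HTML page for the building blocks of HTML smuggling (base64 decoding, Blob construction, object URLs, a forced download) and sniffs the largest embedded base64 literal for an ISO, ZIP or PE container. The indicator names, the 1024-character blob threshold and the sample page at the end are this example’s own constructions; the sample contains only a zero-filled buffer with the ISO 9660 “CD001” marker, not a real image.

```powershell
# Added example, not from the advisory: heuristic check for HTML smuggling pages of the kind
# ENVYSCOUT is described as. Indicator names, thresholds and the sample page are this example's.
function Test-HtmlSmuggling {
    param(
        [Parameter(Mandatory)][string]$Html,
        [int]$MinBlobChars = 1024          # base64 literal length that counts as an embedded payload
    )
    # JavaScript building blocks a smuggling page needs to turn inline data into a download.
    $indicators = [ordered]@{
        'atob/base64 decode' = '\batob\s*\('
        'Blob construction'  = 'new\s+Blob\s*\('
        'Object URL'         = 'URL\.createObjectURL\s*\('
        'download attribute' = '\.download\s*=|\bdownload\s*='
        'legacy IE save'     = 'msSaveOrOpenBlob|msSaveBlob'
        'programmatic click' = '\.click\s*\(\s*\)'
    }
    $hits = @($indicators.Keys | Where-Object { $Html -match $indicators[$_] })

    # Find the largest base64 literal and sniff the decoded bytes for a container type.
    $payloadType = $null
    $pattern = "['""]([A-Za-z0-9+/]{$MinBlobChars,}={0,2})['""]"
    $m = [regex]::Matches($Html, $pattern) | Sort-Object { $_.Length } -Descending | Select-Object -First 1
    if ($m) {
        try {
            $bytes = [Convert]::FromBase64String($m.Groups[1].Value)
            $payloadType = 'unknown'
            if ($bytes.Length -ge 0x8006 -and
                [Text.Encoding]::ASCII.GetString($bytes, 0x8001, 5) -eq 'CD001') {
                $payloadType = 'ISO 9660 image'      # "CD001" at sector 16 = primary volume descriptor
            } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B) {
                $payloadType = 'ZIP archive'         # "PK"
            } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
                $payloadType = 'PE executable'       # "MZ"
            }
        } catch { $payloadType = 'not valid base64' }
    }

    [pscustomobject]@{
        Indicators  = $hits
        PayloadType = $payloadType
        Suspicious  = ($hits.Count -ge 3) -or ($payloadType -in @('ISO 9660 image', 'ZIP archive', 'PE executable'))
    }
}

# Constructed sample: a minimal ISO-shaped blob (only the "CD001" marker is real) wrapped in the
# usual dropper JavaScript. Real pages pad, obfuscate and rename all of this.
$fakeIso = New-Object byte[] 0x8100
[Text.Encoding]::ASCII.GetBytes('CD001').CopyTo($fakeIso, 0x8001)
$b64 = [Convert]::ToBase64String($fakeIso)
$samplePage = @"
<html><body><script>
var data = '$b64';
var bin = atob(data), arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'Invitation.iso';
a.click();
</script></body></html>
"@

Test-HtmlSmuggling -Html $samplePage
```

The container sniff is what separates a benign page that legitimately builds a Blob download from a dropper. Real droppers often XOR or otherwise obfuscate the payload rather than storing plain base64, so a large non-base64 string sitting next to these calls deserves the same suspicion even when PayloadType comes back empty.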

To get the victim to run the malware, the actor relied on Windows shortcut files (LNK) and on DLL sideloading, in which a legitimate signed executable is tricked into loading a malicious DLL placed alongside it.

Tools Used In Campaign

Various tools were employed throughout the campaign, including SNOWYAMBER, HALFRIG, and QUARTERRIG.

[Image. Source: the Polish advisory]

SNOWYAMBER acted as a downloader, communicating with the operators through the Notion service to fetch further malicious files.

QUARTERRIG was also a downloader; it sent the infected workstation’s IP address and user name to the actor so they could decide whether the victim was of interest before delivering further stages.

HALFRIG, by contrast, was a loader that carried an embedded COBALT STRIKE payload and ran it automatically.

According to the advisory, “majority components of the campaign were repeatable.”

Recurring elements included the use of vulnerable websites belonging to unrelated entities, diplomatic-themed emails, DLL sideloading, the commercial tools COBALT STRIKE and BRUTE RATEL, the ENVYSCOUT tool, and ISO and IMG disc images as the delivery container for the malware.

Recommendations To Protect Yourself

The Military Counterintelligence Service and CERT.PL strongly advise potential targets, especially governmental and diplomatic bodies, foreign ministries, embassies, international organizations, and non-governmental organizations, to promptly adopt the following configuration changes:

  1. Block the ability to mount disk images (ISO and IMG files) on the file system.
  2. Monitor the mounting of disk image files by users with administrator roles.
  3. Enable and configure Attack Surface Reduction rules.
  4. Configure a Software Restriction Policy to prevent executable files from running from unusual locations such as temporary directories, %localappdata% and its subdirectories, and external media.
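The four recommendations as one PowerShell hardening script, added here as an illustration and not taken from the advisory. It assumes a Windows 10/11 endpoint running Microsoft Defender and must run elevated. The registry locations used to hide the mount verb and to write Software Restriction Policy rules, the VHDMP event channel and event ID, and the particular selection of ASR rule GUIDs are this example’s assumptions to verify against current Microsoft documentation before deployment.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory: apply its four recommendations on a Windows 10/11
# endpoint running Microsoft Defender. The registry locations, the VHDMP event channel and ID,
# and the choice of ASR rules are this example's assumptions; check them against current
# Microsoft documentation and test in a pilot group before wide rollout.

# 1. Stop Explorer from mounting ISO/IMG and VHD/VHDX files on double-click or from the context
#    menu by hiding the "mount" verb. Admins can still attach images with Mount-DiskImage.
foreach ($cls in 'Windows.IsoFile', 'Windows.VhdFile') {
    $verb = "HKLM:\SOFTWARE\Classes\$cls\shell\mount"
    if (Test-Path $verb) {
        New-ItemProperty -Path $verb -Name ProgrammaticAccessOnly -Value '' -PropertyType String -Force | Out-Null
    }
}

# 2. Watch for mounts that still happen. The VHDMP driver logs an image coming online as
#    event 1 in its operational channel; ship this to the SIEM and alert on admin accounts.
#    (Get-WinEvent -ListLog *VHDMP* shows the exact channel name on your build.)
function Get-RecentImageMounts {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-VHDMP-Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Message = $_.Message    # contains the image path and the disk number it surfaced as
        }
    }
}

# 3. Attack Surface Reduction rules that cut this chain (mail-borne executables, script-launched
#    downloads, unsigned binaries from removable media). GUIDs from Microsoft's ASR reference.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching downloaded executable content'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    'D4F940AB-401B-4EFC-AADC-D4A9C9E5A4BB' = 'Block Office applications from creating child processes'
}
foreach ($id in $asrRules.Keys) {
    # Use 'AuditMode' first if you need to measure impact before enforcing.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}

# 4. Software Restriction Policy path rules. SRP has no cmdlets; these are the registry values
#    the Safer policy engine reads. Level 0 = Disallowed. %LOCALAPPDATA% is where per-user
#    installers (browsers, chat clients) live, so add Unrestricted (0x40000) exceptions for the
#    ones you rely on, or use AppLocker/WDAC instead where they are available.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $safer -Force | Out-Null
Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord   # default: allow
Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1       -Type DWord   # all software except DLLs
Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0       -Type DWord   # include administrators
foreach ($path in '%TEMP%\*', '%LOCALAPPDATA%\*') {
    $rule = "$safer\0\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData   -Value $path -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags -Value 0     -Type DWord
}
```

External media is not covered by a path rule here because mounted images and USB drives take arbitrary drive letters; steps 1 and 3 (the mount block and the USB ASR rule) are what address that part of the recommendation. Call Get-RecentImageMounts from a scheduled task or a collection agent rather than interactively, since the value of step 2 lies in the history it builds before an incident.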
