Related to Russia APT29 (aka Cozy Bear) the threat actor has been linked to an ongoing cyber espionage campaign targeting foreign ministries and diplomatic entities located in NATO member countries, the European Union, and Africa.
According to the Polish Military Counterintelligence Service and the Polska CERT team, the observed activity shares tactical overlap with a cluster tracked by Microsoft as Nobelium, known for the high-profile attack against SolarWinds in 2020.
Operation Nobelium has been linked to the Russian Foreign Intelligence Service (SVR), an organization tasked with protecting “individuals, communities and countries from foreign threats”.
That said, the campaign was an evolution of the tactics of a Kremlin-backed hacker group, which demonstrated its persistent efforts to leverage its cyber arsenal to infiltrate victims’ systems for intelligence gathering.
“New tools are used at the same time and independently of each other, or replace tools whose effectiveness has decreased, enabling actors to maintain a high and continuous operational tempo,” the agency said. said.
The attacks started with spear-phishing emails posing as European embassies that aimed to persuade the targeted diplomats to open attachments containing malware under the guise of invitations or meetings.
Embedded in the attached PDF is a trap URL that leads to an implementation of an HTML dropper called EnvyScout (aka ROOTSAW), which is then used as a conduit to deliver three previously unknown strains SNOWYAMBER, HALFRIG, and QUARTERRIG.
SNOWYAMBER, also referred to as GraphicalNeutrino by Recorded Future, leverages the Notion logger service for command-and-control (C2) and additional payload downloads such as Brute Ratel.
QUARTERRIG also functions as a downloader capable of fetching executable files from actor controlled servers. HALFRIG, on the other hand, acts as a loader to launch the Cobalt Strike post-exploit toolkit it contains.
It’s worth noting that the disclosures match BlackBerry’s latest findings, which detail a Nobelium campaign targeting European Union countries, with a particular emphasis on agencies that “assist Ukrainian citizens who fled the country, and provide assistance to the government of Ukraine.”