Rewterz Threat Alert – Targeting NATO-Aligned Nations: Russian Threat Actors Focus on Ministries of Foreign Affairs – Active IOCs

Severity

High

Analysis Summary

Russian threat actors are reportedly involved in an ongoing campaign that targets the foreign affairs ministries of NATO-aligned nations. This campaign employs phishing attacks that utilize PDF documents with diplomatic-themed lures, some of which are crafted to appear as if they originate from Germany. The purpose is to deliver a variant of the Duke malware, which has been attributed to the APT29 group, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes.

“The threat actor used Zulip – an open-source chat application – for command-and-control, to evade and hide its activities behind legitimate web traffic.”, researchers added

The attack sequence involves an attachment named “Farewell to Ambassador of Germany,” which includes JavaScript code to initiate a multi-stage process for establishing a persistent backdoor within compromised networks. The use of Zulip, an open-source chat application, for command-and-control purposes allows the threat actor to hide their activities behind legitimate web traffic. The compromised networks communicate with an actor-controlled chat room, indicating remote control over the compromised hosts.

The involvement of APT29 is further corroborated by the use of the domain “bahamas.gov[.]bs” across intrusion sets, aligning with previous research. The group’s modus operandi includes leveraging legitimate internet services for their command-and-control infrastructure, such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, and Trello.

APT29 typically targets governments, government subcontractors, political organizations, research firms, and critical industries in the U.S. and Europe. Notably, a separate, unidentified adversary has been observed using APT29-like tactics to breach Chinese-speaking users through Cobalt Strike.

Simultaneously, Ukraine’s Computer Emergency Response Team (CERT-UA) has reported phishing attacks against state organizations using the open-source post-exploitation toolkit called Merlin. The country has faced sustained cyberattacks from Sandworm, a Russian military intelligence-affiliated hacking unit, known for disrupting operations and gathering intelligence.

The Security Service of Ukraine recently revealed attempts by threat actors to gain unauthorized access to Android tablets belonging to Ukrainian military personnel. This underscores the strategic importance of capturing and examining devices on the battlefield, with malware strains such as NETD, DROPBEAR, STL, DEBLIND, and Mirai being used to achieve persistence, remote access, data gathering, exfiltration, and control via a TOR hidden service.

In summary, the campaign by Russian threat actors targeting foreign affairs ministries highlights their use of diplomatic-themed lures and advanced malware to compromise sensitive networks. These actors exhibit a history of using diverse techniques and legitimate services for their attacks, underscoring the need for robust cybersecurity measures and vigilance against evolving threats.

Impact

• Remote Access
• Information Theft and Espionage
• Reputational Damage

Indicators of Compromise

Domain Name

• toyy.zulipchat.com
• sgrhf.org.pk
• edenparkweddings.com

MD5

• 50f57a4a4bf2c4b504954a36d48c99e7
• 5e1389b494edc86e17ff1783ed6b9d37
• d817f36361f7ac80aba95f98fe5d337d

SHA-256

• b6d26c5b2b2300fa8bf784919638ba849805896cf969c5c330668b350907c148
• 7fc9e830756e23aa4b050f4ceaeb2a83cd71cfc0145392a0bc03037af373066b
• 4c7d0e8478a0a8df824c391ebee227c42930f258d2d55b06f8969931cb07a31e

SHA-1

• 5e58f3ce5b42d1b3c1658bdc9db5b27b4993a3cf
• fa71d067f8187a023334c5503e66fd9be2b73698
• 6837abcb19ac56e311a6eeda2429dcb451b611a1

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Advise users to be cautious when opening attachments or clicking on links in emails, especially those from unknown sources.
• Employ robust email filtering solutions to automatically detect and block phishing emails, preventing them from reaching users’ inboxes.
• Conduct regular training and awareness programs for employees to educate them about phishing techniques and social engineering tactics.
• Ensure that operating systems, applications, and software are kept up-to-date with the latest security patches to address known vulnerabilities that threat actors might exploit.
• Implement network segmentation to isolate critical systems and sensitive data from potentially compromised areas, limiting lateral movement for attackers.
• Enforce MFA for all critical systems and accounts to add an extra layer of security, preventing unauthorized access even if credentials are compromised.
• Deploy advanced endpoint security solutions, including Endpoint Detection and Response (EDR) tools, to detect and respond to suspicious activities on endpoints.
• Implement web filtering solutions that block access to malicious websites and URLs, reducing the chances of users falling victim to phishing links.
• Develop a comprehensive incident response plan that outlines the steps to take in case of a breach. Regularly test and update the plan to ensure effectiveness.
• Conduct regular security audits and penetration tests to identify vulnerabilities and weaknesses in your infrastructure and applications.
• Evaluate the security practices of vendors and third parties that have access to your systems and data, as they can be potential attack vectors.
• Continuously monitor network traffic, user behavior, and system logs for signs of suspicious or unauthorized activities.
• Collaborate with cybersecurity organizations, governmental agencies, and industry groups to share information about emerging threats and best practices.
• Regularly back up critical data and systems, keeping backups offline and inaccessible to potential attackers. This ensures that data can be restored in case of a successful attack.