top of page

Russia-Linked APT29 (aka Cozy Bear) Targeting Foreign Ministries

A recent cyber espionage campaign has been attributed to the Russia-linked APT29, also known as Cozy Bear. The campaign targets foreign ministries and diplomatic entities located in NATO member states, the European Union, and Africa. Poland's Military Counterintelligence Service and the CERT Polska team say the observed activity shares tactical overlaps with a cluster tracked by Microsoft as Nobelium. Nobelium is known for its high-profile attack on SolarWinds in 2020. Nobelium's operations have been attributed to Russia's Foreign Intelligence Service (SVR), an organization that's tasked with protecting "individuals, society, and the state from foreign threats." The recent campaign represents an evolution of the Kremlin-backed hacking group's tactics, indicating persistent attempts at improving its cyber weaponry to infiltrate victim systems for intelligence gathering. "New tools were used at the same time and independently of each other, or replacing those whose effectiveness had declined, allowing the actor to maintain a continuous, high operational tempo," the agencies said. The attacks commence with spear-phishing emails impersonating European embassies that aim to entice targeted diplomats into opening malware-laced attachments under the guise of an invitation or a meeting. Embedded within the PDF attachment is a booby-trapped URL that leads to the deployment of an HTML dropper called EnvyScout (aka ROOTSAW), which is then used as a conduit to deliver three previously unknown strains SNOWYAMBER, HALFRIG, and QUARTERRIG.


bottom of page