By: Ravie Lakshmanan
A Russian state-sponsored threat actor has been observed targeting diplomatic and government entities as part of a series of phishing campaigns commencing on January 17, 2022.
Threat intelligence and incident response firm Mandiant attributed the attacks to a hacking group tracked as APT29 (aka Cozy Bear), with some set of the activities associated with the crew assigned the moniker Nobelium (aka UNC2452/2652).
“This latest wave of spear phishing showcases APT29’s enduring interests in obtaining diplomatic and foreign policy information from governments around the world,” Mandiant said in a report published last week.
The initial access is said to have been aided through spear-phishing emails masquerading as administrative notices, using legitimate but compromised email addresses from other diplomatic entities.
These emails contain an HTML dropper attachment called ROOTSAW (aka EnvyScout) that, when opened, triggers an infection sequence that delivers and executes a downloader dubbed BEATDROP on a target system.
Written in C, BEATDROP is designed to retrieve next-stage malware from a remote command-and-control (C2) server. It achieves this by abusing Atlassian’s Trello service to store victim information and fetch AES-encrypted shellcode payloads to be executed.
Also employed by APT29 is a tool named BOOMMIC (aka VaporRage) to establish a foothold within the environment, followed by escalating their privileges within the compromised network for lateral movement and extensive reconnaissance of hosts.
What’s more, a subsequent operational shift observed in February 2022 saw the threat actor pivoting away from BEATDROP in favor of a C++-based loader referred to as BEACON, potentially reflecting the group’s ability to periodically alter their TTPs to stay under the radar.
BEACON, programmed in C or C++, is part of the Cobalt Strike framework that facilitates arbitrary command execution, file transfer, and other backdoor functions such as capturing screenshots and keylogging.
The development follows the cybersecurity company’s decision to merge the uncategorized cluster UNC2452 into APT29, while noting the highly sophisticated group’s propensity for evolving and refining its technical tradecraft to obfuscate activity and limit its digital footprint to avoid detection.
Nobelium, notably, breached multiple enterprises by means of a supply chain attack in which the adversary accessed and tampered with SolarWinds source code, and used the vendor’s legitimate software updates to spread the malware to customer systems.
“The consistent and steady advancement in TTPs speaks to its disciplined nature and commitment to stealthy operations and persistence,” Mandiant said, characterizing APT29 as an “evolving, disciplined, and highly skilled threat actor that operates with a heightened level of operational security (OPSEC) for the purposes of intelligence collection.”
The findings also coincide with a special report from Microsoft, which observed Nobelium attempting to breach IT firms serving government customers in NATO member states, using the access to siphon data from Western foreign policy organizations.