Russian Hackers Targeting Diplomatic Entities in Europe, Americas, and Asia

A Russian state-sponsored threat actor has been observed targeting diplomatic and government entities as part of a series of phishing campaigns commencing on January 17, 2022.


Threat intelligence and incident response firm Mandiant attributed the attacks to a hacking group tracked as APT29 (aka Cozy Bear), with a subset of the activities associated with the crew assigned the moniker Nobelium (aka UNC2452/2652).


"This latest wave of spear phishing showcases APT29's enduring interests in obtaining diplomatic and foreign policy information from governments around the world," Mandiant said in a report published last week.


The initial access is said to have been aided through spear-phishing emails masquerading as administrative notices, using legitimate but compromised email addresses from other diplomatic entities.

These emails contain an HTML dropper attachment called ROOTSAW (aka EnvyScout) that, when opened, triggers an infection sequence that delivers and executes a downloader dubbed BEATDROP on a target system.


Written in C, BEATDROP is designed to retrieve next-stage malware from a remote command-and-control (C2) server. It achieves this by abusing Atlassian's Trello service to store victim information and fetch AES-encrypted shellcode payloads to be executed.
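Because BEATDROP hides its C2 traffic inside a legitimate SaaS platform, network blocklists alone will not catch it; a more useful signal is which process on the host is talking to the service. The detection sketch below is an added example, not code from Mandiant or the article: the log format, host names, process allowlist and sample lines are all constructed assumptions, with `api.trello.com` used as the watched endpoint.

```python
"""Detection sketch: flag outbound connections to a legitimate SaaS API
(here Trello, abused as a C2 channel by BEATDROP) that originate from
processes other than a browser or mail client."""
import re
from collections import defaultdict

# Assumed EDR/proxy log format: "<ts> host=<hostname> proc=<image> dst=<domain>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$")

# SaaS endpoints that can be repurposed as a dead-drop or C2 channel.
WATCHED_DOMAINS = {"api.trello.com", "trello.com"}
# Processes that are expected to reach these services on a workstation (assumption).
ALLOWED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Constructed sample log lines; WS07 shows the pattern worth alerting on.
SAMPLE_LOGS = """\
2022-01-18T09:12:01Z host=WS01 proc=chrome.exe dst=api.trello.com
2022-01-18T09:13:44Z host=WS01 proc=chrome.exe dst=trello.com
2022-01-18T09:15:02Z host=WS07 proc=svchost.exe dst=api.trello.com
2022-01-18T09:15:07Z host=WS07 proc=svchost.exe dst=api.trello.com
2022-01-18T09:16:30Z host=WS09 proc=update.exe dst=windowsupdate.microsoft.com
"""


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_saas_c2_candidates(log_text):
    """Return {(host, proc): count} for non-allowlisted processes reaching watched domains."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["dst"].lower() in WATCHED_DOMAINS and rec["proc"].lower() not in ALLOWED_PROCS:
            hits[(rec["host"], rec["proc"])] += 1
    return dict(hits)


if __name__ == "__main__":
    for (host, proc), n in find_saas_c2_candidates(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {proc} contacted a watched SaaS domain {n} time(s)")
```

Tuning the allowlist to the environment matters: a too-broad list hides the loader, a too-narrow one floods analysts with browser noise.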
