A sophisticated cyberattack orchestrated by a hacking group with ties to Russia is currently underway, targeting European diplomats through meticulously crafted deception.
According to Check Point Research, the Advanced Persistent Threat (APT) group known as APT29 – also referred to as Midnight Blizzard, the Dukes, or Cozy Bear – is employing an innovative “advanced phishing campaign.” This scheme lures potential victims with invitations to seemingly legitimate wine tasting events.
The tactic involves a deceptive impersonation of a prominent European Ministry of Foreign Affairs. Recipients are prompted to click on web links that ultimately lead to the installation of a new backdoor malware dubbed GRAPELOADER.
“This campaign appears specifically designed to compromise European diplomatic entities, including embassies from nations outside of Europe,” stated Check Point Research in their advisory.
The emails use subject lines intended to appear innocuous, such as “Wine tasting event (update date),” “For Ambassador’s Calendar,” and “Diplomatic dinner.”
The U.S. Cybersecurity and Infrastructure Security Agency has previously identified APT29 as a cyber espionage group with strong connections to the SVR, a branch of Russian intelligence services.
APT29 is known for its ability to target high-profile organizations, including government agencies and think tanks, utilizing a wide range of both custom-built and commercially available malware. Their tactics extend beyond targeted phishing campaigns to encompass complex supply chain attacks.
- The campaign has been observed impacting multiple European countries with a particular focus on Ministries of Foreign Affairs and embassies.
- There is evidence suggesting limited targeting outside of Europe, including diplomats located in the Middle East.
The initial phase of these phishing attacks began in January 2024.
Persistence appears to be a key element of APT29’s strategy: if an initial email fails to elicit a response, follow-up emails are dispatched to increase the chances of a successful compromise.
The servers hosting these malicious links are designed to resist conventional scanning and automated analysis tools. The malicious download is served only under specific conditions, potentially tied to the time of the visit or the visitor’s geographic location; when the link is accessed directly outside those conditions, it redirects the user to the official website being impersonated.
At this time, it remains unclear whether any of these phishing attacks have been successful in their objective.