Russian hackers linked to widespread attacks targeting NATO and EU

Russian bear

Poland’s Military Counterintelligence Service and its Computer Emergency Response Team have linked APT29 state-sponsored hackers, part of the Russian government’s Foreign Intelligence Service (SVR), to widespread attacks targeting NATO and European Union countries.

As part of this campaign, the cyberespionage group (also tracked as Cozy Bear and Nobelium) aimed to harvest information from diplomatic entities and foreign ministries.

“At the time of publication of the report, the campaign is still ongoing and in development,” an advisory published today warns.

“The Military Counterintelligence Service and CERT.PL recommend all entities which may be in the area of interest of the actor to implement mechanisms aimed at improving the security of IT Security systems in use and increasing the detection of attacks.”

The attackers have targeted diplomatic personnel using spear phishing emails impersonating European countries’ embassies with links to malicious websites or attachments designed to deploy malware via ISO, IMG, and ZIP files.

Websites controlled by APT29 infected victims with the EnvyScout dropper via HTML smuggling, which helped deploy downloaders known as SNOWYAMBER and QUARTERRIG and designed to deliver additional malware, as well as a CobaltStrike Beacon stager named HALFRIG.

SNOWYAMBER and QUARTERRIG were used for reconnaissance to help the attackers evaluate each target’s relevance and determine whether they compromised honeypots or VMs used for malware analysis.

“If the infected workstation passed manual verification, the aforementioned downloaders were used to deliver and start-up the commercial tools COBALT STRIKE or BRUTE RATEL,” a separate malware analysis report released today reads.

“HALFRIG, on the other hand, works as a so-called loader – it contains the COBALT STRIKE payload and runs it automatically.”

APT29 attack flowAttack flow (CERT Polska)

​APT29 is the Russian Foreign Intelligence Service (SVR) hacking division which was also linked to the SolarWinds supply-chain attack that led to the compromise of multiple U.S. federal agencies three years ago.

Since then, the hacking group has breached other organizations’ networks using stealthy malware that remained undetected for years, including a new malware tracked as TrailBlazer and a variant of the GoldMax Linux backdoor.

Unit 42 has also observed the Brute Ratel adversarial attack simulation tool being used in attacks suspected to be linked to the Russian SVR cyber spies.

More recently, Microsoft reported that the APT29 hackers are using new malware capable of hijacking Active Directory Federation Services (ADFS) to log in as anyone in Windows systems.

They’ve also targeted Microsoft 365 accounts in NATO countries in attempts to access foreign policy information and orchestrated a wave of phishing campaigns targeting governments, embassies, and high-ranking officials across Europe.


  • ThomasMann Photo ThomasMann – 4 days ago

    Unbelievable… these guys are so good! They find things out, they find out everything…
    Russians spying against NATO and USA?

    What will they find out next? That the american government has spies working against Russia?

    Isn’t it amazing ???? They really find out everything !

  • SomePerson Photo SomePerson – 3 days ago

    I would not have expected anything less from Russia.

  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.26 4M+ Downloads

  • AdwCleaner Logo


    Version: 56M+ Downloads

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.1 2M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 22,668 Downloads

  • Zemana AntiLogger Free Logo

    Zemana AntiLogger Free

    Version: 53,590 Downloads


Related posts

Kubernetes RBAC abused to create persistent cluster backdoors

Sarah Henriquez

FBI seized domains linked to 48 DDoS-for-hire service platforms

Sarah Henriquez

Twitter failed to log you out of all devices after password resets

Sarah Henriquez

Leave a Comment