Security analysts from Mandiant have issued a concerning alert following their discovery of Russia’s APT29 hacking group targeting political parties in Germany. This development marks a significant departure from their usual focus on diplomatic figures, signaling a broader operational shift.
The hackers, linked to Russia’s foreign intelligence service (SVR), employed a sophisticated approach, utilizing phishing lures and a new backdoor named Wineloader in their multi-stage malware attack. Mandiant’s investigation revealed that the APT29 group initiated their attack by sending phishing emails to potential victims, disguised as invitations to a dinner reception hosted by Germany’s Christian Democratic Union (CDU).
These emails contained malicious links leading to a ZIP file harboring a malware dropper called Rootsaw, hosted on a compromised website controlled by the attackers. Once executed, this dropper facilitated the installation of Wineloader, a backdoor previously utilized in attacks targeting diplomatic entities across various countries.
The utilization of German-language lure documents is particularly concerning, as it suggests a tailored approach towards domestic targets, a departure from their typical foreign-focused operations.
This shift underscores the group’s adaptability and their capability to evolve their tactics in line with geopolitical dynamics. Moreover, Mandiant warns of APT29’s multifaceted approach, which includes attempts to compromise cloud-based authentication systems and employ brute force techniques like password spraying against Western targets, posing a pervasive threat to political entities across Europe and beyond.
