Russian threat actor APT28, also known as ITG05, has been identified in an ongoing cyber espionage campaign targeting entities in at least 13 nations. Tracked by IBM X-Force as ITG05, the group has employed lures related to the Israel-Hamas conflict to deliver a custom backdoor named HeadLace. The campaign’s focus is on European entities with influence over humanitarian aid allocation, employing decoys associated with organizations like the United Nations, the Bank of Israel, the U.S. Congressional Research Service, and the European Parliament.
The infrastructure of ITG05 ensures that only targets from a specific country can receive the malware, indicating a highly targeted approach. Countries affected by the campaign include Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania. The threat actor utilizes authentic documents created by academic, finance, and diplomatic centers to facilitate the attacks. This marks a deviation from previous activities and suggests an increased emphasis on a unique target audience involved in emerging policy creation, especially in the realm of global foreign policy centers.
The disclosure of this cyber espionage campaign follows recent reports from Microsoft, Palo Alto Networks Unit 42, and Proofpoint, highlighting APT28’s exploitation of a critical security flaw in Microsoft Outlook (CVE-2023-23397). In that case, the threat actor gained unauthorized access to victims’ accounts within Exchange servers. The use of official documents as lures by ITG05 signifies a strategic shift and indicates the group’s interest in obtaining advanced insight into critical dynamics surrounding the international community’s approach to competing priorities for security and humanitarian assistance. This campaign underscores the persistent and evolving threat posed by nation-state actors engaging in cyber espionage activities with geopolitical motivations.
