Russian state-sponsored hacking group APT29, also known as Nobelium or Cloaked Ursa, has been using unconventional tactics to target diplomats in Ukraine. Palo Alto Network’s Unit 42 has published a report revealing that APT29 has evolved its phishing techniques, using personalized lures to entice diplomats to click on malicious links that deliver malware.
In one recent operation, APT29 used a BMW car advertisement to target diplomats in Kyiv, Ukraine. The malware was delivered through an HTML page via HTML smuggling, which hides malicious payloads in encoded strings within an HTML attachment or webpage. APT29 has also targeted foreign missions in Kyiv, including those of the United States, Canada, Turkey, and several other countries.
The report from Unit 42 details the infection chain employed by APT29. The malicious document, disguised as a car sale advertisement, contained an embedded link that redirected recipients to an HTML page.
This page delivered malicious ISO file payloads using HTML smuggling. The ISO file appeared to contain PNG images but actually contained LNK files that triggered the infection chain. When the victim opened the LNK files, a legitimate executable launched and injected shellcode into the current process in memory using DLL side-loading.
APT29’s phishing campaigns have targeted at least 22 of the 80 foreign missions in Kyiv, leveraging timely incidents and exploiting vulnerabilities to increase their success rate.
As the conflict in Ukraine continues and geopolitical dynamics evolve within NATO, it is expected that Russian cyber espionage groups like APT29 will intensify their efforts to target diplomatic missions.
The use of personalized lures and sophisticated techniques demonstrates APT29’s adaptability and persistence in conducting cyberespionage campaigns. These attacks highlight the need for heightened security measures and awareness among diplomats and organizations to defend against these sophisticated threats.
