Russian cyber spies target German politicians in sophisticated phishing attack

The US security firm Mandiant, a subsidiary of Google owner Alphabet, said in a report on Friday that it had detected APT29 engaging in a phishing campaign aimed at German political parties.

The group attempted to deceive “key German political figures” by sending emails posing as invitations to a purported 1st March dinner event hosted by the opposition conservative Christian Democratic Union (CDU) party.

“To take part in the event, please fill out a questionnaire and send it by email in the next few days,” the message in the email stated, according to German newspaper Der Spiegel.

The message even mentioned the appropriate outfit for the event. “Dress code: business smart.”

Germany’s cyber agency BSI circulated an alert, echoing similar concerns, indicating that state-backed cyber spies aimed to establish long-term access to German political networks for the purpose of exfiltrating sensitive data.

Mandiant said the campaign used APT29’s signature first-stage payload, ROOTSAW (aka EnvyScout), to deliver a newly identified backdoor variant named WINELOADER. The deceptive emails contained German-language lure documents bearing the CDU logo.

Victims who fell prey to the phishing attempt were directed to a malicious ZIP file hosted on an actor-controlled compromised website. This ZIP file contained the ROOTSAW dropper, which facilitated the delivery of subsequent malicious payloads.

The CDU stated that this wasn’t its first encounter with such attempts, and that they “received very prompt information about the attack.”

“There was no official CDU dinner on 1st March, the event was fictitious.”

As per Mandiant researchers, APT29, also known as Cozy Bear and BlueBravo, among other aliases, appears to be shifting its focus to target political parties, marking a departure from its conventional attacks on diplomatic figures.

“This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions.”

APT29 gained infamy in 2020 for its involvement in the SolarWinds attack, which granted the Russian intelligence agency access to sensitive internal material from various US government departments.

Neither the BSI nor Mandiant provided specifics regarding the identities of the targeted figures.

Dan Black of Mandiant said the cyber campaign is not solely directed at Germany but forms part of Russia’s broader strategy to erode European backing for Ukraine.

John Hultquist, the chief analyst at Mandiant, warned that the SVR has consistently been assigned the role of aiding Russia in comprehending and forecasting Western political dynamics.

“For an intelligence service, a political party may represent the earliest possible opportunity for insight,” he said.

“There is no reason to believe this activity is limited to any single party or country. The answers Russia is seeking are almost certainly spread across organisations, all of whom may be targeted for collection efforts. This targeting should be a concern for Germany, Europe, and even the United States.”

Germany’s active role in providing military support to Ukraine has undoubtedly heightened tensions between Berlin and Moscow, with Vladimir Putin previously acknowledging strained relations between the two nations.

Just days prior to the cyberattack revelation, a German soldier faced charges for allegedly passing classified information to Russian intelligence.

Earlier this month, Russian media released a wiretapped conversation wherein Bundeswehr officers were overheard discussing arms deliveries to Ukraine.
