A series of sophisticated phishing campaigns targeting diplomatic and governmental organizations has been linked to a Russian state-sponsored hacking group known as APT29, or Cozy Bear. This threat actor has been active since January 17, 2022, employing a range of techniques that highlight their ongoing interest in gathering sensitive diplomatic and foreign policy information from around the globe.
The cybersecurity firm Mandiant has attributed these campaigns to APT29 and a subset of its activities identified as Nobelium, also referred to as UNC2452/2652. Their recent operations underscore a strategic focus on spear phishing, utilizing emails that masquerade as legitimate administrative notices. These emails leverage compromised accounts within diplomatic circles, thereby enhancing their credibility and likelihood of success.
These emails carry a malicious HTML attachment known as ROOTSAW which, when opened, initiates a malware infection sequence aimed at deploying an additional payload dubbed BEATDROP. This loader, written in C, communicates with a remote command-and-control (C2) server by abusing Atlassian’s Trello platform for data storage and for retrieval of AES-encrypted shellcode payloads.
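As an added, defender-side example (not code from the page or from Mandiant's report): a small Python detection run over constructed proxy log lines that flags Trello API contacts from processes that are not browsers and then checks whether those contacts recur at a near-constant interval, the way a loader polling its C2 through a legitimate service would. The log format, host names and process names are assumptions, not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of proxy/EDR network log lines (not taken from the page).
# Assumed format: timestamp host process "user-agent" dest_host path
SAMPLE_LOG = """\
2022-02-01T09:00:01Z WS-17 chrome.exe "Mozilla/5.0 (Windows NT 10.0)" api.trello.com /1/boards/b1/cards
2022-02-01T09:05:02Z WS-17 rundll32.exe "WinHTTP/1.0" api.trello.com /1/cards/c1/attachments
2022-02-01T09:10:03Z WS-17 rundll32.exe "WinHTTP/1.0" api.trello.com /1/cards/c1/attachments
2022-02-01T09:15:04Z WS-17 rundll32.exe "WinHTTP/1.0" api.trello.com /1/cards/c1/attachments
2022-02-01T09:20:05Z WS-09 outlook.exe "Microsoft Office/16.0" outlook.office365.com /owa/
2022-02-01T09:21:00Z WS-22 powershell.exe "PowerShell/7.2" api.trello.com /1/boards/b2/cards
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\S+) (\S+)$')
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}  # assumed allow-list

def parse_log(log_text):
    """Parse lines into dicts; silently skip lines that do not match the assumed format."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, proc, ua, dest, path = m.groups()
            records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            "host": host, "proc": proc.lower(), "ua": ua,
                            "dest": dest.lower(), "path": path})
    return records

def trello_from_non_browser(log_text):
    """Count Trello contacts per (host, process) where the process is not a known browser."""
    hits = defaultdict(int)
    for r in parse_log(log_text):
        if r["dest"].endswith("trello.com") and r["proc"] not in BROWSERS:
            hits[(r["host"], r["proc"])] += 1
    return dict(hits)

def regular_beacons(log_text, tolerance_s=5, min_hits=3):
    """Flag (host, process, dest) triples whose contacts recur at a near-constant interval (seconds)."""
    series = defaultdict(list)
    for r in parse_log(log_text):
        series[(r["host"], r["proc"], r["dest"])].append(r["ts"])
    flagged = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue  # too few contacts to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            flagged[key] = round(sum(gaps) / len(gaps))
    return flagged
```

A single non-browser hit (the powershell.exe line) is surfaced by the first check but not the second; the periodicity check is what separates a one-off script from a loader polling on a timer.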
In conjunction with this, APT29 employs an additional tool named BOOMMIC, or VaporRage, to establish a persistent presence within the compromised networks. This tool allows them to escalate privileges and conduct extensive reconnaissance, enabling lateral movement across targeted environments.
A notable shift in operational tactics occurred in February 2022, when APT29 pivoted from using BEATDROP to a C++-based loader called BEACON, indicating their adaptability and ongoing evolution in tactics, techniques, and procedures (TTPs). BEACON is integrated within the Cobalt Strike framework, allowing for advanced functionalities such as arbitrary command execution, file transfers, and data exfiltration via screen capture and keylogging.
The merging of the UNC2452 cluster into APT29 represents a strategic assessment by Mandiant, highlighting this group’s capability for advanced operations while maintaining a low profile to evade detection. The high level of operational security that APT29 exhibits is particularly notable, as it allows them to conduct long-term intelligence operations with minimal exposure.
Previously, Nobelium gained notoriety for executing a supply chain compromise that affected SolarWinds, ultimately injecting malware into legitimate software updates. This incident serves as a testament to their methodical and disciplined approach to cyber operations, particularly their emphasis on stealth and persistence.
Recent reports from Microsoft corroborate Mandiant’s findings, indicating that Nobelium has been actively targeting IT firms with ties to government clients in NATO member states. This aligns with their historical focus on siphoning data from Western policy organizations and emphasizes the ongoing risk posed by state-sponsored threat actors.
As organizations continue to navigate the complexities of cybersecurity, understanding the tactics employed by groups like APT29 serves as a critical reminder of the sophisticated threats present today. Mapping these behaviors to the MITRE ATT&CK framework, including initial access, persistence, privilege escalation, and data exfiltration, can equip business leaders with the knowledge necessary to bolster their defenses against such threats.