Russian Cyberspies Abuse EU Information Exchange Systems in Government Attacks

Russia-linked APT29 was seen abusing the legitimate information exchange systems used by European countries in attacks aimed at governments.

Russia-linked cyberespionage group APT29 has been observed abusing two legitimate information exchange systems used by European countries, BlackBerry reports.

APT29 is a Russian advanced persistent threat (APT) actor mainly focused on cyberespionage. The group, believed to be sponsored by the Russian Foreign Intelligence Service (SVR), is also tracked as Cozy Bear, the Dukes, Nobelium, and Yttrium.

As part of a recently observed campaign aimed at EU governments, the group was seen sending phishing emails with a malicious document attached, using the Polish Foreign Minister’s recent visit to the US as a lure.

Another lure, BlackBerry says, abuses multiple legitimate systems, including LegisWrite and eTrustEx, two official services used for information and data sharing among the governments of European countries.

“LegisWrite is an editing program that allows secure document creation, revision, and exchange between governments within the European Union. The fact that LegisWrite is used in the malicious lure indicates that the threat actor behind this lure is specifically targeting state organizations within the European Union,” BlackBerry notes.

The malicious document includes a link leading to an HTML file hosted on a compromised online library website based in El Salvador. The file is APT29’s malicious dropper, known as RootSaw or EnvyScout, which relies on HTML smuggling to write an IMG or ISO file to the victim’s system.

In this campaign, an ISO file was dropped from the compromised domain. The image contains two files: a Windows shortcut (.lnk) file that runs specified command-line arguments, and a DLL.

When run, the DLL achieves persistence via a newly created registry key and proceeds to collect information about the target system and send it to its command-and-control (C&C) server.

APT29 abuses the API of Notion, a widely used note-taking application, for C&C, which allows it to disguise its traffic as benign. In previous campaigns, the cyberespionage group abused the Trello API for C&C.
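The chain described above (DLL loaded from a mounted ISO, persistence through a new registry value, beaconing to the Notion API) lends itself to a simple host-level correlation. The following is an added example, not code from the article or from BlackBerry, run over constructed Sysmon-style events; the Notion API hostname, the use of a `...\CurrentVersion\Run` key, and the assumption that the ISO is mounted on a non-system drive letter are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed indicators (not from the article): Notion's public API host, the
# HKCU/HKLM ...\CurrentVersion\Run persistence location, and a DLL path on a
# non-system drive letter, which is where Windows mounts an ISO image.
NOTION_API_HOST = "api.notion.com"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
MOUNTED_DLL_RE = re.compile(r'\b[D-Z]:\\[^\s,"]+\.dll\b', re.IGNORECASE)
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def correlate(events):
    """Return {pid: [reasons]} for processes that show the loader stage plus
    at least one later stage (Run-key persistence or Notion API beaconing)."""
    reasons = defaultdict(list)
    for ev in events:
        pid = ev["pid"]
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] == "process_create":
            # Stage 1: a DLL loader started with a DLL that lives on a mounted image
            if image in DLL_LOADERS and MOUNTED_DLL_RE.search(ev["cmdline"]):
                reasons[pid].append("dll_loader_from_mounted_image")
        elif ev["type"] == "registry_set":
            # Stage 2: persistence via a Run key pointing back at the mounted DLL
            if RUN_KEY_RE.search(ev["target"]) and MOUNTED_DLL_RE.search(ev["value"]):
                reasons[pid].append("run_key_points_to_mounted_image")
        elif ev["type"] == "network_connect":
            # Stage 3: Notion API traffic from a process that is not a browser
            if ev["dest_host"].lower() == NOTION_API_HOST and image not in BROWSERS:
                reasons[pid].append("notion_api_from_non_browser")
    return {pid: r for pid, r in reasons.items()
            if "dll_loader_from_mounted_image" in r and len(r) >= 2}

# Constructed sample telemetry in a Sysmon-like shape; not real events.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4242, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe D:\report.dll,Start"},
    {"type": "registry_set", "pid": 4242, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"D:\report.dll"},
    {"type": "network_connect", "pid": 4242, "image": r"C:\Windows\System32\rundll32.exe",
     "dest_host": "api.notion.com"},
    {"type": "network_connect", "pid": 9001, "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest_host": "api.notion.com"},  # benign: a browser talking to Notion
]

if __name__ == "__main__":
    for pid, why in correlate(SAMPLE_EVENTS).items():
        print(pid, why)
```

The browser connection to Notion on its own is not flagged; only the rundll32 process that also shows the loader and persistence stages is reported.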

According to BlackBerry, the APT removed all metadata from the shortcut file, to avoid leaking any information about the systems used in its operations.

“Based on the current geopolitical situation involving Russia’s invasion of Ukraine, the visit of Poland’s Ambassador to the United States and his talk about the war, and the abuse of the online system used to exchange documents inside the European Union, we believe the target of Nobelium’s campaign is Western countries, especially those in Western Europe, which provide help to Ukraine,” BlackBerry notes.

Written by Ionut Arghire, an international correspondent for SecurityWeek.