Russian cyberespionage group APT29 has been observed using new malware and techniques in phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia, Mandiant reports.
Also known as Cozy Bear, the Dukes, and Yttrium, APT29 is believed to be sponsored by the Russian Foreign Intelligence Service (SVR) and to have orchestrated the 2020 SolarWinds attack that led to hundreds of organizations getting breached.
Reports on APT29’s targeting of diplomatic entities – including the 2016 attacks against the Democratic National Committee (DNC) and a November 2018 attempt to infiltrate the DNC – stretch back over half a decade, with some reports tracing the group’s activity as far back as 2013.
In attacks carried out in 2022, Mandiant’s security researchers, who have been tracking extensive APT29 phishing campaigns since early 2021, have observed the use of new malware families, along with a change in the group’s tooling to evade detection.
According to the researchers, who last week officially attributed the SolarWinds attacks to APT29, “the diplomatic-centric targeting of this recent activity is consistent with Russian strategic priorities as well as historic APT29 targeting.”
Mandiant has been tracking APT29’s new phishing campaigns against diplomatic and government entities since mid-January, and says that the observed emails – which masquerade as administrative notices – show close similarities with Nobelium phishing attacks analyzed in 2021.
The emails targeted a large number of recipients, likely “primarily publicly listed points of contact of embassy personnel.” The malicious messages carried the ROOTSAW HTML dropper, which would write an IMG or ISO file to disk.
The attacks employed new downloaders, which Mandiant tracks as BEATDROP and BOOMMIC, and misused legitimate services such as Atlassian’s Trello, Firebase, and Dropbox for command and control (C&C) functionality.
Written in C, BEATDROP uses Trello for C&C, and was typically used to deploy a malicious payload onto the compromised systems. In February 2022, the attackers switched from using BEATDROP for the delivery of Cobalt Strike Beacon via a third-party service to employing a novel C++ Beacon dropper.
Typically, within minutes after a successful BEATDROP deployment, BOOMMIC (also known as VaporRage) was used to establish a foothold within the network, achieve persistence, and fetch shellcode payloads and load them into memory.
After establishing access, the attackers were also observed attempting to escalate privileges, often gaining Domain Admin access less than 12 hours after initial compromise. APT29 would employ multiple techniques to escalate privileges, including exploiting misconfigured certificate templates to impersonate administrator users.
Next, the group would perform extensive reconnaissance – including searching hosts for credentials, such as passwords stored in SYSVOL – and move laterally within the environment, using Cobalt Strike Beacon and impersonating privileged users (via malicious certificates).
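One defender-side check for the “passwords stored in SYSVOL” finding above, added here as an illustration and not taken from the Mandiant report or this article: the classic case is a Group Policy Preferences XML file still carrying a `cpassword` attribute, and the script below walks a SYSVOL-style tree and lists every such entry. The SYSVOL layout, GPO folder name, account names and the placeholder `cpassword` value are all constructed for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preference XML files that may carry a 'cpassword' attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

def find_cpassword(sysvol_root):
    """Walk a SYSVOL tree and return (relative path, element tag, account)
    for every preference item whose Properties still carry a cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed file: skip it rather than abort the audit
            for elem in root.iter():
                props = elem.find("Properties")
                if props is not None and props.get("cpassword"):  # empty = no stored password
                    account = (props.get("userName") or props.get("accountName")
                               or props.get("runAs") or "<unknown>")
                    findings.append((os.path.relpath(path, sysvol_root),
                                     elem.tag, account))
    return sorted(findings)

# Constructed sample data (not real): one local-account entry with a stored
# cpassword, one without, and a drive-mapping file that carries none.
SAMPLE_GROUPS = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
 <User name="LocalAdmin"><Properties action="U" userName="LocalAdmin"
   cpassword="CONSTRUCTED-PLACEHOLDER"/></User>
 <User name="Helpdesk"><Properties action="U" userName="Helpdesk" cpassword=""/></User>
</Groups>"""
SAMPLE_DRIVES = """<?xml version="1.0" encoding="utf-8"?>
<Drives><Drive name="H:"><Properties action="U" path="\\\\fs\\home"/></Drive></Drives>"""

def build_sample_sysvol():
    """Write the constructed files into a temporary SYSVOL-like tree."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    gpo = os.path.join(root, "Policies", "{GPO-GUID}", "Machine", "Preferences")
    for sub, body in (("Groups", SAMPLE_GROUPS), ("Drives", SAMPLE_DRIVES)):
        os.makedirs(os.path.join(gpo, sub))
        with open(os.path.join(gpo, sub, sub + ".xml"), "w") as f:
            f.write(body)
    return root

if __name__ == "__main__":
    for path, tag, account in find_cpassword(build_sample_sysvol()):
        print(f"cpassword present: {path} [{tag}] account={account}")
```

Pointing `find_cpassword` at a domain controller’s SYSVOL share turns up every preference item that still embeds a password, so the affected GPOs can be cleaned up and the accounts rotated.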
“Mandiant has observed the group widely using scheduled tasks, run keys, malicious certificates, and in-memory backdoors, in some cases multiple per system. The use of these techniques and tools represents the multiple means by which APT29 attempts to maintain access within an environment,” the researchers note.
The purpose of these attacks, Mandiant believes, is to establish “multiple means of long-term access” to target environments, and to collect diplomatic and foreign policy information from various government entities worldwide.