Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Russian Spies Lure Targets With NATO Cybersecurity Conference

A cyber espionage group linked to Russia has been trying to deliver malware to targeted individuals using documents referencing a NATO cybersecurity conference, Cisco’s Talos research team reported on Monday.

A cyber espionage group linked to Russia has been trying to deliver malware to targeted individuals using documents referencing a NATO cybersecurity conference, Cisco’s Talos research team reported on Monday.

The attack has been linked to the notorious threat actor known as APT28, Pawn Storm, Fancy Bear, Sofacy, Group 74, Sednit, Tsar Team and Strontium.

The campaign was apparently aimed at individuals interested in the CyCon U.S. conference organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in collaboration with the Army Cyber Institute at West Point on November 7-8 in Washington, D.C. The hackers created malicious documents with information that was copied from the official CyCon U.S. website.

The topic used as bait in this attack suggests that the threat actor targeted individuals with an interest in cyber security.

APT28 has been known to use zero-day exploits in its operations and, earlier this month, researchers noticed that the hackers had started leveraging a Flash Player vulnerability that Adobe had patched just two days prior. However, in the campaign analyzed by Cisco Talos, the attackers did not use any zero-days.

Instead, they relied on Office documents containing a VBA script. The goal was to deliver Seduploader, a piece of malware which has been used by the threat actor in other NATO-related attacks as well.

“In the previous campaign where adversaries used Office document exploits as an infection vector, the payload was executed in the Office word process. In this campaign, adversaries did not use any exploit. Instead, the payload is executed in standalone mode by rundll32.exe,” researchers explained.

Seduploader is a reconnaissance malware capable of capturing screenshots, collecting and exfiltrating information about the system, executing code, and downloading files. The variant used in these attacks is slightly different compared to previously known samples, which is likely an attempt to evade detection.

Advertisement. Scroll to continue reading.

The CCDCOE published an alert on its website on Monday to warn people interested in the CyCon conference about the attack.

“This is clearly an attempt to exploit the credibility of Army Cyber Institute and NATO CCDCOE in order to target high-ranking officials and experts of cyber security,” the organization said.

APT28 is not the only threat actor to use cyber security conferences as a lure in their operations. Last year, Palo Alto Networks reported that a China-linked espionage group known as Lotus Blossom, Elise and Esile had used fake invitations to the company’s Cybersecurity Summit to trick users into installing malware.

Related: Attribution Hell – Cyberspies Hacking Other Cyberspies

Related: Russian Cyberspies Target Hotels in Europe

Related: Tech Firms Target Domains Used by Russia-linked Threat Group

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Jared Bartel has been named CISO at Idaho State University.

Automated phishing protection and scam prevention company Bolster has appointed Rod Schultz as CEO.

Bugcrowd has appointed Trey Ford as CISO for the Americas.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.