Security researchers have uncovered a new cyber-espionage campaign by the Russian threat actor APT29 [4], also known as Cozy Bear or Nobelium [4].


The group, believed to be part of Russia’s Foreign Intelligence Service (SVR) [4], has historically targeted diplomatic entities but has recently shifted its focus to phishing campaigns against Western political parties [4]. In February 2024 [1] [4], APT29 targeted German political parties with emails spoofed to appear as if sent by the Christian Democratic Union (CDU) party [4], aiming to infiltrate networks and steal data [2] [5]. The emails contained malicious attachments delivering a new backdoor variant called “Wineloader,” which is consistent with other APT29 malware families [4]. This marks the first time this APT29 cluster has targeted political parties [3], indicating a shift in operational focus away from diplomatic missions [3].

Beyond Germany [1], the campaign has targeted political entities in other countries, including the Czech Republic [1], India [1], Italy [1], Latvia [1], and Peru [1]. APT29’s operations are highly adaptive and are likely to target other Western political parties in the future [4], reflecting the SVR’s interest in geopolitical intelligence and its broader war effort, particularly in light of the ongoing conflict with Ukraine and Western Europe’s support for Ukraine [1].

Germany’s cybersecurity agency and Google’s Mandiant cyber unit detected the attack [2] [5], which aimed to establish long-term access and exfiltrate data [2] [5]. The German alert did not name the responsible party, but it referred to state-backed cyber spies targeting German political parties ahead of the upcoming European elections [2]. The targeting aligns with Russia’s efforts to undermine European support for Ukraine in its conflict with Kyiv [2]. Germany [1] [2] [3] [4] [5], a supporter of Ukraine in its war with Russia [2], has strained relations with Moscow [2]. The incident occurred one year after Germany expelled 50 Russian diplomats to reduce Russia’s intelligence presence in the country [5].


The cyber-espionage campaign by APT29 targeting Western political parties, including those in Germany, highlights the evolving tactics of state-backed actors in the digital realm. The detection of such attacks underscores the importance of robust cybersecurity measures and international cooperation to mitigate threats. The ongoing conflict with Ukraine and geopolitical tensions in Europe suggest that similar attacks may continue in the future, emphasizing the need for vigilance and proactive defense strategies.


[1] https://www.techradar.com/pro/security/notorious-russian-hackers-target-government-officials-with-fake-dinner-party-invites
[2] https://www.aol.com/news/elite-russian-hackers-targeting-german-161818715.html
[3] https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties
[4] https://www.infosecurity-magazine.com/news/russian-cozy-bear-group-targets/
[5] https://finance.yahoo.com/news/1-elite-russian-hackers-targeting-164213971.html