Ukrainian security researchers have discovered a significant cyber-espionage campaign conducted by APT29 [2], also known as Cozy Bear or Nobelium [1] [2]. The campaign targeted embassies and international institutions, including those of Azerbaijan, Greece [1] [2], Romania [1] [2] and Italy [1] [2], as well as the World Bank [1] [2] and the European Commission [1] [2]. The Ukrainian National Security and Defense Council (NSDC) suggests that the motive behind these attacks may be to gather intelligence on Azerbaijan’s military strategy [1] [2], particularly regarding the Nagorno-Karabakh conflict [1].

Description

The campaign began with a spear-phishing email carrying a malicious RAR attachment [1]. The attachment exploited a vulnerability (CVE-2023-3883) to execute arbitrary code on the victim's machine [1]. The attackers used Ngrok to expose their payload server [1], which hid the server's real location and made defense and attribution more difficult [1]. Notably, the same vulnerability has previously been exploited by the Russian Sednit APT group (APT28). The countries targeted in this campaign have significant political and economic ties with Azerbaijan [2].

Conclusion

The impact of this cyber-espionage campaign is significant, as it targeted key diplomatic and international institutions. Mitigating attacks of this kind requires both robust defensive controls and the ability to attribute activity even when the attacker's infrastructure is hidden behind tunneling services. The discovery of this campaign also raises concerns about what may follow and underlines the need for stronger cybersecurity measures.

References

[1] https://www.infosecurity-magazine.com/news/russias-apt29-embassies-ngrok/
[2] https://osintcorp.net/russias-apt29-targets-embassies-with-ngrok-and-winrar-exploit/