Foreign diplomatic missions in NATO member states, the European Union, and Africa have recently come under cyber attack. The well-known group APT29, also tracked as Cozy Bear, has been identified as the actor behind these intrusions.
The tooling and tradecraft used in these attacks have been linked to Nobelium, the name under which Microsoft tracks the same group, which gained notoriety for the SolarWinds supply-chain compromise disclosed in 2020.
Cozy Bear’s evolving techniques in cyber espionage
The operations of Nobelium are believed to be orchestrated by Russia’s Foreign Intelligence Service (SVR). The latest campaign indicates that the hacking group is consistently refining its cyber arsenal to better infiltrate targeted systems for the purpose of intelligence gathering.
In a joint advisory, Poland's Military Counterintelligence Service (SKW) and CERT Polska (CERT.PL) noted that the actor introduced new tools either alongside existing ones or as replacements for tools that had become less effective, which allowed it to maintain a high operational tempo.
The initial stage of the attacks consists of spear-phishing emails masquerading as correspondence from European embassies. These emails seek to lure diplomats into opening attachments disguised as invitations or meeting agendas. The PDF attachments themselves carry no executable code; they contain links that lead the victim to a malicious HTML page, the HTML smuggling dropper known as EnvyScout (or ROOTSAW), which writes the next stage to disk from within the browser. This dropper then delivers three previously undocumented malware families: SNOWYAMBER, HALFRIG, and QUARTERRIG.
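Because the PDF lure is only a carrier for a link, triage of such attachments starts by pulling every URI action out of the file and checking where it points. The following script is an added example written for this article, not code from the advisory or from any of the tools it names. It extracts /URI entries from both the raw file and any FlateDecode-compressed streams (where compressed object streams would otherwise hide the annotation from a plain grep), decodes PDF literal and hex strings, and flags links whose host is not on an allowlist. The sample PDF and the allowed host "example.org" are constructed for the demonstration.

```python
import re
import zlib
from urllib.parse import urlparse

# /URI followed by a literal string (...) or a hex string <...>
URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.DOTALL
)
# Body of any stream object; compressed object streams hide link annotations
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _decode_literal(raw: bytes) -> bytes:
    """Undo PDF literal-string escapes: \\n \\r \\t \\b \\f \\( \\) \\\\ and \\ddd octal."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C:  # not a backslash: copy as-is
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(raw):
            break
        e = raw[i]
        if e in b"01234567":  # octal escape, up to three digits
            j = i
            while j < len(raw) and j < i + 3 and raw[j] in b"01234567":
                j += 1
            out.append(int(raw[i:j], 8) & 0xFF)
            i = j
        else:
            out.append({0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09, 0x62: 0x08, 0x66: 0x0C}.get(e, e))
            i += 1
    return bytes(out)


def _segments(pdf: bytes):
    """Yield the raw file, then the inflated body of every stream that parses as zlib data."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates trailing bytes the regex may have included
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not FlateDecode (or damaged); the raw bytes were scanned anyway


def extract_uris(pdf: bytes) -> set:
    """Return every /URI target found in the file, decoded to str."""
    found = set()
    for seg in _segments(pdf):
        for m in URI_RE.finditer(seg):
            if m.group("lit") is not None:
                raw = _decode_literal(m.group("lit"))
            else:
                h = re.sub(rb"\s", b"", m.group("hex"))
                if len(h) % 2:  # PDF pads an odd-length hex string with a trailing 0
                    h += b"0"
                raw = bytes.fromhex(h.decode("ascii"))
            found.add(raw.decode("utf-8", "replace"))
    return found


def flag_external(uris, allowed_hosts) -> set:
    """Return http(s) links whose host is not in the allowlist (case-insensitive)."""
    allowed = {h.lower() for h in allowed_hosts}
    return {
        u for u in uris
        if urlparse(u).scheme in ("http", "https")
        and (urlparse(u).hostname or "").lower() not in allowed
    }


def build_sample_pdf() -> bytes:
    """Constructed sample, not a real lure: one literal /URI with escaped parentheses,
    one hex-string /URI, and one /URI hidden inside a FlateDecode stream."""
    inner = b"<< /Type /Action /S /URI /URI (https://example.net/invite.html) >>"
    comp = zlib.compress(inner)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (https://example.org/agenda\\(1\\).pdf) >> >> endobj\n"
        b"2 0 obj << /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >> stream\n"
        + comp + b"\nendstream endobj\n"
        b"3 0 obj << /A << /S /URI /URI <68747470733a2f2f6578616d706c652e636f6d2f78> >> >> endobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    uris = extract_uris(build_sample_pdf())
    for u in sorted(uris):
        print(u)
    print("flagged:", sorted(flag_external(uris, {"example.org"})))
```

On real samples, run it over the quarantined attachment rather than opening it, and treat any flagged host as the pivot for further analysis: the page the link lands on, not the PDF, is where the dropper lives. The regex approach deliberately avoids a full PDF parser so it also works on malformed files that a strict parser rejects; it will not see URIs inside streams using filters other than FlateDecode.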
SNOWYAMBER, which Recorded Future tracks as GraphicalNeutrino, uses the Notion note-taking service for command-and-control (C2), blending its traffic with legitimate use of the service, and downloads additional payloads such as Brute Ratel. QUARTERRIG acts as a downloader, retrieving executables from attacker-controlled servers. HALFRIG serves as a loader, launching the Cobalt Strike post-exploitation toolkit.
The disclosure corroborates BlackBerry's earlier findings of a Nobelium campaign targeting European Union countries, in particular those supporting the Ukrainian government and aiding Ukrainian refugees.