Kremlin-backed hackers blamed in recent phishing attempts on EU agencies

A Russian state-backed hacker group known as Nobelium is behind recent attempted cyberattacks on diplomatic entities and government agencies in the European Union, cybersecurity researchers say.

In a campaign identified in early March, the hackers sent phishing emails with content related to diplomatic relations between Poland and the U.S., according to a report by cybersecurity firm BlackBerry. The emphasis was on targeting entities that are “aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine,” the researchers said.

In particular, Nobelium — also commonly known as APT29 or Cozy Bear — sent phishing emails with the alleged 2023 schedule for the Polish ambassador to the U.S. The emails carried EnvyScout malware, which allows attackers to drop malicious files on a computer, BlackBerry said.

"The threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection," the researchers said.

Nobelium is a well-funded group controlled by the Russian Foreign Intelligence Service (SVR), which collects intelligence outside Russia, including electronic surveillance. The hackers have been linked to several high-profile incidents, including the SolarWinds supply chain attack in 2020, which affected thousands of organizations globally and led to a series of data breaches.

During the war in Ukraine, Nobelium has carried out cyberattacks against the Ukrainian military and its political parties, as well as international governments, think tanks and nonprofit organizations, according to Ukraine’s state security service.

Stealthy and patient

Apart from using the fake schedule of the ambassador to deceive victims, the hackers also developed bogus websites for LegisWrite and eTrustEx, which European Union nations use for secure data transfer and information exchange.

Nobelium may not have advanced phishing tactics, according to the researchers, but the hackers are agile and efficient once they gain access to a network. The main goal is to exfiltrate data, BlackBerry said.

The group’s operators are also known “to be stealthy, extremely patient, and skilled in utilizing innovative intrusion techniques that abuse Microsoft technologies and services,” the researchers said.

In previous campaigns, Nobelium hackers used compromised command-and-control communication servers hosted in the Microsoft Azure cloud infrastructure to make their malicious activity look legitimate.

This time, Russian hackers used the note-taking app Notion’s application programming interface (API) to communicate with a compromised system, according to BlackBerry. The group also used Notion during a campaign in November.