Kremlin-backed hackers blamed in spying campaign on EU and NATO diplomatic agencies

Russian state-affiliated hackers have launched a spying campaign targeting foreign ministries and diplomatic entities in NATO countries, the European Union, and, “to a lesser extent,” Africa, Poland’s top cybersecurity agency said.

The campaign is linked to the Kremlin-backed hacking group Nobelium, also known as APT29 or BlueBravo, CERT.PL said in a report published Thursday with the country's Military Counterintelligence Service.

Nobelium is responsible for several high-profile incidents, including the SolarWinds supply chain attack in 2020 that affected thousands of organizations globally and led to a series of data breaches.

During the war in Ukraine, Nobelium has carried out cyberattacks against the Ukrainian military and its political parties, as well as international governments, think tanks and nonprofit organizations.

New espionage campaign

In the latest campaign, the Russia-affiliated spies sent phishing emails impersonating the embassies of European countries to specific personnel, usually including a malicious link either in the body of the message or an attached PDF inviting the target diplomat to access the ambassador's calendar.

The link led to a compromised website that contained the hackers’ signature script EnvyScout, which allowed them to drop malicious files on a targeted computer.

The hackers went to great lengths to try to remain undetected until their victim downloaded an infected file. For example, they used JavaScript to decode the infected file when the webpage is opened. Then, they displayed a message on the website to trick the victim into thinking they downloaded the right file.

In its previous attacks, Nobelium has mostly used .zip or .iso files to deliver the malware. In a recent attack, the group also used .img files. When users open .iso or .img files on a Windows computer, they show up like regular files and the computer doesn't warn users that they downloaded these files from the internet — this makes it easier for the malware to spread, the report said.

Although Nobelium is closely tracked by researchers, CERT.PL said the hackers employed tools and software that hadn’t been previously reported on.

SnowyAmber malware was first used in October 2022, abusing the Notion note-taking web application service to communicate and download further malicious files. The hackers modified it for the new campaign to make it more difficult to detect and analyze.

Halfrig malware, used for the first time in February 2023, contains the CobaltStrike payload and runs it automatically. It shares code similarities with another novel tool used during this campaign – Quarterrig.

Some elements of the attack have been used by Nobelium in previous campaigns. According to the report, the group prefers to use vulnerable websites belonging to random entities.

Additionally, many of the emails that were obtained and used in this campaign bear resemblance to ones detected in earlier attacks, where the hackers sent phishing emails containing information about diplomatic ties between Poland and the U.S. as well as the Israeli embassy.

Nobelium’s operations have been previously attributed to Russia’s Foreign Intelligence Service (SVR), an organization responsible for foreign espionage, active measures, and electronic surveillance, according to research from Recorded Future. The Record is an editorially independent unit of Recorded Future.

Russian hacking groups, including Sandworm, Gamaredon and InvisiMole, often conduct cyber espionage operations to help plan Moscow’s war efforts. In March, Poland dismantled a Russian espionage network that had been covertly filming transport infrastructure used for aid delivery to Ukraine. In January, Slovenia arrested two individuals accused of spying for Russia, and Austria expelled four Russian diplomats for engaging in activities deemed inappropriate for their diplomatic status.

On Thursday, Norway expelled more than a dozen Russian spies who had been operating in the country under diplomatic guise.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.