PDF lures aimed at NATO countries contain a Russian clue

The latest attempts by hackers to spy on government agencies in NATO countries include a variant of the Russia-linked Duke malware, according to new research.

A recent campaign targeted the foreign ministries of NATO-aligned governments with two malicious PDF files, according to a report from Dutch cybersecurity firm EclecticIQ.

One of the PDFs delivered a variant of Duke, malware that has been linked to Russian state-sponsored cyber-espionage activities of APT29, also known as Nobelium, Cozy Bear and The Dukes.

The other file was likely used for testing or reconnaissance, as it did not contain a payload but did notify the threat actor if a victim opened the email attachment.

The PDFs, camouflaged as diplomatic invitations from a German embassy, appear to be part of a wider campaign targeting diplomatic corps across the globe, the researchers said. The report does not directly attribute the German embassy lures to APT29, but does note some details in the operation that other researchers have spotted in that group’s campaigns.

The email address in the malicious PDF refers to a genuine web domain, bahamas.gov.bs. In a report from mid-July, cybersecurity firm Lab52 noticed that this same domain was used by hackers impersonating the Norwegian embassy to target diplomatic entities with invitation lures.

The EclecticIQ researchers have "high confidence" that the PDF files pretending to be from the German embassy were likely produced by the same threat actor.

Moscow's cyber espionage in Europe has escalated since the start of the war in Ukraine. The countries closest to Kyiv, like Poland, Lithuania, and Latvia, are experiencing the greatest impact.

APT29 is known for exploiting legitimate web services, like Microsoft OneDrive and Notion, for malware command and control (C2). In this recent campaign, the attackers used the Zulip app for C2, according to EclecticIQ.

Zulip is an open-source chat application that uses Amazon Web Services to receive and send chat messages. The hackers used its API features to evade and hide its activities behind legitimate web traffic.

APT29 is thought to be directed by Russia's Foreign Intelligence Service (SVR), which gathers political and economic information from other countries.

The hacking group’s primary targets are governments, political organizations, research firms, and critical industries such as energy, healthcare, education, finance and technology in the U.S. and Europe.

During the war in Ukraine, APT29 has carried out cyberattacks against the Ukrainian military and its political parties, as well as diplomatic agencies, think tanks and nonprofit organizations.