NOBELIUM, also known as APT29, is a Russian state-sponsored threat actor targeting Western countries, specifically focusing on diplomatic entities and systems in the European Union. In a recent campaign, BlackBerry researchers observed the group targeting systems that transmit sensitive information about regional politics, aid to Ukrainian citizens, and support for the Ukrainian government.
APT29 is attributed to the Russian government's Foreign Intelligence Service (SVR), known for its stealthy, patient approach and innovative intrusion techniques. The group gained notoriety after the SolarWinds supply chain attack in December 2020. The new NOBELIUM campaign targets individuals interested in Poland's Ministry of Foreign Affairs and abuses LegisWrite, a secure document exchange system used within the EU.
The attack vector for this campaign is a targeted phishing email containing a weaponized document, leading to the download of an HTML file hosted on a compromised legitimate online library website. The malicious HTML file contains a version of NOBELIUM's dropper, known as ROOTSAW or EnvyScout. The malware uses Notion's API for command-and-control (C2) communication, masking its traffic as benign.
NOBELIUM's campaign appears to target Western countries, particularly those in Western Europe that provide support to Ukraine, using geopolitical events to increase the likelihood of successful infection. The group employs compromised legitimate network infrastructure and web servers to bypass basic network security mechanisms. However, an actionable threat intelligence model with countermeasure rules can help detect malicious traffic between internal networks and the threat actor's infrastructure.
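One concrete form such a countermeasure rule can take is a check over outbound proxy logs for hosts that reach Notion's API without being sanctioned Notion users and that do so at machine-regular intervals. This is an added example, not code from the BlackBerry report; the log lines are constructed, and the log format, the allowlist and the jitter threshold are assumptions.

```python
"""Flag hosts reaching Notion's API that are not sanctioned users and beacon regularly.

Added example, not part of the BlackBerry report: the log lines below are
constructed, and the allowlist and interval thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed proxy log lines: timestamp, source host, destination host, process.
SAMPLE_LOG = """\
2023-03-01T10:00:00 ws-legal-01 api.notion.com notion.exe
2023-03-01T10:00:05 ws-fin-07 api.notion.com rundll32.exe
2023-03-01T10:01:05 ws-fin-07 api.notion.com rundll32.exe
2023-03-01T10:02:04 ws-fin-07 api.notion.com rundll32.exe
2023-03-01T10:03:06 ws-fin-07 api.notion.com rundll32.exe
2023-03-01T10:04:00 ws-legal-01 example.com chrome.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Assumption: only these (host, process) pairs are expected to talk to the Notion API.
SANCTIONED = {("ws-legal-01", "notion.exe")}


def parse_log(text):
    """Yield (timestamp, src_host, dst_host, process) tuples from the log text."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, proc = m.groups()
            yield datetime.fromisoformat(ts), src, dst, proc


def find_suspect_notion_c2(text, min_hits=3, max_jitter=15.0):
    """Return {(host, process): hit_count} for unsanctioned, regular Notion API callers."""
    times = defaultdict(list)
    for ts, src, dst, proc in parse_log(text):
        is_notion = dst == "api.notion.com" or dst.endswith(".notion.com")
        if is_notion and (src, proc) not in SANCTIONED:
            times[(src, proc)].append(ts)
    suspects = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Low jitter between requests suggests a beacon, not a person clicking around.
        if len(stamps) >= min_hits and pstdev(gaps) <= max_jitter:
            suspects[key] = len(stamps)
    return suspects
```

A hit is a lead for triage, not a verdict: confirm the process, its parent, and the bearer token in use before acting on it.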