Russian APT Hackers Increasingly Attacking NATO Allies in Europe

The emails contain malicious documents disguised as calendar invites or a meeting agenda.


According to the Polish CERT and Poland's Military Counterintelligence Service, an ongoing cyberespionage campaign linked to a Russian nation-state actor is targeting European government agencies and diplomats in order to collect Western government intelligence on the war in Ukraine. According to a Thursday advisory from the two agencies, the campaign, linked to the Russian APT group Nobelium, is targeting government agencies and diplomats involved with NATO and the European Union, and to a lesser extent African states. Per the Polish authorities, the hackers are targeting victims with spear-phishing emails that appear to come from European embassies, inviting them to a meeting or event at one of the embassies.

The emails contain malicious documents masquerading as calendar invites or meeting agendas. When victims open these files, they are redirected to a compromised website hosting Nobelium's signature malware dropper, dubbed EnvyScout, which delivers malicious .img or .iso files to the victim's machine.

Nobelium previously employed malware concealed in .zip or .iso files, but in the latest operation the attackers additionally use .img files, which lack the Mark of the Web feature, a security mechanism designed to prevent people from downloading harmful files. The malware therefore launches without warning the user.

Once executed, the malware loads additional tools previously connected with Nobelium, such as the command-and-control tool SnowyAmber and the malware downloader QuarterRig, which then exfiltrate the victim's IP address and other system information.

According to the Polish CERT, the hackers analyse this information to identify potential targets and to determine whether the victim has any antivirus or malware detection tools enabled.

The Polish CERT stated that, in addition to European government institutions and personnel, European nongovernmental organisations are also exposed to a Nobelium attack. To defend against it, the agency suggests restricting the ability to mount disk-image files and enabling software restrictions that prevent unprompted file execution.
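The two mitigations above (checking Mark of the Web on downloaded disk images and restricting disk-image mounting) can be applied from PowerShell. The script below is an added example written for this post, not code from the advisory, from CERT Polska or from BlackBerry. It assumes Windows 10/11 with Windows PowerShell 5.1 or later, that the `Zone.Identifier` alternate data stream is where Windows stores the Mark of the Web, and that `Windows.IsoFile` / `Windows.VhdFile` are the ProgIDs Explorer uses for the .iso/.img and .vhd double-click "Mount" action (verify the association on your own build before relying on it). The hardening function must run in an elevated session.

```powershell
# Added example (not from the article): audit Mark of the Web on downloaded
# disk images and optionally remove Explorer's "Mount" verb for them.

function Get-MotWStatus {
    param([Parameter(Mandatory)][string]$Path)
    $file = Get-Item -LiteralPath $Path
    # Zone.Identifier is the alternate data stream Windows writes to files
    # saved from a browser or mail client; ZoneId=3 means "Internet".
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($null -eq $stream) {
        return [pscustomobject]@{ File = $file.FullName; HasMotW = $false; ZoneId = $null }
    }
    $zoneLine = Get-Content -LiteralPath $Path -Stream Zone.Identifier |
        Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    $zoneId = if ($zoneLine) { [int]($zoneLine -replace '^ZoneId=', '') } else { $null }
    [pscustomobject]@{ File = $file.FullName; HasMotW = $true; ZoneId = $zoneId }
}

# Audit: disk images in Downloads that carry no Mark of the Web are the ones
# Windows will open without a SmartScreen or Protected View prompt. Note that
# even when the .iso/.img container is tagged, files inside a mounted image
# did not inherit the tag on builds before Microsoft's late-2022 change.
function Find-UntaggedDiskImages {
    param([string]$Folder = "$env:USERPROFILE\Downloads")
    Get-ChildItem -LiteralPath $Folder -Recurse -Include *.iso, *.img -File |
        ForEach-Object { Get-MotWStatus -Path $_.FullName } |
        Where-Object { -not $_.HasMotW }
}

# Hardening: remove the double-click "Mount" action so a phished user cannot
# open a delivered disk image by accident. Each key is exported to %TEMP%
# first so the change can be reverted with `reg import`.
# Assumption: Windows.IsoFile covers .iso/.img and Windows.VhdFile covers .vhd.
function Disable-DiskImageMount {
    if (-not (Test-Path 'HKCR:\')) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    foreach ($progId in 'Windows.IsoFile', 'Windows.VhdFile') {
        $key = "HKCR:\$progId\shell\mount"
        if (Test-Path $key) {
            reg export "HKEY_CLASSES_ROOT\$progId\shell\mount" "$env:TEMP\$progId-mount.reg" /y | Out-Null
            Remove-Item -Path $key -Recurse
            Write-Output "Removed mount verb for $progId (backup in $env:TEMP\$progId-mount.reg)"
        }
    }
}

# Usage:
#   Find-UntaggedDiskImages | Format-Table File, HasMotW, ZoneId
#   Disable-DiskImageMount    # elevated session
```

Removing the mount verb only blocks the Explorer double-click path; `Mount-DiskImage` and other programmatic routes still work, so pair it with the software restriction policy the advisory recommends, and consider blocking .iso/.img attachments at the mail gateway.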

According to a recent BlackBerry Research and Intelligence report, the campaign has been active since early March and targets victims with outdated network equipment. BlackBerry believes the effort was likely begun by Russian hackers during the February visit of Polish Ambassador Marek Magierowski to the United States.

"We believe the target of Nobelium's campaign is Western countries, especially those in Western Europe, which provide help to Ukraine," BlackBerry researchers wrote.

Nobelium, also known as APT29 and CozyBear, is one of a few Russian cyber-operations groups working against Ukraine and its allies. Researchers suspect the group was also responsible for the SolarWinds supply chain hack, which was detected in December 2020.


