Greetings from Moscow: The Russia-based APT29 threat group, also known as “Cozy Bear”, “Midnight Blizzard”, “Nobelium” or “The Dukes”, is said to have attacked prominent German politicians and parties with new malware. This emerges from an analysis by the IT security company Mandiant, which has been part of Google since 2022. The attack was carried out via phishing emails sent at the end of February that purported to invite recipients to a CDU dinner on March 1st. Links in the emails led victims to a compromised website. That site hosted the executable Rootsaw, which acted as a so-called malware dropper and attempted to install a backdoor named Wineloader.
“To participate in the event, please fill out a questionnaire and send it via email in the next few days,” the fraudulent email said in German, according to a screenshot Mandiant included in a blog post about the investigation. A closer reading, however, reveals some awkward wording. The dinner was supposedly being organized by a “regional representative office” of the party, which would “help at 7 p.m.” on the day of the event.
First, recipients were asked to fill out a questionnaire; invitations would then be “sent at the appropriate time,” the email said. In a second message, the Rootsaw downloader, which was first publicly documented in spring 2023, abruptly set the start time at 6:30 p.m. and specified a “business smart” dress code. The location, it said, was “still being clarified.”
CDU dinner fictitious
It is not known how many invitees clicked on the malicious links. The CDU confirmed to Spiegel that it had already been informed of the incident. The event mentioned in the email is fictitious: “There was no official CDU dinner on March 1st.” According to Spiegel, the Office for the Protection of the Constitution and the BSI are already working on the case. The aim of the attacks was to steal data from infected computers.
According to Mandiant, the malware shares characteristics with known APT29 malware families, which points to a common developer. Western observers consider the group to be controlled by the Russian foreign intelligence service SVR. APT29 has been linked to devastating cyber breaches at SolarWinds, HPE and Microsoft, among others. The group is also said to be responsible for cyberattacks on Democratic Party servers before the 2016 US election, on Western ministries and embassies, and on coronavirus vaccine development laboratories.
Warning of extensive Russian cyber operations
According to Mandiant, the Wineloader backdoor, which has only been on the radar of Western experts since January, is probably a variant of the Burntbatter, Muskybeat and Beatdrop malware families. Those families have so far been attributed solely to APT29, both in how they attack systems and in how they are protected against analysis. Wineloader, however, is much easier to use, which makes the related malware operations “highly adaptable”.
The new malware is also said to have been used in campaigns against diplomatic entities in the Czech Republic, India, Italy, Latvia and Peru at the end of January. In a case documented by Hackernews, links embedded in PDFs were used to lure visitors to websites serving Wineloader. In the current case, the links were included directly in the emails.
Given Russia's geopolitical interests, the researchers assume a broad threat to European and Western political parties, civil society organizations and companies. In addition to phishing, the attackers could also try to circumvent cloud-based authentication mechanisms. The uncovered attack is “part of Russia's broader effort” to undermine European support for Ukraine, says Mandiant analyst Dan Black. His colleague John Hultquist sees “no reason to believe that these activities are limited to a particular party or country.” The SVR has always had the task of helping the Kremlin understand and predict Western politics.
(NO)