"Russian Cyberspies Abuse EU Information Exchange Systems in Government Attacks"

Security researchers at BlackBerry have observed Russia-linked cyberespionage group APT29 abusing two legitimate information exchange systems used by European countries. APT29 is a Russian advanced persistent threat (APT) actor mainly focused on cyber espionage. The group, believed to be sponsored by the Russian Foreign Intelligence Service (SVR), is also tracked as Cozy Bear, the Dukes, Nobelium, and Yttrium.

The researchers stated that as part of a recently observed campaign aimed at EU governments, the group was seen sending phishing emails with a malicious document attached, using the Polish Foreign Minister's recent visit to the US as a lure. Another lure abuses multiple legitimate systems, including LegisWrite and eTrustEx, two official services used for information and data sharing among the governments of European countries. The researchers noted that LegisWrite is an editing program that allows secure document creation, revision, and exchange between governments within the European Union. The researchers stated that the use of LegisWrite in the malicious lure indicates that the threat actor behind it is specifically targeting state organizations within the European Union.

The malicious document includes a link leading to an HTML file hosted on a compromised online library website based in El Salvador. The file is APT29's malicious dropper, named RootSaw and EnvyScout, which relies on HTML smuggling to deploy an IMG or ISO file on the victim's system. The researchers noted that in this campaign, an ISO file was dropped from the compromised domain. The image contains two files: a shortcut (.lnk) file that runs specified command-line arguments, and a DLL library. When run, the DLL achieves persistence via a newly created registry key and proceeds to collect information about the target system and send it to its command-and-control (C&C) server.

The researchers noted that APT29 abuses the API of a commonly used note-taking application called Notion for C&C, which allows it to disguise its traffic as benign. According to BlackBerry, the APT removed all metadata from the link file to avoid leaking any information about the systems used in its operations.
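The chain described above (an ISO dropped by HTML smuggling, a .lnk inside it launching a DLL, a registry run key for persistence, and C&C traffic hidden in Notion API calls) gives a defender several correlation points. The script below is an added example, not code from BlackBerry, SecurityWeek or the report they summarize: it runs three simple rules over a few constructed endpoint-telemetry events and reports which hosts hit more than one of them. The event field names, the sample events, the allowlist of processes expected to talk to Notion, the choice of `rundll32.exe`/`regsvr32.exe` as the DLL loader, and the use of `api.notion.com` as the C&C destination are all assumptions for the example; the article names none of these specifics.

```python
"""Toy correlation of the ISO -> LNK -> DLL -> run-key -> Notion-API chain.

Added example. Field names, sample events, the DLL_LOADERS set and the
NOTION_API_HOST value are assumptions made for this illustration.
"""
import re
from collections import defaultdict

# Constructed endpoint telemetry; ws01 shows the chain, ws02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "kind": "mount", "path": "E:\\",
     "source": "C:\\Users\\a\\Downloads\\Invitation.iso"},
    {"host": "ws01", "ts": 101, "kind": "process", "image": "C:\\Windows\\explorer.exe",
     "cmdline": 'explorer.exe "E:\\Invitation.lnk"'},
    {"host": "ws01", "ts": 102, "kind": "process", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe E:\\AppxUpdate.dll,Start"},
    {"host": "ws01", "ts": 103, "kind": "registry", "image": "C:\\Windows\\System32\\rundll32.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"host": "ws01", "ts": 110, "kind": "network", "image": "C:\\Windows\\System32\\rundll32.exe",
     "dest": "api.notion.com"},
    {"host": "ws02", "ts": 200, "kind": "network", "image": "C:\\Program Files\\Notion\\Notion.exe",
     "dest": "api.notion.com"},
    {"host": "ws02", "ts": 201, "kind": "registry", "image": "C:\\Program Files\\Vendor\\setup.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
IMAGE_EXT = (".iso", ".img")
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}          # assumed DLL launch method
NOTION_ALLOWED = {"notion.exe", "chrome.exe", "msedge.exe", "firefox.exe"}  # constructed allowlist
NOTION_API_HOST = "api.notion.com"                       # assumed C&C destination


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def image_mounts(events):
    """Set of (host, drive prefix) for every mount of an ISO/IMG file."""
    return {(e["host"], e["path"].upper()) for e in events
            if e["kind"] == "mount" and e["source"].lower().endswith(IMAGE_EXT)}


def rule_dll_from_mounted_image(events, mounts):
    """A DLL loader whose command line points into a mounted image drive."""
    hits = set()
    for e in events:
        if e["kind"] != "process" or basename(e["image"]) not in DLL_LOADERS:
            continue
        if any(h == e["host"] and drv in e["cmdline"].upper() for h, drv in mounts):
            hits.add(e["host"])
    return hits


def rule_run_key_by_loader(events):
    """A Run key written by a DLL loader rather than by an installer."""
    return {e["host"] for e in events
            if e["kind"] == "registry" and RUN_KEY.search(e["key"])
            and basename(e["image"]) in DLL_LOADERS}


def rule_notion_from_unexpected_process(events):
    """Traffic to the Notion API from a process that has no business using it."""
    return {e["host"] for e in events
            if e["kind"] == "network" and e["dest"].lower() == NOTION_API_HOST
            and basename(e["image"]) not in NOTION_ALLOWED}


def detect(events):
    """Map host -> sorted names of the rules it triggered (hosts with no hits are omitted)."""
    mounts = image_mounts(events)
    findings = defaultdict(list)
    for name, hosts in (
        ("dll_from_mounted_image", rule_dll_from_mounted_image(events, mounts)),
        ("run_key_by_loader", rule_run_key_by_loader(events)),
        ("notion_api_from_unexpected_process", rule_notion_from_unexpected_process(events)),
    ):
        for h in hosts:
            findings[h].append(name)
    return {h: sorted(r) for h, r in findings.items()}


if __name__ == "__main__":
    for host, rules in detect(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

Each rule alone is noisy (installers write Run keys, users mount ISOs), which is why the result is reported per host: a workstation that mounts an image, loads a DLL from it, persists through a Run key and then reaches the Notion API from that same loader is far more interesting than any one of those events on its own.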


SecurityWeek reports: "Russian Cyberspies Abuse EU Information Exchange Systems in Government Attacks"