Slovak security firms ESET and IstroSec reported this week that a Russian cyber-espionage group affiliated with one of Russia's intelligence agencies has been targeting the Slovak government for months.
The attacks were attributed to a group known as the Dukes, Nobelium, or APT29, which cyber-security authorities from the US and other nations formally linked to the Russian Foreign Intelligence Service (SVR) earlier this year, following the attack on software company SolarWinds.
SVR operators sent emails to Slovak diplomats while impersonating the Slovak National Security Authority (NBU). The attached documents, generally delivered as ISO image files, would download and install a Cobalt Strike backdoor on infected PCs.
In a talk at this year's Def Con security conference, IstroSec researchers detailed how they discovered the SVR command-and-control servers used in these attacks. According to the IstroSec team, some of the SVR C&C servers also hosted documents that appeared to target Czech government officials. ESET confirmed the attacks earlier today, along with the group's recent campaign targeting diplomats in more than 13 European nations.
According to ESET, all of the attacks appeared to use the same technique (email -> ISO disc image -> LNK shortcut file -> Cobalt Strike backdoor), which was previously detailed in two reports from Volexity and Microsoft earlier this year. In some of these attacks, the Russian espionage group also used a Safari iOS zero-day to infect diplomats who read their emails on their iPhones.
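The email -> ISO -> LNK -> payload chain above leaves a recognisable footprint on an endpoint: an ISO written by the mail client, mounted as a new drive letter, followed shortly by a process launched from that drive. The following correlation script is an added example, not ESET's, IstroSec's or the attackers' code; the event types, field names, hostnames and paths are constructed to resemble endpoint telemetry and are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): an ISO attachment saved by the
# mail client, mounted by Explorer, then a binary run from the mounted volume;
# plus a benign ISO mount on another host that never leads to execution.
SAMPLE_EVENTS = [
    {"ts": "2021-08-10T09:00:00", "type": "file_create", "host": "dip-01",
     "path": r"C:\Users\u\Downloads\NBU_notice.iso", "proc": "outlook.exe"},
    {"ts": "2021-08-10T09:00:40", "type": "iso_mount", "host": "dip-01",
     "image": r"C:\Users\u\Downloads\NBU_notice.iso", "drive": "E:"},
    {"ts": "2021-08-10T09:01:05", "type": "process_create", "host": "dip-01",
     "image": r"C:\Windows\System32\rundll32.exe", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe E:\Documents\notice.dll,Start"},
    {"ts": "2021-08-10T11:30:00", "type": "iso_mount", "host": "dip-02",
     "image": r"C:\ISOs\win10.iso", "drive": "F:"},
    {"ts": "2021-08-10T11:31:00", "type": "process_create", "host": "dip-02",
     "image": r"C:\Windows\System32\notepad.exe", "parent": "explorer.exe",
     "cmdline": "notepad.exe"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def detect_iso_lnk_chain(events, window=timedelta(minutes=10)):
    """Return one alert per process whose image or command line references a
    drive letter backed by an ISO mounted within `window` on the same host.
    The alert records which process wrote the ISO (e.g. a mail client)."""
    dropped_by = {}   # (host, iso path) -> process that created the file
    mounts = {}       # (host, drive letter) -> (mount time, iso path)
    alerts = []
    for ev in sorted(events, key=_ts):
        if ev["type"] == "file_create" and ev["path"].lower().endswith(".iso"):
            dropped_by[(ev["host"], ev["path"])] = ev["proc"]
        elif ev["type"] == "iso_mount":
            mounts[(ev["host"], ev["drive"].upper())] = (_ts(ev), ev["image"])
        elif ev["type"] == "process_create":
            for (host, drive), (mounted_at, iso) in mounts.items():
                if host != ev["host"] or _ts(ev) - mounted_at > window:
                    continue
                marker = drive + "\\"   # e.g. "E:\" in the image path or cmdline
                if marker in ev["image"].upper() or marker in ev["cmdline"].upper():
                    alerts.append({"host": host, "iso": iso, "drive": drive,
                                   "image": ev["image"], "parent": ev["parent"],
                                   "cmdline": ev["cmdline"],
                                   "dropped_by": dropped_by.get((host, iso))})
    return alerts

if __name__ == "__main__":
    for a in detect_iso_lnk_chain(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']}: {a['cmdline']} ran from ISO {a['iso']} "
              f"(mounted as {a['drive']}, ISO written by {a['dropped_by']})")
```

Tuning the window and requiring `dropped_by` to be a mail client keeps the rule quiet on hosts where administrators mount installation ISOs legitimately.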