
Poland provides more details of APT28 government attacks

Poland has called out Russian state-sponsored hackers, claiming that they targeted a number of government networks in a major phishing campaign.

Daniel Croft
Fri, 10 May 2024

According to the Polish state-run National Research Institute (NASK), the Russian threat group APT28, which is connected with the GRU, Russia’s military intelligence agency, launched attacks on a number of Polish government institutions.

Earlier this week, Poland first announced that it had been targeted by APT28, and it expressed its support for Germany and the Czech Republic, which also called out the threat group.

“Poland, which is also one of the targets of the APT28 attacks, strongly condemns the repeated, unacceptable and harmful activities carried out in cyber space by Russian entities,” Poland said in a statement.


“Facing the continuous increase in threats in cyber space, Poland is actively working to protect critical infrastructure, build resilience and strengthen cyber defence.”

However, until now, Poland has not provided details of the attack.

Its latest comments do not confirm that this is the same attack, particularly as the attacks on Germany and the Czech Republic took place years ago. However, Poland’s NASK has said that APT28 attempted to distribute malware on Polish government networks this week.

“Malware targeting Polish government institutions was distributed this week by the APT28 group, associated with Russia's intelligence services,” NASK said in a statement.

“Technical indicators and similarities to past attacks allowed the identification of the APT28 group ... This group is associated with the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).”

Other reports from the Polish Computer Security Incident Response Team (CSIRT MON) and the Polish computer emergency response team (CERT Polska) said malware was delivered through phishing emails that promised additional information on a “Mysterious Ukrainian woman” who sells “used underwear” to “senior authorities in Poland and Ukraine”, as reported by BleepingComputer.

Recipients of the email who clicked the link were redirected through a number of sites before downloading a ZIP archive disguised as a JPG image.

Within the archive are a DLL and a .BAT script, which run when the file is opened. A photo of a woman in a bathing suit is displayed in Microsoft Edge to distract the recipient while the script runs.
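The lure described above relies on a ZIP archive carrying an image name, so a simple defensive check is to classify a download by its leading bytes rather than its extension and then list any executables inside. The following is an added example, not code from the article or from CERT Polska; the file names and sample archive are constructed for illustration.

```python
import io
import zipfile

# Leading bytes that identify the real file type regardless of its name
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

# Member extensions that should never appear inside a file claiming to be an image
EXECUTABLE_EXTS = (".dll", ".bat", ".exe", ".cmd", ".lnk", ".scr", ".vbs", ".js")


def sniff_type(data: bytes) -> str:
    """Classify a payload by its magic bytes, ignoring the name it was delivered under."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(ZIP_MAGICS):
        return "zip"
    return "unknown"


def analyse_download(filename: str, data: bytes) -> dict:
    """Flag an image-named download whose content is an archive containing executables."""
    claimed = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    actual = sniff_type(data)
    result = {
        "claimed_ext": claimed,
        "actual_type": actual,
        "mismatch": claimed in ("jpg", "jpeg") and actual != "jpeg",
        "executables": [],
    }
    if actual == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                result["executables"] = [n for n in zf.namelist()
                                         if n.lower().endswith(EXECUTABLE_EXTS)]
        except zipfile.BadZipFile:
            pass  # truncated or corrupt archive: mismatch alone is still recorded
    result["suspicious"] = result["mismatch"] and bool(result["executables"])
    return result


def build_sample() -> bytes:
    """Constructed sample: a ZIP with DLL- and BAT-named placeholder members (inert text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.dll", b"placeholder, not a real library")
        zf.writestr("photo.bat", b"rem placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(analyse_download("photo.jpg", build_sample()))          # suspicious: True
    print(analyse_download("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))  # suspicious: False
```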

CERT Polska said the script collects information about the computer, such as a list of files from selected locations and IP addresses, which is then sent to a C2 server.

“Probably, computers of the victims selected by the attackers receive a different set of the endpoint scripts,” CERT Polska said.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
