Russian APT28 hackers target 13 countries in ongoing cyber espionage campaign


The Russian nation-state threat actor known as APT28 has been observed using lures related to the ongoing war between Israel and Hamas to facilitate the delivery of a custom backdoor called HeadLace.


“The newly discovered campaign is aimed at targets in at least thirteen countries around the world and uses authentic documents created by academic, financial and diplomatic centers,” said security researchers Golo Mühr, Claire Zaboeva and Joe Fasulo.

The infrastructure of ITG05 (the name under which IBM X-Force tracks APT28) ensures that only targets from one specific country can receive the malware, indicating the highly targeted nature of the campaign.

Campaign targets include Hungary, Turkey, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia and Romania.

The campaign uses decoys aimed primarily at identifying European entities with a “direct influence on the allocation of humanitarian aid”, using documents linked to the United Nations, the Bank of Israel, the US Congressional Research Service, the European Parliament, a Ukrainian think tank and an intergovernmental commission between Azerbaijan and Belarus.

Some attacks have been found to use RAR archives that take advantage of the WinRAR flaw tracked as CVE-2023-38831 to spread HeadLace, a backdoor first exposed by the Computer Emergency Response Team of Ukraine (CERT-UA) in attacks targeting critical infrastructure in the country.
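As an added defensive check (example code written for this page, not part of the article or of the researchers' report), the script below looks for the archive layout publicly documented for CVE-2023-38831: a benign-looking decoy file sitting next to a directory whose name is the decoy's name plus a trailing space, with a script inside that directory. It reads ZIP archives, the format in which the WinRAR flaw was documented; the name-based heuristic itself only needs an entry list, so a RAR lister could feed it as well. The archive, its file names and its contents are constructed for the demonstration.

```python
"""Heuristic scan for the CVE-2023-38831 archive layout (added example).

Assumption: the exploit layout is a decoy entry such as "report.pdf" next to
a directory "report.pdf " (trailing space) that holds a script entry such as
"report.pdf .cmd". Nothing here is extracted or executed; only entry names
are inspected. All sample names and bytes are constructed for the demo.
"""
import io
import zipfile

# Extensions that would be handed to the shell if the trick succeeds.
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr")


def find_suspicious_pairs(names):
    """Return (decoy, script) pairs whose names match the CVE-2023-38831 layout.

    `names` is an archive's entry list using "/" as the separator, as
    zipfile.ZipFile.namelist() returns it.
    """
    file_entries = [n for n in names if not n.endswith("/")]
    findings = []
    for decoy in sorted(file_entries):
        trap_dir = decoy + " /"          # same name as the decoy plus a trailing space
        for entry in file_entries:
            if not entry.startswith(trap_dir):
                continue
            inner = entry[len(trap_dir):]
            if "/" in inner:             # only direct children of the trap directory
                continue
            if inner.lower().endswith(SCRIPT_EXTS):
                findings.append((decoy, entry))
    return findings


def scan_archive_bytes(data):
    """Scan an in-memory ZIP archive and return the suspicious pairs found."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_suspicious_pairs(zf.namelist())


def build_demo_archive(malicious=True):
    """Build a constructed ZIP archive, optionally with the trap layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed decoy")
        if malicious:
            # Placeholder script body; it is never executed by this scanner.
            zf.writestr("report.pdf /report.pdf .cmd",
                        b"rem constructed placeholder, not a real payload\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("trap layout", True), ("clean archive", False)):
        hits = scan_archive_bytes(build_demo_archive(flag))
        print(f"{label}: {hits if hits else 'no suspicious entries'}")
```

The heuristic deliberately matches on names rather than on content, so it can run on an archive listing from a mail gateway or file share without opening anything. Names with a trailing space are legitimate but rare, so treat a hit as a reason to quarantine and inspect rather than as proof of exploitation, and keep WinRAR at a version that has the fix.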


It’s worth noting that Zscaler unveiled a similar campaign in late September 2023, called Steal-It, which enticed targets with adult-themed content to trick them into parting with sensitive information.

“The reliance on official documents as a lure therefore marks a departure from previously observed activities,” the researchers noted, “an indication of ITG05’s increased emphasis on a unique audience whose interests would drive interaction with materials that influence the development of emerging policies.”

The disclosure comes a week after Microsoft, Palo Alto Networks Unit 42, and Proofpoint detailed the threat actor’s exploitation of a critical security flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims’ accounts within Exchange servers.

“It is highly likely that compromise by any echelon of global foreign policy centers could advance the interests of officials with advanced insight into the critical dynamics surrounding the International Community’s (IC) approach to competing security and humanitarian aid,” the researchers said.

The development also follows a new advisory in which CERT-UA linked the threat actor known as UAC-0050 to a large-scale email-based phishing attack against Ukraine and Poland using Remcos RAT and Meduza Stealer.

