Polish authorities describe a broad espionage campaign tied to Russian intelligence, aimed at foreign ministries and diplomatic entities, with activity overlapping prior operations such as Nobelium/APT29 and SolarWinds. The campaign uses new tools alongside known ones, employs HTML smuggling and DLL sideloading, and relies on spear-phishing to deliver its payload.
Key points
- A widespread espionage campaign is linked to Russian intelligence and targets diplomatic entities, primarily in NATO/EU states.
- Elements overlap with prior activity described as NOBELIUM and APT29, including tools like SUNBURST, ENVYSCOUT, and BOOMBOX, while new tools were introduced.
- The campaign uses spear-phishing emails impersonating European embassy contacts to lure victims.
MITRE Techniques
- [T1566.002] Spearphishing Link – Emails impersonating embassies with a link to a site containing the ENVYSCOUT payload. Quote: “The actor utilised spear phishing techniques… a link was included purportedly directing to the ambassador’s calendar, meeting details or a downloadable file.”
- [T1189] Drive-by Compromise – HTML Smuggling delivering a malicious file decoded by JavaScript from a compromised web page. Quote: “It utilizes the HTML Smuggling technique – whereby a malicious file placed on the page is decoded using JavaScript when the page is opened and then downloaded on the victim’s device.”
- [T1574.001] DLL Side-Loading / DLL Hijacking – Loading and executing code from a hidden DLL via a signed executable in the same directory. Quote: “The DLL Sideloading technique was also observed, using a signed executable file to load and execute code contained in a hidden DLL library by placing it in the same directory, under a name chosen according to the entries in the import table.”
- [T1105] Ingress Tool Transfer – Downloaders (SNOWYAMBER, QUARTERRIG) used to fetch and start payloads such as COBALT STRIKE or BRUTE RATEL. Quote: “SNOWYAMBER – a tool first used… to communicate and download further malicious files.” / “The SNOWYAMBER and QUARTERRIG tools were used as so-called downloaders. Both tools sent the IP address as well as the computer and user name to the actor.” / “used to deliver and start-up the commercial tools COBALT STRIKE or BRUTE RATEL.”
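A small triage script for suspicious HTML attachments, added here as an example and not part of the original advisory: it looks for the decode-and-download pattern described under HTML Smuggling above, decodes any embedded base64 literals and identifies the payload by magic bytes (ZIP, PE, ISO 9660). The sample HTML and its base64 payload are constructed for the example.

```python
import base64
import re

# Constructed sample modelled on the HTML Smuggling pattern: a base64 blob that
# page JavaScript decodes and hands to the browser as a file download.
# The payload is a 13-byte constructed ZIP-like header, not real malware.
SAMPLE_HTML = """<html><body><script>
var b64 = "UEsDBBQAAAAIAAAAIQ==";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'Invitation.zip';
a.click();
</script></body></html>"""

# Browser APIs that together make up the smuggling chain (decode -> Blob -> download).
SMUGGLING_APIS = ("atob(", "createObjectURL(", "msSaveOrOpenBlob(", "new Blob(", ".download")
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
DOWNLOAD_NAME = re.compile(r'\.download\s*=\s*["\']([^"\']+)["\']')

# (signature, offset, label); ISO 9660 carries "CD001" at sector 16 + 1 byte.
MAGIC = [(b"PK\x03\x04", 0, "zip"), (b"MZ", 0, "pe"), (b"CD001", 0x8001, "iso9660")]


def identify(payload: bytes) -> str:
    """Return the container type of a decoded payload from its magic bytes."""
    for sig, off, label in MAGIC:
        if payload[off:off + len(sig)] == sig:
            return label
    return "unknown"


def triage_html(html: str) -> dict:
    """Report smuggling APIs, download names and decoded payloads found in an HTML file."""
    apis = [a for a in SMUGGLING_APIS if a in html]
    payloads = []
    for literal in B64_LITERAL.findall(html):
        try:
            raw = base64.b64decode(literal, validate=True)
        except ValueError:
            continue  # not valid base64, skip
        payloads.append({"size": len(raw), "kind": identify(raw)})
    names = DOWNLOAD_NAME.findall(html)
    # Two or more chain APIs plus a decodable blob is the pattern worth escalating.
    suspicious = len(apis) >= 2 and bool(payloads)
    return {"apis": apis, "download_names": names, "payloads": payloads, "suspicious": suspicious}


if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
```

Comparing the advertised download name against the detected payload kind catches mismatches such as an ".iso" name wrapping a PE or ZIP.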
Indicators of Compromise
- [Tool/Software] ENVYSCOUT – used as the actor’s signature script and a delivery payload. Example: ENVYSCOUT is the main tool referenced in the HTML Smuggling campaign.
- [Tool/Software] SNOWYAMBER – downloader tool first used Oct 2022 to communicate and download further files. Example: SNOWYAMBER used as a downloader to fetch payloads.
- [Tool/Software] HALFRIG – loader tool that incorporates COBALT STRIKE payload. Example: HALFRIG runs the COBALT STRIKE payload automatically.
- [Tool/Software] QUARTERRIG – downloader tool, sharing code with HALFRIG. Example: QUARTERRIG observed in multiple versions.
- [Tool/Software] COBALT STRIKE – payload framework delivered by the campaign. Example: used as a tool after downloaders verify target.
- [Tool/Software] BRUTE RATEL – payload framework delivered by the campaign. Example: used as a tool after downloader verification.
- [File format] ISO and IMG disk images – delivery formats used to present/install malware. Example: ISO and IMG images were used for delivery, alongside the ZIP/ISO files seen in prior campaigns.
Read more: https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services