CISO Brief: NOBELIUM Targets EU Governments Assisting Ukraine
NOBELIUM, aka APT29, is a sophisticated, Russian state-sponsored threat actor targeting Western countries. At the beginning of March, BlackBerry researchers observed a new campaign targeting European Union countries; specifically, its diplomatic entities and systems transmitting sensitive information about the region's politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.
The new NOBELIUM campaign BlackBerry observed creates lures targeted at those with interest in the Ministry of Foreign Affairs of Poland’s recent visit to the U.S., and abuses the legitimate electronic system for official document exchange in the EU called LegisWrite.
NOBELIUM is an advanced persistent threat group also known as APT29, which is publicly attributed to the Russian government and specifically to the Foreign Intelligence Service of the Russian Federation (SVR), an organization responsible for collecting intelligence outside Russia.
APT29 made international news headlines back in December 2020, when a high-level supply chain attack Trojanized a software update to SolarWinds Orien software. The compromise affected thousands of users, distributing a backdoor dubbed SunBurst.
NOBELIUM is also known as Cozy Bear and The Dukes. NOBELIUM has historically targeted government organizations, non-governmental organizations, think tanks, military, IT service providers, health technology and research, and telecommunications providers.
The infection vector for this campaign is a targeted phishing email containing a weaponized document. The malicious document includes a link leading to the download of an HTML file.
The weaponized URLs shown above are hosted on a legitimate online library website based in El Salvador, Central America. We believe that the threat actor compromised this website sometime between the end of January 2023 and the beginning of February.
One of the lures appeals to those who want to find out the Poland Ambassador’s schedule for 2023. It overlaps with Ambassador Marek Magierowski's recent visit to the U.S., specifically, his talk on February 2, where he discussed the war in Ukraine at the Catholic University of America Columbus School of Law, also known as the Catholic Law, based in Washington, DC.
Another lure we found abuses multiple legitimate systems, including LegisWrite and eTrustEx, which the EU nations use for information exchange and secure data transfer. LegisWrite is an editing program that allows secure document exchange between governments within the EU.
The fact that LegisWrite is used in the malicious lure indicates that the threat actor behind this lure is specifically targeting state organizations within the European Union. Further analysis of the malicious HTML file reveals it to be a version of NOBELIUM’s malicious dropper tracked as ROOTSAW, also known as EnvyScout.
Ultimately, a file called “BugSplatRc64.dll” is dropped, which aims to collect and exfiltrate information about the infected system. That includes data such as the owner’s username and IP address. This data is then used to create the victim’s unique identifier, which it then sends to the command-and-control (C2) server.
This campaign's malware delivery is based on the use of legacy network infrastructure that has been compromised by APT29. Using a compromised legitimate server to host the packed malware payload increases the chances of a successful installation on the victims’ machines.
The packed malware utilizes "api.notion.com" for its C2 communication. "Notion" is a commonly used legitimate note-taking application. By abusing Notion’s application programming interface (API) for C2, the threat group are giving their traffic a benign guise.
NOBELIUM has a history of utilizing compromised servers to make their malicious C2’s look legitimate. Notion was also used during their November 2022 campaign, further aligning this campaign’s tactics, techniques and procedures (TTPs) with APT29.
Based on the current geopolitical situation involving Russia’s invasion of Ukraine; the visit of Poland's Ambassador to the United States and his talk about the war; and the abuse of the online system used to exchange documents inside the European Union, we believe the target of NOBELIUM’s campaign is Western countries, especially those in Western Europe, which aid Ukraine.
NOBELIUM actively collects intelligence information about the countries supporting Ukraine in the Russian-Ukraine war. The overlap between Poland's Ambassador’s visit to the United States with the lure used in the attacks, provides evidence that the threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection.
Furthermore, our initial analysis of weaponized LNK files used in this campaign shows that the threat actor used anti-forensic techniques to wipe out personal metadata to remove information connected to its operations systems.
Using compromised legitimate network infrastructure and a legitimate web server increases NOBELIUM’s technical capabilities to bypass basic network security mechanisms. However, an actionable Threat Intelligence model with counter-measure rules such as Suricata, will help to detect malicious traffic from the internal network to the threat actor’s network infrastructure.
Read the full technical report on this NOBELIUM campaign, including MITRE ATT&CK® information, attack flow, indicators of compromise (IoCs), and applied countermeasures including Yara Rules, by clicking here.
For similar articles and news delivered straight to your inbox, subscribe to the BlackBerry blog.
About The BlackBerry Research & Intelligence Team
The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.