
Russian Cozy Bear Attacks European Embassies Using WinRAR Bug

Hey there, Bay Area cybersecurity and healthcare friends! Let’s talk for a minute about a recent alarm raised by some cyber defenders over in Ukraine.

Picture this: Ukrainian researchers have been investigating a series of attacks on a bunch of European embassies and big international organizations. The twist? They attribute the campaign to Russia’s Foreign Intelligence Service, tracked as APT29 or Cozy Bear, pulling the strings.

The targeted embassies included those of Azerbaijan, Greece, Romania, and Italy. Even a Greek internet provider, Otenet, wasn’t spared. The common thread is that all the victims were linked to Azerbaijan in some way, either economically or politically. This surge of cyber attacks happened to coincide with the peak of Azerbaijan’s military action in Nagorno-Karabakh, an Armenian ethnic enclave. Coincidence? Our Ukrainian friends don’t seem to think so.

Just as interestingly, the Cozy Bear crew employed a few tactics we’ve seen before, with patterns resembling past attacks led by APT29. It seems likely the whole operation kicked off around September, and it didn’t stop at embassies either. The same kind of cyber trickery also targeted European governments in a hefty six-month espionage spree.

Now, step into the methodology with me here. More than 200 email addresses received phishing emails with a sneaky link to a PDF document and a malicious ZIP file. The catch? The ZIP exploited a flaw in WinRAR, a commonly used Windows archiving tool. The flaw had been patched in August, but the attackers kept right on exploiting it.

Here’s how: the ZIP pairs a harmless-looking file with a folder that carries the very same name, and when the victim opens that decoy file, Windows ends up running the malware tucked inside the folder. Picture an email landing in your inbox pretending to be about a great deal on a BMW… something we’ve seen these guys use as a decoy before.
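As an added defensive illustration (not code from the original article or from the Ukrainian report), the following Python check scans a ZIP for the layout just described: a top-level file sitting beside a folder of the same name with something executable inside. Both sample archives are constructed in memory with inert placeholder content, and the `.cmd`-style payload name and trailing-space trick are assumptions about how such archives are laid out.

```python
import io
import os
import zipfile
from typing import Dict, List

# File types Windows will execute (rather than merely display) when opened.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1", ".lnk"}


def scan_archive(zip_bytes: bytes) -> List[str]:
    """Flag the decoy pattern: a top-level 'harmless' file next to a directory
    with the same name, payload hidden inside the directory. Names are compared
    after stripping trailing spaces, since a trailing space is one way to make
    a file name and a folder name look identical (assumption, not from the page)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    # Top-level files: normalised name -> exact archive name.
    decoys: Dict[str, str] = {n.rstrip(" "): n for n in names if "/" not in n}
    # Top-level directories: normalised name -> entries inside it.
    children: Dict[str, List[str]] = {}
    for n in names:
        top, sep, rest = n.partition("/")
        if sep and rest:  # skip bare directory entries like "images/"
            children.setdefault(top.rstrip(" "), []).append(rest)

    findings = []
    for base, decoy in decoys.items():
        for inner in children.get(base, []):
            ext = os.path.splitext(inner)[1].lower()
            if ext in EXECUTABLE_EXTS:
                findings.append(f"HIGH: decoy '{decoy}' shadows executable '{base}/{inner}'")
            else:
                findings.append(f"MEDIUM: file and folder share the name '{base}'")
    return findings


def build_decoy_archive(decoy_name: str = "BMW offer.pdf ", payload_ext: str = ".cmd") -> bytes:
    """Constructed sample reproducing the layout; the 'payload' is an inert string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy_name, b"%PDF-1.4 constructed decoy document")
        zf.writestr(f"{decoy_name}/{decoy_name}{payload_ext}", b"REM constructed placeholder")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control archive with an ordinary file/folder layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 ordinary document")
        zf.writestr("images/logo.png", b"\x89PNG")
    return buf.getvalue()
```

Run `scan_archive` over attachments at the mail gateway or on a sandbox host; a `HIGH` finding is worth quarantining even when the inner file's real extension is hidden by Explorer.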

The plot further thickens with the use of a tool called Ngrok. It’s basically a development tool that was twisted into a platform for covert hacking: Ngrok exposes a local web server on an ngrok.com subdomain, and the attackers used that to host their command-and-control server, helping to mask the cyber mischief.

As our Ukrainian cyber gurus concluded in their report, this presents a pretty grave reminder – cyber espionage is just another tool in the political toolbox, and it can reach far and wide across all sorts of sectors and regions. Our jobs as guardians at the cybersecurity gateways are clearly as essential as ever, folks. So, let’s keep our eyes open and defenses strong, alright?

by Morgan Phisher | HEAL Security
