Poland says that a state-backed threat group linked to Russia's military intelligence service (GRU) has been targeting Polish government institutions throughout the week. According to evidence gathered by CSIRT MON, the country's Computer Security Incident Response Team (run by the Polish Minister of National Defense), and CERT Polska (the Polish computer emergency response team), Russian APT28 state hackers targeted numerous government institutions in a large-scale phishing campaign.
The phishing emails tried to trick the recipients into clicking an embedded link that would supposedly give them more details about a "mysterious Ukrainian lady" peddling "used underwear" to "old authorities in Poland and Ukraine." Once clicked, the link redirected them through several websites before landing on a page that downloaded a ZIP archive. The archive contained a malicious executable disguised as a JPG image file and two hidden files: a DLL and a .BAT script.
If the target opens the disguised executable, it loads the DLL via DLL side-loading, which in turn runs the hidden script. The script displays a picture of a woman in a swimsuit in the Microsoft Edge browser as a decoy while simultaneously downloading a CMD file and changing its extension to JPG. "The script we eventually acquired contains only data about the computer (IP address and checklist of files in specified folders) on which they were established and then transmits them to the C2 server. Likely, computers of the victims picked by the assaulters receive a separate set of endpoint scripts," CERT Polska said.
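The lure archive described above has a recognisable shape: an executable named like an image next to hidden DLL and BAT companions for side-loading. The following is an added defender-side example, not code from CERT Polska or from the article, that inspects a ZIP in memory for that pattern; the member names and the MZ-header stand-in are constructed for the demonstration and are not real malware.

```python
import io
import zipfile

# MS-DOS attribute bits sit in the low byte of ZipInfo.external_attr for
# archives produced on Windows; 0x02 is FILE_ATTRIBUTE_HIDDEN.
DOS_HIDDEN = 0x02
IMAGE_EXTS = (".jpg", ".jpeg", ".png")
COMPANION_EXTS = (".dll", ".bat", ".cmd")

def inspect_archive(zip_bytes: bytes) -> dict:
    """Flag the lure pattern: an 'image' that is really a PE plus hidden DLL/BAT."""
    findings = {"disguised_pe": [], "hidden_companions": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if (info.external_attr & DOS_HIDDEN) and name.endswith(COMPANION_EXTS):
                findings["hidden_companions"].append(info.filename)
            # Catch a double extension (photo.jpg.exe) as well as PE bytes
            # hiding behind a plain image extension (photo.jpg).
            double_ext = name.endswith(".exe") and any(e + "." in name for e in IMAGE_EXTS)
            with zf.open(info) as member:
                # Every Windows PE file starts with the 'MZ' DOS stub signature.
                pe_behind_image = name.endswith(IMAGE_EXTS) and member.read(2) == b"MZ"
            if double_ext or pe_behind_image:
                findings["disguised_pe"].append(info.filename)
    if findings["disguised_pe"] and findings["hidden_companions"]:
        findings["verdict"] = "suspicious: disguised PE with hidden side-load companions"
    elif findings["disguised_pe"]:
        findings["verdict"] = "suspicious: executable disguised as image"
    else:
        findings["verdict"] = "no lure pattern found"
    return findings

def build_archive(members) -> bytes:
    """Build an in-memory ZIP from (name, data, hidden) tuples; fixture only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, hidden in members:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = DOS_HIDDEN if hidden else 0
            zf.writestr(zi, data)
    return buf.getvalue()

# Constructed stand-in for the described lure archive: an MZ header behind a
# .jpg name plus hidden DLL and BAT members. Nothing here is real malware.
SAMPLE_LURE = [
    ("IMG-0001.jpg", b"MZ" + b"\x00" * 62, False),
    ("helper.dll", b"placeholder", True),
    ("run.bat", b"placeholder", True),
]
```

Run `inspect_archive(build_archive(SAMPLE_LURE))` to see the combined verdict; a mail gateway or sandbox can apply the same checks to real attachments before they reach a user.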
The tactics and infrastructure used in these attacks are similar to those seen in another highly targeted campaign, in which APT28 operators used Israel-Hamas war themes to backdoor the devices of officials from 13 countries, including members of the United Nations Human Rights Council, with Headlace malware.
Since it emerged in the mid-2000s, the Russian state-backed hacking group has been tied to many high-profile cyberattacks, and it was linked to GRU Military Unit 26165 in 2018. APT28 hackers were behind the hacks of the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) before the 2016 U.S. Presidential Election, as well as the breach of the German Federal Parliament (Deutscher Bundestag) in 2015.
The United States charged numerous APT28 members for their involvement in the DNC and DCCC attacks in July 2018, while the Council of the European Union sanctioned APT28 in October 2020 for the Bundestag hack. Last week, NATO and the European Union, together with international partners, also formally attributed a long-running APT28 cyber-espionage campaign against numerous European nations, including Germany and Czechia.
Germany said the Russian threat group compromised multiple email accounts belonging to members of the Social Democratic Party's executive board. The Czech Ministry of Foreign Affairs also announced that APT28 targeted some Czech organizations in the same Outlook campaign in 2023. The attackers exploited the CVE-2023-23397 Microsoft Outlook vulnerability in that attack, a security flaw used as a zero-day to target NATO members in Europe, Ukrainian government agencies, and a NATO rapid response body beginning in April 2022.
"We call on Russia to prevent this negative movement and stay by its global responsibilities and duties. With the EU and our NATO Allies, we will resume taking steps to disrupt Russia's cyber actions, defend our residents and alien supporters, and hold hostile actors responsible," the U.S. State Department said in a statement.