A Russia-linked hacking group unleashed a new “advanced phishing campaign” targeting European diplomats with invites to fake wine tasting events, according to a report.
Check Point Research said the APT29 group is trying to “impersonate a major European Ministry of Foreign Affairs to send out invitations to wine tasting events, prompting targets to click a web link leading to the deployment of a new backdoor [malware] called GRAPELOADER.”
“This campaign appears to be focused on targeting European diplomatic entities, including non-European countries’ embassies located in Europe,” the cybersecurity firm said in an advisory, noting that the emails with malicious links included subject lines such as “Wine tasting event (update date),” “For Ambassador’s Calendar” and “Diplomatic dinner.”
The U.S. Cybersecurity and Infrastructure Security Agency said last year that APT29, which also goes by the names of Midnight Blizzard, the Dukes, or Cozy Bear, is “a cyber espionage group, almost certainly part of the SVR, an element of the Russian intelligence services.”
WINDOWS 10 SECURITY FLAWS LEAVE MILLIONS VULNERABLE
Check Point Research said Tuesday that APT29 is “known for targeting high-profile organizations, including government agencies and think tanks” and that “their operations vary from targeted phishing campaigns to high-profile supply chain attacks that utilize a large array of both custom and commercial malware.”
“Throughout the [new] campaign, the targets include multiple European countries with a specific focus on Ministries of Foreign Affairs, as well as other countries’ embassies in Europe. In addition to the emails we’ve identified, we found indications of limited targeting outside of Europe, including of diplomats based in the Middle East,” it also said.
Check Point Research said the phishing attacks started in January of this year.
“In cases where the initial attempt was unsuccessful, additional waves of emails were sent to increase the likelihood of getting the victim to click the link and compromise his machine,” it added.
“The server hosting the link is believed to be highly protected against scanning and automated analysis solutions, with the malicious download triggered only under certain conditions, such as specific times or geographic locations. When accessed directly, the link redirects to the official website of the impersonated Ministry of Foreign Affairs,” the firm continued.
It is unclear if any of the phishing attacks were successful.
