As reported this week by the Slovak security firms ESET and IstroSec, a group of Russian cyber espionage operators associated with the country's intelligence services has been targeting and attacking the Slovak government for many months.
Cybersecurity agencies from the US and several other countries have linked the attacks to the group tracked as the Dukes, Nobelium, or APT29. They previously attributed this group to Russia's Foreign Intelligence Service (SVR) in connection with the attack on the software company SolarWinds earlier this year.
ESET and IstroSec also report that the SVR operators have recently been running several spear-phishing campaigns against Slovak officials, sending messages or emails that carry suspicious links redirecting victims to malware-infected websites. These incidents took place between February and July 2021.
In more detail, the SVR operators first send the malicious emails to Slovak diplomats while impersonating the Slovak National Security Authority (NBU). The documents attached to the email typically come as an ISO image file, which would download and install the Cobalt Strike backdoor, which in turn sends out beacons to probe for network exposure from infected systems.
In a recent talk at the Def Con security conference, IstroSec researchers also described how they discovered the SVR command-and-control (C2) servers used in these attacks. The team stated that the SVR C2 servers also hosted documents clearly intended for Czech government administrators.
ESET subsequently confirmed the cyber espionage attacks reported earlier today and said it has begun tracking the attackers' latest activities and campaigns.
These campaigns are also said to target diplomats from about 13 European countries.
ESET added that the further attacks appear to follow the same pattern this group of Russian cyberspies has used before: an email carrying an ISO disk image that contains an LNK shortcut file, which then launches the Cobalt Strike backdoor. This kind of attack has also been reported against Volexity and Microsoft this year.