[TheRecord] Russian cyberspies targeted the Slovak government for months

A Russian cyber-espionage group linked to one of Russia’s intelligence forces has targeted the Slovak government for months, Slovak security firms ESET and IstroSec said this week.

The attacks were attributed to a group known as the Dukes, Nobelium, or APT29, which cyber-security agencies from the US and other countries formally linked to the Russian Foreign Intelligence Service, also known as the SVR, earlier this year after its attack on software company SolarWinds.

ESET and IstroSec said SVR hackers recently orchestrated several spear-phishing campaigns between February and July 2021 that targeted Slovak officials.

SVR operators sent emails to Slovak diplomats posing as the Slovak National Security Authority (NBU). The emails carried documents, usually an ISO image file, that would download and install a Cobalt Strike backdoor on infected systems.

In a talk at the Def Con security conference this year, IstroSec researchers described how they found the SVR command-and-control servers used in these attacks.

The IstroSec team said that some of the SVR C&C servers also hosted documents that appeared to have been aimed at Czech government officials.

ESET confirmed the attacks earlier today and said that they’ve also tracked the group’s recent campaign, which targeted diplomats in more than 13 European countries.

According to ESET, all the attacks appeared to follow the same tactic (email -> ISO disk image -> LNK shortcut file -> Cobalt Strike backdoor), a tactic that was also described in two reports earlier this year from Volexity and Microsoft. In some of these attacks, the Russian espionage group also relied on a Safari iOS zero-day to infect diplomats who read their emails on their iPhones.
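The email -> ISO -> LNK chain described above is something a mail gateway can check for before a message reaches a diplomat's inbox. The following Python is an added illustration written for this article, not code from ESET, IstroSec, Volexity or Microsoft: it parses a message with the standard library, flags attachments that carry a disk-image extension, that start with an ISO 9660 volume descriptor ("CD001" at offset 0x8001), or that contain a Windows shell link header (the 0x4C header size followed by the ShellLink CLSID) anywhere in their bytes. The extension list and the sample message are assumptions constructed for the demonstration; a real deployment would feed it the raw message from the gateway.

```python
import email
from email import policy
from email.message import EmailMessage

# ISO 9660: the primary volume descriptor sits at sector 16 (offset 0x8000);
# byte 0 is the descriptor type (1) and bytes 1-5 are the identifier "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"

# Windows shell link (.lnk) header: HeaderSize 0x0000004C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 in little-endian layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Assumed policy list of disk-image extensions worth flagging at the gateway.
DISK_IMAGE_EXTS = (".iso", ".img")


def is_iso_image(data: bytes) -> bool:
    """True when the bytes carry an ISO 9660 volume descriptor signature."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def contains_lnk(data: bytes) -> bool:
    """True when a shell link header appears anywhere in the attachment bytes.

    A raw byte search is deliberate: it finds a .lnk embedded in an ISO without
    needing a full filesystem parser, at the cost of missing compressed files."""
    return LNK_MAGIC in data


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per suspicious attachment in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(DISK_IMAGE_EXTS):
            reasons.append("disk-image extension")
        if is_iso_image(payload):
            reasons.append("ISO 9660 magic")
        if contains_lnk(payload):
            reasons.append("embedded .lnk header")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed test input: a message carrying a minimal fake ISO image
    (system area + a few sectors) with a shell link header planted inside."""
    image = bytearray(0x8000 + 2048 * 4)
    image[0x8000] = 1                      # volume descriptor type: primary
    image[0x8001:0x8006] = ISO_MAGIC
    image[0x9000:0x9000 + len(LNK_MAGIC)] = LNK_MAGIC
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See the attached document.")
    msg.add_attachment(bytes(image), maintype="application",
                       subtype="octet-stream", filename="document.iso")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed control input: a plain text attachment that should not fire."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Constructed benign sample"
    msg.set_content("Notes attached.")
    msg.add_attachment(b"meeting agenda\n", maintype="text",
                       subtype="plain", filename="agenda.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(finding)
```

Each reason is reported separately so the gateway policy can decide how many must hold before a message is quarantined; an attachment that matches all three, as the constructed sample does, is the shape of the chain ESET describes.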

Image: Microsoft

The post Russian cyberspies targeted the Slovak government for months appeared first on The Record by Recorded Future.