Notorious hacking group Cozy Bear tried to trick European diplomats into downloading malicious software, cybersecurity firm finds.
BRUSSELS — Russian hackers sure know their target audience.
A hacking group previously linked to Russian intelligence services has in recent months targeted European diplomats with invitations to fake wine-tasting events purporting to come from a European foreign affairs ministry, new research released Tuesday showed.
Cybersecurity firm Check Point said the Russia-linked group known as Cozy Bear had targeted European diplomatic entities with emails bearing subject lines like “Wine Testing [sic] Event” and “Diplomatic Dinner.” The emails carried attachments that, when opened, installed malware on the recipient’s machine.
Cozy Bear is one of Russia’s most notorious hacking groups. It is believed to have conducted major hacks like the intrusion into the United States Democratic National Committee in the run-up to the 2016 presidential election, as well as the 2020 compromise of software firm SolarWinds, in which a trojanized update of the company’s Orion product was pushed to thousands of customers and which has been described as one of the largest cyber-espionage operations ever uncovered.
Western security services have previously linked Cozy Bear, also known as APT29 and Midnight Blizzard, to Russia’s SVR foreign intelligence service.
The hackers behind the new campaign posed as a “major” European foreign affairs ministry, sending the fake invitations to targets, particularly foreign ministries, as well as to the embassies of non-EU countries located in Europe.
Rather than being steered to a full-bodied red or a crisp white, diplomats who opened the attachment in the emails would inadvertently download the malicious software.
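The campaign as described combines three observable signals: an event-themed subject line, an attachment that delivers the payload, and a sender that claims to be a ministry it is not. The following is an added triage example, not code from Check Point, POLITICO or the researchers quoted here; it scores constructed sample messages on those three signals. The ministry domain allow-list, the display-name pattern, the attachment extension list and the sample mailbox are all hypothetical, and only the two subject lines come from the article.

```python
"""Triage heuristic for invitation-lure phishing (added example, not from the report)."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Subject fragments taken from the lures the article quotes (the attackers'
# own misspelling "Testing" is kept alongside the correct spelling).
LURE_SUBJECTS = ("wine testing", "wine tasting", "diplomatic dinner")

# Hypothetical: domains the impersonated ministry really sends from. A real
# deployment would load these from the mail gateway's allow-list.
MINISTRY_DOMAINS = {"diplomatie.example.gov"}

# Display names that claim to be a foreign ministry (assumed pattern).
MINISTRY_NAME = re.compile(r"ministry of foreign affairs|foreign ministry|\bmfa\b", re.I)

# Attachment types that can carry or stage an executable payload (assumed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".zip", ".iso", ".img", ".lnk", ".hta", ".js", ".vbs")


@dataclass
class Message:
    from_display: str
    from_addr: str
    subject: str
    attachments: List[str] = field(default_factory=list)


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain of an address such as 'a@B.Example.COM'."""
    return addr.rsplit("@", 1)[-1].strip(" >").lower()


def triage(msg: Message) -> Tuple[int, List[str]]:
    """Score one message; higher means more lure-like. Returns (score, reasons)."""
    score, reasons = 0, []
    subject = msg.subject.lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        score += 2
        reasons.append("subject matches known event lure")
    risky = [a for a in msg.attachments if a.lower().endswith(RISKY_EXTENSIONS)]
    if risky:
        score += 2
        reasons.append("executable-capable attachment: " + ", ".join(risky))
    domain = sender_domain(msg.from_addr)
    if MINISTRY_NAME.search(msg.from_display) and domain not in MINISTRY_DOMAINS:
        # Display name says "ministry" but the address is not a ministry domain:
        # the strongest single signal, since it is how the spoofing in the
        # article would show up in headers.
        score += 3
        reasons.append("display name claims ministry but sender domain is " + domain)
    return score, reasons


def is_suspicious(msg: Message, threshold: int = 5) -> bool:
    """A message is flagged when it shows at least two of the three signals."""
    return triage(msg)[0] >= threshold


# Constructed sample mailbox; none of these are real messages.
SAMPLES = [
    Message("Ministry of Foreign Affairs - Protocol", "protocol@diplomatie.example.gov",
            "Diplomatic Dinner: seating plan", ["seating_plan.pdf"]),
    Message("Ministry of Foreign Affairs", "invitations@diplomatie-events.example.com",
            "Wine Testing Event", ["Invitation.zip"]),
    Message("Alice", "alice@example.org", "Lunch tomorrow?", []),
]


def triage_all(msgs=SAMPLES):
    """Map each sample subject to its score."""
    return {m.subject: triage(m)[0] for m in msgs}


if __name__ == "__main__":
    for m in SAMPLES:
        score, reasons = triage(m)
        flag = "SUSPICIOUS" if is_suspicious(m) else "ok"
        print(f"{score:2d}  {flag:10s}  {m.subject!r}  {reasons}")
```

The genuine dinner notice from the real ministry domain scores on the subject alone and is not flagged; the spoofed “Wine Testing Event” with a zip attachment from a look-alike domain trips all three signals. Thresholding on the sum rather than on any single signal keeps the rule from flagging every legitimate invitation that mentions dinner.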
Check Point has been tracking the campaign since January. Sergey Shykevich, a researcher at the firm, declined to say which foreign affairs ministry the hackers had impersonated, saying only that it was “one of the big ones” in the European Union.
Commenting on the choice of wine as a lure, Shykevich said: “Someone on the attacker side had a good idea.”
Shykevich added that Check Point had not established whether the hacking attempts were successful. The firm said in its research that it had found indications that diplomats in the Middle East were also targeted.
Two European diplomats told POLITICO they regularly get warnings about phishing attempts, but had not received one about this specific campaign.
The attack is an updated version of a similar campaign previously identified by Google researchers.