Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Standards, Regulations & Compliance

Russian Nation-State Hacker Targets German Political Parties

Latest APT29 Campaign Uses a Previously Unseen Malware Backdoor
Russian Nation-State Hacker Targets German Political Parties
Image: Shutterstock

A Russian hacking group is targeting German political parties as part of a Moscow-backed espionage campaign. The campaign marks the first time the group has been seen targeting political organizations, according to researchers at security firm Mandiant.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

In a report released on Friday, Mandiant attributed the campaign to the Russian group APT29, which is linked to the Russian Foreign Intelligence Service. The campaign has been active since late February and mainly uses phishing emails that appear to come from the German Christian Democratic Union, the report says.

"There is no bigger priority for Russia's intelligence services right now than monitoring changing Western political dynamics," said Dan Black, principal analyst at Mandiant, part of Google Cloud. "This latest targeting is not just about going after Germany or its politicians. It is part of Russia's wider effort aimed at finding ways to undermine European support for Ukraine."

The campaign begins with the hackers sending a phishing email that appears to come from the Christian Democratic Union of Germany, inviting the victims to a dinner reception. The emails contain a malware dropper called RootSaw disguised as a zip file attachment.

When the victim downloads the malicious file, the dropper loads a previously unseen malware backdoor called WineLoader, which performs a decryption function to call a shellcode. The malware then establishes communication with the command-and-control server to send information such as the victim's user and device names to help the attackers identify the victim.

Based on the WineLoader decryption file analysis, Mandiant researchers estimate threat actors may have repurposed the variant from the older MuskyBeat strain that they previously linked to a similar phishing campaign last year that targeted Ukrainian diplomats.

While the group has previously targeted European governments, foreign embassies and related diplomatic activities, Mandiant said the new campaign marked the first time the group has been seen targeting political parties - indicating a change in the attackers' tactics for future operations.

It is unclear if the latest attacks have resulted in the compromise of any parties or politicians. A week ago, someone leaked the personal information of 35,000 donors and newsletter subscribers for a newly created German political party called the BSW, but researchers did not connect the incident with the APT29 campaign.

Threat intelligence firms have warned that APT29, also known as Midnight Blizzard and the Dukes, has amplified its global cyberespionage operations as part of Moscow's ongoing war against Ukraine.

The group recently compromised the emails of top Microsoft executives for at least six weeks last year and exfiltrated source code repositories and internal systems of the company (see: Russian State Hackers Penetrated Microsoft Code Repositories).

Last month the Five Eyes intelligence alliance warned that the Russian group has now pivoted to target corporate cloud accounts, which typically lack multifactor authentication (see: Russian Threat Actor APT29 Pivots to the Cloud for Espionage).

The latest campaign in Germany comes amid heightened fears of a wider Russian conflict with European NATO countries to stem the military alliance's support for Ukraine.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.