The state-supported group behind the SolarWinds supply chain attack is going after diplomats using spear phishing to deploy a novel strain of malware.
Threat analysts at the cybersecurity firm Mandiant have uncovered a new APT29 cyber attack once again aimed at diplomats and government agencies.
APT29 is a cyber espionage group widely believed to be sponsored by the Russian Foreign Intelligence Service, the SVR. APT29 is also publicly referred to as Nobelium by Microsoft, Mandiant said. APT29 is the group responsible for the 2021 SolarWinds supply chain attack.
While Mandiant has been tracking APT29 phishing activities aimed at diplomats around the globe since early 2020, this year’s attackers are using two new malware families, BEATDROP and BOOMMIC, alongside the BEACON downloader, to carry out attacks. The APT29 malware uses Atlassian’s popular Trello project management tool for command and control (C2), both to store victim information and to retrieve AES-encrypted shellcode payloads.
“For anyone involved in politics, it is critical to understand that they may be targeted due to information they have, or even just the contacts they may have,” said Erich Kron, security awareness advocate, at cybersecurity training firm KnowBe4. “In situations like embassies, which act as sovereign soil in foreign countries, and for the diplomats within them, the information about activities occurring within the region would be a gold mine for adversaries.”
To trick victims into downloading malware-laden files, APT29 sent spear-phishing emails disguised as embassy administrative updates, Mandiant said in a blog post about the attacks. To get past spam filters, APT29 used legitimate email addresses from other diplomatic entities and targeted large, publicly available lists of embassy personnel.
The emails used the malicious HTML dropper ROOTSAW (also known as EnvyScout) to deliver and decode IMG or ISO files, either of which can be written to disk and execute a malicious .DLL file that contains the BEATDROP downloader. APT29 is also using the BEACON downloader for similar purposes.
Once BEATDROP or BEACON opens a backdoor into the victim’s network, the attackers quickly deploy BOOMMIC to gain deeper access into the victim’s environment. BOOMMIC (also called VaporRage by Microsoft) is a shellcode downloader that communicates with a C2 server over HTTP. Once activated, its main job is to download shellcode payloads into memory on the target machine, Mandiant said.
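The delivery chain described above (a mailed disc image that is mounted, a DLL launched from the mounted volume, and a beacon to Trello) leaves a recognisable footprint in endpoint telemetry. The following detector is an added example written for this article, not code from Mandiant or from the campaign; the event schema, the sample events, the 30-minute correlation window and the assumption that no legitimate non-browser process on these hosts talks to Trello are all constructed for the demonstration.

```python
"""Correlate disc-image mount -> DLL launch -> Trello traffic over simplified
Sysmon-style events. Field names and sample events are constructed for this
example and are not any vendor's real schema."""
from dataclasses import dataclass
from datetime import datetime, timedelta

TRELLO_HOSTS = {"api.trello.com", "trello.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # assumption: only these may talk to Trello
DLL_LAUNCHERS = {"rundll32.exe", "regsvr32.exe"}
WINDOW = timedelta(minutes=30)   # how long after a mount a DLL launch still counts

# Constructed telemetry: one malicious chain plus two benign events.
SAMPLE_EVENTS = [
    {"ts": "2022-04-26T09:12:03", "type": "mount", "user": "jdoe", "drive": "E",
     "image": r"C:\Users\jdoe\Downloads\Embassy_Update.iso"},
    {"ts": "2022-04-26T09:12:41", "type": "process", "pid": 4412, "user": "jdoe",
     "image": "rundll32.exe", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe E:\update.dll,StartW"},
    {"ts": "2022-04-26T09:13:05", "type": "network", "pid": 4412,
     "image": "rundll32.exe", "dest_host": "api.trello.com", "dest_port": 443},
    {"ts": "2022-04-26T10:00:00", "type": "network", "pid": 5120,          # benign: browser
     "image": "chrome.exe", "dest_host": "trello.com", "dest_port": 443},
    {"ts": "2022-04-26T11:30:00", "type": "process", "pid": 6001, "user": "SYSTEM",  # benign: system DLL
     "image": "rundll32.exe", "parent": "svchost.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    ts: str
    details: str


def _t(event):
    return datetime.fromisoformat(event["ts"])


def iso_dll_launches(events):
    """Rule 1: a .iso/.img was mounted and, within WINDOW, rundll32/regsvr32
    started with a DLL path on the freshly mounted drive letter."""
    alerts = []
    for m in (e for e in events if e["type"] == "mount"):
        if not m["image"].lower().endswith((".iso", ".img")):
            continue
        prefix = f"{m['drive'].upper()}:\\"
        for p in (e for e in events if e["type"] == "process"):
            if p["image"].lower() not in DLL_LAUNCHERS:
                continue
            if not timedelta(0) <= _t(p) - _t(m) <= WINDOW:
                continue
            if prefix in p["cmdline"].upper():
                alerts.append(Alert("iso_dll_launch", p["pid"], p["ts"],
                                    f"{p['cmdline']} after mount of {m['image']}"))
    return alerts


def non_browser_trello(events):
    """Rule 2: Trello traffic from a process that is not a browser."""
    return [Alert("non_browser_trello", e["pid"], e["ts"],
                  f"{e['image']} -> {e['dest_host']}:{e['dest_port']}")
            for e in events
            if e["type"] == "network"
            and e["dest_host"].lower() in TRELLO_HOSTS
            and e["image"].lower() not in BROWSERS]


def detect(events):
    """Run both rules and raise a high-confidence alert when the same process
    matches both, i.e. a DLL from a disc image is beaconing to Trello."""
    r1 = iso_dll_launches(events)
    r2 = non_browser_trello(events)
    suspicious_pids = {a.pid for a in r1}
    chained = [Alert("iso_dll_to_trello", a.pid, a.ts,
                     "DLL launched from a disc image is talking to Trello (BEATDROP-style C2)")
               for a in r2 if a.pid in suspicious_pids]
    return r1 + r2 + chained


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] pid={alert.pid} {alert.ts} {alert.details}")
```

Either rule alone is noisy on a real fleet (ISO mounts and rundll32 are common), so the value is in the join on process id: a launcher started from a just-mounted image that then reaches a SaaS API the host has no business with is a much stronger signal than either event by itself.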
BEACON is a multi-purpose tool that also captures keystrokes and screenshots and can act as a proxy server. It may also harvest system credentials, conduct port scanning and enumerate systems on a network.
Once inside the network, the attackers are able to escalate privileges and move laterally within hours, using Kerberos tickets in Pass-the-Ticket attacks, exploiting misconfigured certificate templates to impersonate admins, and creating malicious certificates to escalate directly from low-level privileges to domain admin status. Malicious certificates can also give the attacker long-term persistence in the victim’s environment. APT29 performs extensive reconnaissance of hosts and of the Active Directory environment looking for credentials, Mandiant said.
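The certificate-template abuse mentioned above depends on templates that let an ordinary user request a logon-capable certificate with a subject of their choosing, without anyone approving the request. The audit below is an added example for this article, not code from Mandiant or from any Active Directory tool; the template records are constructed, and in practice they would be read from the certificate template objects under the forest's Configuration naming context. The flag and EKU constants are Microsoft's published values; the set of "low-privileged" principals is an assumption to adapt to the local directory.

```python
"""Flag AD CS certificate templates that would let a low-privileged principal
obtain a certificate usable to authenticate as someone else. Records below are
constructed; real ones come from the certificate template objects in AD."""

# Published Microsoft flag values for the template attributes
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag: manager approval required

# EKUs that make a certificate usable for domain logon (or for anything at all)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

# Assumption: these groups mean "effectively everyone" in this directory.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}

# Constructed template records. Only VPN-Access is misconfigured.
SAMPLE_TEMPLATES = [
    {"name": "User", "published": True, "name_flags": 0x0, "enroll_flags": 0x0,
     "ekus": {"1.3.6.1.5.5.7.3.2"}, "ra_signatures": 0, "enroll_allowed": {"Domain Users"}},
    {"name": "VPN-Access", "published": True, "name_flags": 0x1, "enroll_flags": 0x0,
     "ekus": {"1.3.6.1.5.5.7.3.2"}, "ra_signatures": 0, "enroll_allowed": {"Domain Users"}},
    {"name": "WebServer", "published": True, "name_flags": 0x1, "enroll_flags": 0x0,
     "ekus": {SERVER_AUTH}, "ra_signatures": 0, "enroll_allowed": {"Domain Computers"}},
    {"name": "Admin-SmartCard", "published": True, "name_flags": 0x1, "enroll_flags": 0x2,
     "ekus": {"1.3.6.1.4.1.311.20.2.2"}, "ra_signatures": 1, "enroll_allowed": {"PKI Admins"}},
    {"name": "Legacy-Unpublished", "published": False, "name_flags": 0x1, "enroll_flags": 0x0,
     "ekus": set(), "ra_signatures": 0, "enroll_allowed": {"Authenticated Users"}},
]


def allows_authentication(template):
    """An empty EKU set is treated as 'any purpose', which includes logon."""
    return not template["ekus"] or bool(template["ekus"] & AUTH_EKUS)


def audit_template(template):
    """Return the list of conditions that together make this template dangerous,
    or an empty list if any single safeguard breaks the chain."""
    if not template["published"]:
        return []
    if not template["name_flags"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        return []
    if not allows_authentication(template):
        return []
    if template["enroll_flags"] & CT_FLAG_PEND_ALL_REQUESTS:
        return []
    if template["ra_signatures"] > 0:
        return []
    exposed = template["enroll_allowed"] & LOW_PRIV_PRINCIPALS
    if not exposed:
        return []
    return [
        "requester supplies the certificate subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)",
        "certificate usable for authentication: " + (", ".join(sorted(template["ekus"])) or "no EKU restriction"),
        "no manager approval and no authorised signatures required",
        "enrollment allowed for " + ", ".join(sorted(exposed)),
    ]


def audit(templates):
    """Map template name -> reasons, for every template that fails the audit."""
    return {t["name"]: reasons for t in templates if (reasons := audit_template(t))}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}:")
        for r in reasons:
            print(f"  - {r}")
```

Each check mirrors one remediation: take the subject from Active Directory instead of the requester, drop logon EKUs from templates that do not need them, require CA manager approval or an authorised signature, or restrict enrollment to the group that actually needs the template. Fixing any one of them is enough to make the template drop out of the report, which the test below confirms for the approval flag.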
“This campaign highlights the importance of implementing a culture of cybersecurity that goes beyond relying on first line preventative controls,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel. “Controls like [network] segmentation, proactive system and application hardening, and restricting users’ access to only what’s necessary for their job functions make an attacker’s job much more difficult. In-depth monitoring for suspicious activities and threat hunting likewise increases the chances an attacker can be quickly detected and eradicated by the incident response team before widespread damage can be done.”