Researchers observed APT29 using phishing emails to target German political parties with a new backdoor variant in late February 2024.
The campaign marks the first time that APT29 - a threat group that various governments have linked to Russia's Foreign Intelligence Service (SVR) and that is known for the SolarWinds supply-chain compromise - has been found targeting political parties, although it has long targeted diplomatic missions. Researchers with Mandiant said on Friday that the campaign could signal a broader shift in the group's operational focus across Western targets, particularly given the SVR's interest in understanding Western political dynamics around Ukraine and other foreign policy issues.
“Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum,” said Luke Jenkins and Dan Black with Mandiant in an analysis of the attack.
The group's phishing emails purported to be an invitation to a dinner reception in March and carried the logo of a major German political party, the Christian Democratic Union (CDU). They contained a link that led victims to a malicious ZIP file holding a first-stage dropper. The dropper displayed a second-stage decoy document (also CDU-themed) to keep the victim from becoming suspicious and, in the background, retrieved the new backdoor variant, which Mandiant tracks as WineLoader.
The malware, first observed in January in a campaign against diplomatic entities in Czechia, Germany, India, Italy, Latvia and Peru, shares several features with other malware families used by APT29, which researchers say points to a common developer.
In this campaign, Mandiant researchers did not recover any tasking sent by the operators to the malware. Zscaler researchers, who analyzed WineLoader separately, reported that it supports a persistence command which configures a Run registry key on the compromised host, so the backdoor relaunches at user logon.
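Run-key persistence of the kind Zscaler describes leaves a registry write that endpoint telemetry can see. The following triage logic is an added example, not code from Mandiant, Zscaler or the WineLoader authors: it scans Sysmon Event ID 13 (RegistryEvent, Value Set) records for new autostart entries and flags those whose value or writing process points into a user-writable directory or launches a proxy-execution host such as rundll32. The sample records are constructed; the field names follow Sysmon's EID 13 schema, but every path, hostname and value name is invented.

```python
"""Triage Sysmon Event ID 13 records for suspicious Run-key persistence.

Added example; not part of the Mandiant or Zscaler reporting. The heuristics
are generic: a legitimate installer normally registers an autostart entry from
Program Files, while droppers tend to autostart something under AppData, Temp
or ProgramData, often via a living-off-the-land binary.
"""
import re
from dataclasses import dataclass

# Autostart locations this check cares about (HKLM and HKCU/HKU variants).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\",
    re.IGNORECASE,
)
# Directories an unprivileged user can write to; legitimate autostart entries rarely live here.
SUSPECT_DIR_RE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Temp|ProgramData|Downloads|Public)\\",
    re.IGNORECASE,
)
# Hosts that will load an arbitrary DLL or script named in the value data.
PROXY_HOST_RE = re.compile(
    r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell)(\.exe)?\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    hostname: str
    image: str       # process that wrote the value
    target: str      # full registry path of the value
    details: str     # value data (the command that will run at logon)
    reasons: tuple


def triage_run_key_event(ev: dict):
    """Return a Finding if one Sysmon EID 13 record (as a dict) looks like
    suspicious Run-key persistence, otherwise None."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None
    details = ev.get("Details", "")
    image = ev.get("Image", "")
    reasons = []
    if SUSPECT_DIR_RE.search(details):
        reasons.append("autostart value points into a user-writable directory")
    if PROXY_HOST_RE.search(details):
        reasons.append("autostart value launches a proxy-execution host")
    if SUSPECT_DIR_RE.search(image):
        reasons.append("writing process itself runs from a user-writable directory")
    if not reasons:
        return None
    return Finding(ev.get("Computer", "?"), image, target, details, tuple(reasons))


def triage(events):
    """Run the check over an iterable of records and return the findings."""
    return [f for f in (triage_run_key_event(e) for e in events) if f is not None]


# Constructed sample records: Sysmon EID 13 field names, invented values.
SAMPLE_EVENTS = [
    {   # dropper in Temp registers a DLL under AppData to be loaded by rundll32 at logon
        "EventID": 13, "Computer": "WS-0042",
        "Image": r"C:\Users\alice\AppData\Local\Temp\invite\dropper.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"rundll32.exe C:\Users\alice\AppData\Roaming\helper.dll,#1",
    },
    {   # ordinary vendor installer adding a tray application: a Run key, but benign-looking
        "EventID": 13, "Computer": "WS-0042",
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
        "Details": r'"C:\Program Files\Vendor\tray.exe" /background',
    },
    {   # unrelated registry write: not an autostart key at all
        "EventID": 13, "Computer": "WS-0042",
        "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.hostname}] {f.target}\n    data: {f.details}\n    by:   {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

Only the first record is flagged; the vendor installer writes a Run key too but neither its image nor its value data trips a heuristic. In production the same logic would run over events exported from the Sysmon channel (or the equivalent EDR registry telemetry) rather than an inline list, and any hit should be paired with the process-creation event of the writing image to recover the delivery chain.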
“WINELOADER communicates using HTTP GET requests using a user agent contained within the resource,” said Jenkins and Black. “Each packet to the C2 server contains a random size registration packet; this packet contains environment information like the victim’s username/device name, the process name and some information that could be used by the actor to determine whether the compromised system is a valid target (parent process path, etc.). The response from the C2 server can task the WINELOADER to execute a new module (either within the same process, or via process injection) and to update the sleep timer.”
APT29, which Mandiant has tracked since 2014, has a history of espionage and supply-chain attacks; its victims in the past few months have included Microsoft and HPE. Because the group has relied on phishing and brute-force techniques for initial access, researchers pointed to the mitigations the UK National Cyber Security Centre has previously published for this actor, including multi-factor authentication and strong, unique passwords. The possible shift in targeting is nonetheless something for governments to watch, particularly with elections scheduled this year in at least 64 countries.
“The first-stage malware’s expanded use to target German political parties is a noted departure from the typical diplomatic focus of this APT29 subcluster, and almost certainly reflects the SVR’s interest in gleaning information from political parties and other aspects of civil society that could advance Moscow’s geopolitical interests,” said Jenkins and Black.