Cozy Bear APT, the hackers that target various embassies

November 22, 2023
Tags: Cozy Bear APT, Hackers, Embassies, Ukraine, Threat Intelligence

A recent cyber-espionage campaign by the Russian state-sponsored hackers called Cozy Bear APT targeted embassies and international organisations.

According to the Ukrainian National Cyber Security Coordination Center (NCSCC), the Cozy Bear attacks have ties to Russia’s Foreign Intelligence Service (SVR), and the group is notorious for conducting intelligence-gathering campaigns to acquire political and economic information globally.

A couple of months ago, the campaign aimed primarily at breaching embassy entities across various countries, such as Azerbaijan, Greece, Romania, and Italy. Among the victims was Otenet, a Greek internet provider.

These attacks have also impacted diplomatic accounts, especially those associated with the foreign affairs ministries in Azerbaijan and Italy. The campaigns indicate that the attackers have a potential interest in gathering strategic information, mainly related to the Azerbaijani invasion of the Nagorno-Karabakh region.

The Cozy Bear APT has been employing the same tactic for every attack.

Cozy Bear APT has employed tactics and tools similar to those of its previous campaigns, including its most recent operations against embassies in Kyiv. The NCSCC revealed that the group targeted over 200 email addresses during this campaign, but the number of successful attacks remains uncertain.

However, their most recent campaign leveraged a recently discovered vulnerability in the Windows file archiver tool WinRAR, CVE-2023-3883. This flaw remains a significant threat since it could allow attackers to run arbitrary code through specially crafted ZIP archives.

Reports claimed that the Cozy Bear operators sent phishing emails containing links to malicious PDF documents and ZIP files, exploiting this vulnerability and potentially granting them access to infected systems.

Subsequently, the hackers crafted emails claiming to possess information about the sale of diplomatic BMW cars, a lure previously used during their attack on embassies in Kyiv to get targets to open the malicious files.

However, in this campaign, the attackers introduced a novel technique for communicating with the malicious server, using Ngrok, a legitimate tool commonly employed in web development and testing.

Ngrok allows its users to expose local servers to the internet temporarily. In this case, however, the attackers abused Ngrok’s capabilities to hide their activity, complicating security analysis and evading detection.

Using Ngrok as a communication channel has made detection more challenging for researchers, and attribution and defence against Cozy Bear’s activities correspondingly more difficult. Therefore, every industry, and especially government institutions in Ukraine, should adopt more robust security measures to keep up with the growing threats in the cybercriminal landscape.
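As an added example (not from the article or the NCSCC report), a small Python detector that flags proxy-log destinations under ngrok tunnel domains, which is one practical way for defenders to surface the kind of Ngrok-based command channel described above. The log line format and the list of tunnel suffixes are assumptions for this illustration.

```python
"""Flag outbound connections to ngrok tunnel hostnames in proxy logs.

Added example, not code from the original article. The tunnel-domain
list and the log format are assumptions made for this illustration.
"""
import re
from typing import Dict, List

# Assumed public ngrok tunnel suffixes; extend from your own threat intel.
NGROK_SUFFIXES = ("ngrok.io", "ngrok.app", "ngrok-free.app", "ngrok.dev")

# Assumed proxy log line: "<timestamp> <src_ip> <dst_host> <bytes_out>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def is_ngrok_host(host: str) -> bool:
    """True if host equals, or is a subdomain of, a known ngrok tunnel suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in NGROK_SUFFIXES)


def find_ngrok_beacons(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed records whose destination host is an ngrok tunnel."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing on them
        ts, src, host, out = m.groups()
        if is_ngrok_host(host):
            hits.append({"ts": ts, "src": src, "host": host, "bytes_out": out})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2023-11-20T09:14:02Z 10.0.5.23 update.microsoft.com 812",
    "2023-11-20T09:14:09Z 10.0.5.23 a1b2c3d4.ngrok-free.app 4096",
    "2023-11-20T09:15:11Z 10.0.5.40 www.example.org 233",
    "2023-11-20T09:16:30Z 10.0.5.23 tunnel.eu.ngrok.io 15360",
    "2023-11-20T09:17:00Z 10.0.5.41 notngrok.io 100",  # suffix match must not fire
    "garbage line",
]

if __name__ == "__main__":
    for hit in find_ngrok_beacons(SAMPLE_LOG):
        print(f"[ngrok tunnel] {hit['ts']} {hit['src']} -> {hit['host']} ({hit['bytes_out']} bytes out)")
```

Matching on the suffix with a leading dot (rather than a plain substring check) is what keeps look-alike hosts such as "notngrok.io" from producing false positives.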
