Western diplomats and government services are currently under attack. Russian hackers have launched phishing campaigns in which the perpetrators pose as embassy staff and urge the recipients, Western government services, to review 'important policy updates' as soon as possible via a rogue URL, or otherwise try to get the recipient's machine to communicate with a command and control server.
That is what cybersecurity company Mandiant writes.
This is how the hackers worked
Between January and March of this year, Mandiant's security researchers observed multiple phishing campaigns. In every case the emails appeared to come from an embassy employee. In reality they were sent by Russian hackers who had gained access to that employee's email account. Sending from a genuine embassy address was meant to win the recipients' trust.
The compromised email addresses were listed as contact points on embassy websites, Mandiant found. The hackers used HTML smuggling to deliver a disk image file (IMG or ISO). Such an image contains a Windows shortcut file (LNK) that executes a malicious DLL when the recipient double-clicks it. To hide this, the LNK file is made to look like a text document: Windows hides the .lnk extension, so a shortcut named after a document appears to be that document.
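The delivery chain above (HTML smuggling, then a shortcut pretending to be a document) leaves two things a defender can check for. The following Python script is an added example, not code from the article or from Mandiant: it scans an HTML file for the JavaScript calls that HTML smuggling relies on, decodes any large base64 blob it finds, and recognises a Windows shortcut by its fixed header rather than by its file name. The sample HTML and the payload bytes are constructed here for illustration; the shortcut "payload" is only a valid LNK header followed by padding, so nothing in it is executable.

```python
"""Detection helpers for the HTML smuggling -> LNK delivery chain (added example)."""
import base64
import re

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Extensions a disguised shortcut typically borrows, e.g. "report.txt.lnk".
DOC_EXTS = (".txt", ".doc", ".docx", ".pdf", ".rtf")

# JavaScript idioms that HTML smuggling needs: decode a base64 string in the
# browser, wrap it in a Blob, and hand it to the user as a file download.
SMUGGLING_PATTERNS = [
    re.compile(r"atob\s*\("),                        # base64 decode in JS
    re.compile(r"new\s+Blob\s*\("),                  # build the file in memory
    re.compile(r"URL\.createObjectURL\s*\("),        # turn it into a download URL
    re.compile(r"msSaveOrOpenBlob|\.download\s*="),  # trigger the save dialog
]
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
DOWNLOAD_NAME = re.compile(r"""\.download\s*=\s*['"]([^'"]+)['"]""")


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with the Shell Link header, whatever the name says."""
    return data[:20] == LNK_HEADER


def masquerading_lnk(name: str, data: bytes) -> bool:
    """A real LNK whose visible name claims to be a document.

    Windows hides the .lnk suffix, so "policy.txt.lnk" shows up as "policy.txt".
    """
    stem = name.lower()
    if stem.endswith(".lnk"):
        stem = stem[:-4]
    return is_lnk(data) and stem.endswith(DOC_EXTS)


def scan_html(html: str) -> dict:
    """Report HTML smuggling indicators and inspect any embedded base64 payload."""
    hits = [p.pattern for p in SMUGGLING_PATTERNS if p.search(html)]
    blobs = BASE64_BLOB.findall(html)
    payloads = []
    for blob in blobs:
        try:
            payloads.append(base64.b64decode(blob, validate=True))
        except ValueError:
            continue  # not actually base64, ignore it
    return {
        "smuggling_hits": hits,
        "blob_count": len(blobs),
        "lnk_payloads": sum(1 for p in payloads if is_lnk(p)),
        "download_names": DOWNLOAD_NAME.findall(html),
        # Three of the four idioms plus a large blob is a strong signal.
        "suspicious": len(hits) >= 3 and bool(blobs),
    }


# --- Constructed sample input (not a real lure) ------------------------------
FAKE_LNK = LNK_HEADER + b"\x00" * 200  # header only, padded to exceed the blob threshold

SAMPLE_HTML = f"""<html><body>
<p>Please review the attached policy update.</p>
<script>
var data = "{base64.b64encode(FAKE_LNK).decode()}";
var bin = atob(data);
var arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'policy_update.iso';
a.click();
</script></body></html>"""


if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print(masquerading_lnk("policy_update.txt.lnk", FAKE_LNK))
```

In practice the smuggled blob is a disk image rather than a bare shortcut, so a full scanner would also mount or parse the IMG/ISO and run `masquerading_lnk` over every file inside it; the header check is what matters, because the attacker controls the file name and the extension the user sees.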
Once activated, the malware uses Trello as its command and control channel. With this connection established, the hackers can spy on their target undetected: taking screenshots, capturing credentials with a keylogger, monitoring network activity and enabling a proxy server mode, among other things.
APT29 responsible for the cyber attack
Once the hackers have infiltrated a system, they can gain access to files and accounts that are normally out of