European Governments Targeted in Russian Espionage Campaign

A Russian intelligence hacking campaign actively targeted European diplomats and think tanks as part of an espionage operation that lasted nearly six months.

Researchers at Recorded Future first uncovered the campaign in January and disclosed its findings in a Thursday report. The U.S. federal government in 2021 linked the threat group, widely known as CozyBear or APT29, to the Russian Foreign Intelligence Service. Recorded Future tracks the group as BlueBravo.

The researchers said hackers had designed the campaign to target diplomatic and foreign policy institutions across Eastern Europe. The campaign, which remained active through June, mainly used spear-phishing emails that appeared to come from embassies across Eastern European nations and invited targeted individuals to take part in an event.

The hacking began once the victims enabled malicious macros embedded within the phishing emails. The hackers deployed updated versions of three custom malware apps – dubbed QuarterRig, GraphicalNeutrino and GraphicalProton – to exfiltrate sensitive data.

One characteristic of APT29 is how it blends in malicious traffic with legitimate traffic in order to evade detection. A newly spotted sample of GraphicalProton also used Microsoft’s OneDrive for command and control.

In the case of GraphicalNeutrino, the researchers said, hackers used advanced capabilities such as sandbox evasion and API unhooking to prevent detection. The malware also used the note-taking web application Notion for C2 communication.

In April, the Polish CERT and Military Counterintelligence Service warned of an APT29 campaign that had used that used EnvyScout malware to target diplomats associated with NATO and the European Union (see: Russian APT Hackers Actively Targeting European NATO Allies).

Based on the group’s activities, Recorded Future researchers estimate BlueBravo will continue to upgrade its malware’s capabilities as part of espionage campaigns across Europe.