Russian cyber spies target govt agencies in EU that assist Ukraine

The Russia-linked threat actor Nobelium has been observed targeting diplomatic entities and government agencies in European Union countries that are aiding Ukrainian citizens and providing help to the country’s government.

Nobelium (aka APT29, Cozy Bear, The Dukes, StellarParticle, UNC2452, and Dark Halo) is a military hacking unit linked to the Russian government. Nobelium is believed to be the group behind the massive SolarWinds supply-chain attack that led to the compromise of several US federal agencies.

The threat actor has historically targeted government organizations, non-governmental organizations, think tanks, military, IT service providers, health technology and research, and telecommunications providers. The group’s arsenal includes a variety of tactics to conduct credential theft, as well as sophisticated malware and tools, such as SUNBURST backdoor, TEARDROP, GoldMax, GoldFinder, and Sibot malware.

The recent Nobelium campaign, spotted by BlackBerry researchers in March 2023, involved phishing emails purportedly sent by the European Commission and Poland’s Ministry of Foreign Affairs. The malicious emails contained a weaponized document with a link leading to the download of an HTML file. The weaponized URLs were hosted on a legitimate online library website based in El Salvador, which the threat actor is believed to have compromised between the end of January and the beginning of February.

The threat actor has been observed using multiple legitimate systems, including LegisWrite and eTrustEx, which the EU nations use for information exchange and secure data transfer.

“Using a compromised legitimate server to host the packed malware payload increases the chances of a successful installation on the victims’ machines,” BlackBerry noted.

An analysis of the malicious HTML file revealed that it was a version of Nobelium’s malicious dropper known as ROOTSAW/EnvyScout. It uses a technique known as HTML smuggling to deliver an IMG or ISO file to the victim’s system. The HTML file drops two “.iso” files on the system, each of which contains two files.
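HTML smuggling, as described above, keeps the payload inside the HTML document itself, rebuilds it in the browser and triggers a download of a container such as .iso or .img, so no file is fetched from the network that a gateway could inspect. The following scanner is an added example and is not BlackBerry's code or a sample from the campaign: it scores an HTML file on the indicators that technique leaves behind (Blob construction, object URLs, base64 decoding, a download name ending in .iso/.img, a long embedded base64 literal). The two sample documents are constructed fragments carrying only placeholder data; the base64 literal is not a real image or payload, and the scoring weights and threshold are assumptions to tune against your own mail flow.

```python
import re
import base64
from dataclasses import dataclass, field

# Indicators that an HTML page assembles a file in the browser rather than
# linking to one on a server.
BLOB_PATTERNS = [
    r"new\s+Blob\s*\(",
    r"URL\.createObjectURL\s*\(",
    r"msSaveOrOpenBlob\s*\(",
]
# A download target named like a disk-image container (.iso / .img), either as
# an HTML attribute or as a script assignment to the anchor's download property.
CONTAINER_EXT = re.compile(r"""download\s*=\s*["']?[^"'>\s]+\.(iso|img)\b""", re.I)
# A quoted base64 literal long enough to plausibly carry an embedded file.
BASE64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=]{64,})["']""")
ATOB = re.compile(r"\batob\s*\(")


@dataclass
class Finding:
    score: int
    reasons: list = field(default_factory=list)


def scan_html(text: str) -> Finding:
    """Score an HTML document on HTML-smuggling indicators (weights are assumptions)."""
    f = Finding(score=0)
    for pat in BLOB_PATTERNS:
        if re.search(pat, text):
            f.score += 2
            f.reasons.append(f"in-browser blob construction: {pat}")
    m = CONTAINER_EXT.search(text)
    if m:
        f.score += 3
        f.reasons.append(f"download of container file: .{m.group(1).lower()}")
    if ATOB.search(text):
        f.score += 1
        f.reasons.append("base64 decoding in script (atob)")
    for literal in BASE64_LITERAL.findall(text):
        try:
            base64.b64decode(literal, validate=True)
        except Exception:
            continue  # looks base64-ish but is not; ignore
        f.score += 2
        f.reasons.append(f"embedded base64 literal of {len(literal)} chars")
        break  # one valid literal is enough for the score
    return f


def is_suspicious(text: str, threshold: int = 5) -> bool:
    return scan_html(text).score >= threshold


# Constructed placeholder literal: 60 bytes of 'X', not a real image or payload.
PLACEHOLDER_B64 = base64.b64encode(b"X" * 60).decode()

# Constructed fragment carrying the indicators this scanner looks for.
SUSPICIOUS_HTML = f"""<script>
var b64 = "{PLACEHOLDER_B64}";
var blob = new Blob([Uint8Array.from(atob(b64), c => c.charCodeAt(0))]);
var link = document.createElement("a");
link.href = URL.createObjectURL(blob);
link.download = "attachment.iso";
</script>"""

# Constructed benign page: an ordinary server-hosted download, no script.
BENIGN_HTML = """<html><body>
<p>Quarterly report</p>
<a href="/files/report.pdf" download="report.pdf">Download PDF</a>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        finding = scan_html(doc)
        print(name, finding.score, finding.reasons)
```

The container-extension check carries the highest weight because a browser-assembled .iso or .img is rarely legitimate in mail, whereas Blob and atob usage alone are common in ordinary web applications; a mail gateway would run this on HTML attachments and on HTML fetched from links in the message, and treat a high score as a reason to detonate the file rather than deliver it.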

One of the files is BugSplatRc64.dll, which is designed to collect and exfiltrate information about the infected system. This information is then used to create the victim’s unique identifier, which it then sends to the command-and-control (C2) server, Notion. Every minute, BugSplatRc64.dll connects to the Notion server, waiting for the next payload. If successful, the payload is executed as shellcode in the memory of its process.
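A C2 channel on a legitimate SaaS service such as Notion defeats domain-reputation blocking, but the once-a-minute check-in described above still stands out in proxy logs as a near-constant cadence. The following beacon detector is an added example, not BlackBerry's code: it groups proxy events by (source host, destination), computes the gaps between consecutive connections and flags pairs whose gaps are nearly identical (low coefficient of variation). The log lines are constructed; the hostname api.notion.com is assumed here as the Notion endpoint and is not an indicator from the report, and the thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (timestamp, source host, destination host).
# ws-017 connects to the Notion endpoint every ~60 s; ws-042 connects at
# irregular, human-looking intervals.
LOG_LINES = """\
2023-03-14T09:00:02Z ws-017 api.notion.com
2023-03-14T09:00:31Z ws-017 cdn.example.org
2023-03-14T09:01:02Z ws-017 api.notion.com
2023-03-14T09:02:02Z ws-017 api.notion.com
2023-03-14T09:03:03Z ws-017 api.notion.com
2023-03-14T09:04:02Z ws-017 api.notion.com
2023-03-14T09:05:02Z ws-017 api.notion.com
2023-03-14T09:00:10Z ws-042 api.notion.com
2023-03-14T09:07:45Z ws-042 api.notion.com
2023-03-14T09:21:03Z ws-042 api.notion.com
2023-03-14T09:22:30Z ws-042 api.notion.com
2023-03-14T09:40:12Z ws-042 api.notion.com
2023-03-14T09:55:00Z ws-042 api.notion.com
"""


def parse_events(lines: str) -> dict:
    """Group connection timestamps by (source host, destination)."""
    events = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        events[(host, dest)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def beacon_candidates(lines: str, min_events: int = 5, max_cv: float = 0.1) -> list:
    """Return (host, dest, mean_interval_s, cv) for pairs with machine-like cadence.

    min_events and max_cv are assumed thresholds: require enough samples to
    judge, and flag only when the gaps vary by at most ~10% of their mean.
    """
    flagged = []
    for (host, dest), times in parse_events(lines).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # coefficient of variation
        if cv <= max_cv:
            flagged.append((host, dest, round(mean), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    for host, dest, mean_s, cv in beacon_candidates(LOG_LINES):
        print(f"{host} -> {dest}: every ~{mean_s}s (cv={cv})")
```

Real implants add jitter, so in production the variation threshold is loosened and combined with other signals (first-seen destination for the host, requests without a referrer, a user agent that no browser on the host uses); the cadence check is the cheap first filter that turns a permitted SaaS domain into a lead worth triaging.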

“Nobelium actively collects intelligence information about the countries supporting Ukraine in the Russian-Ukraine war. The overlap between Poland's Ambassador’s visit to the United States with the lure used in the attacks provides evidence that the threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection,” BlackBerry notes.
