Security researchers at Mandiant have warned that APT29, the Russian hacking group attributed to the country's foreign intelligence service (SVR), has begun targeting political parties in Germany. This marks a potential shift in operational focus beyond the group's usual diplomatic targets. The attack uses multi-stage malware delivered through phishing emails that impersonate a dinner reception invitation from the Christian Democratic Union (CDU), a major German political party. Recipients are lured to a malicious ZIP archive containing a dropper known as Rootsaw, which in turn installs the Wineloader backdoor. Wineloader had previously been observed in attacks on diplomatic entities; this is its first known use against political parties. Mandiant researchers noted the adaptability of APT29's malware delivery operations and warned that European and Western political parties should expect continued targeting. Beyond phishing, APT29 has used tactics such as subverting cloud-based authentication and password spraying in its campaigns against Western targets. APT29, also tracked as Cozy Bear, the Dukes, and Nobelium, has been publicly linked to several high-profile intrusions, including the SolarWinds supply chain attack disclosed in 2020.
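The password spraying mentioned above is one of the few APT29 tactics in this summary that defenders can detect directly from sign-in telemetry. The following is an added illustration, not code from Mandiant or from the SecurityWeek article: it runs a minimal spray detector over constructed sign-in log lines (the log format, IP addresses, usernames and thresholds are all assumptions made for the example). The distinguishing signal is one source address failing against many distinct accounts in a short window, as opposed to many failures against one account, which is ordinary brute forcing.

```python
"""
Added example (not from the SecurityWeek/Mandiant reporting): a minimal
password-spray detector run over constructed sign-in events.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events, not real telemetry. Assumed line format:
# "<ISO-8601 UTC timestamp> <source_ip> <user> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2024-03-22T08:00:01Z 203.0.113.7 a.schmidt FAILURE
2024-03-22T08:00:09Z 203.0.113.7 b.mueller FAILURE
2024-03-22T08:00:17Z 203.0.113.7 c.weber FAILURE
2024-03-22T08:00:25Z 203.0.113.7 d.fischer FAILURE
2024-03-22T08:00:33Z 203.0.113.7 e.wagner FAILURE
2024-03-22T08:00:41Z 203.0.113.7 f.becker SUCCESS
2024-03-22T08:05:00Z 198.51.100.4 a.schmidt FAILURE
2024-03-22T08:05:30Z 198.51.100.4 a.schmidt FAILURE
2024-03-22T08:06:00Z 198.51.100.4 a.schmidt SUCCESS
2024-03-22T09:30:00Z 192.0.2.9 g.hoffmann FAILURE
"""


def parse_events(text):
    """Parse the assumed log format into a time-ordered list of
    (timestamp, source_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, user, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: details} for every source IP that produced failed
    logins against at least `min_accounts` distinct accounts inside any
    `window`-long sliding interval. A success from that IP after the
    threshold was crossed is recorded as a likely compromised account."""
    recent = {}   # source_ip -> deque of (timestamp, user) failures in the window
    alerts = {}
    for ts, ip, user, result in events:
        if result == "FAILURE":
            q = recent.setdefault(ip, deque())
            q.append((ts, user))
            # Drop failures that have aged out of the sliding window.
            while q and ts - q[0][0] > window:
                q.popleft()
            distinct = {u for _, u in q}
            if len(distinct) >= min_accounts:
                alert = alerts.setdefault(ip, {
                    "first_seen": q[0][0],
                    "last_seen": ts,
                    "distinct_accounts": 0,
                    "successes_after_spray": [],
                })
                alert["last_seen"] = ts
                alert["distinct_accounts"] = max(alert["distinct_accounts"], len(distinct))
        elif result == "SUCCESS" and ip in alerts:
            # A successful sign-in from a source already flagged as spraying
            # points at the account whose password was guessed.
            alerts[ip]["successes_after_spray"].append(user)
    return alerts


if __name__ == "__main__":
    for ip, details in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(ip, details)
```

In the constructed data, 203.0.113.7 fails against five distinct accounts within forty seconds and then succeeds as f.becker, so it is flagged and that account is marked for forced credential reset and session revocation. 198.51.100.4 fails three times against a single account and is not flagged, since that pattern is brute forcing or a user mistyping rather than a spray. In production the same logic would be applied to identity-provider sign-in logs, and the window and threshold tuned against the organisation's normal failure rate.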
Read more: https://www.securityweek.com/russian-apt29-hackers-caught-targeting-german-political-parties/