Poland Accuses Russian Military Hackers of Targeting Its Government Networks

May 9, 2024

Poland has reported that a state-sponsored threat group connected to Russia's military intelligence service, known as the GRU, has been perpetrating cyberattacks on Polish government institutions throughout the week. These allegations were made based on the findings of CSIRT MON, Poland's Computer Security Incident Response Team, and CERT Polska, the Polish computer emergency response team. The threat actors, identified as Russian APT28 state hackers, reportedly launched a large-scale phishing campaign, targeting multiple government institutions.

The phishing emails were designed to lure recipients into clicking an embedded link, under the pretense of providing more information about a 'mysterious Ukrainian woman' who was allegedly selling 'used underwear' to high-ranking officials in Poland and Ukraine. Upon clicking the link, the users were redirected through multiple websites, which ultimately led to a page that downloaded a ZIP archive. This archive contained a malicious executable disguised as a JPG image file, along with two hidden files: a DLL and a .BAT script.

When the disguised executable file was opened, it loaded the DLL via DLL side-loading, which in turn ran the hidden script. This script displayed a photo of a woman in a swimsuit in the Microsoft Edge browser, serving as a distraction while it simultaneously downloaded a CMD file and changed its extension to JPG. CERT Polska explained, 'The script we finally received collects only information about the computer (IP address and list of files in selected folders) on which it was launched, and then sends it to the C2 server. Probably computers of the victims selected by the attackers receive a different set of the endpoint scripts.'
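A defender-side check for the archive layout described above, added here as an example and not part of the original report or CERT Polska's tooling: it scans a ZIP for an image-named file whose first bytes are a Windows PE header and for DLL or batch files carrying the MS-DOS hidden attribute beside it. The file names and contents in the sample archives are constructed for the demonstration.

```python
"""Scan a ZIP archive for the lure layout described above:
an executable disguised as a JPG next to hidden DLL/BAT helpers."""
import io
import zipfile

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
HELPER_EXTS = (".dll", ".bat", ".cmd")
DOS_HIDDEN = 0x02  # MS-DOS hidden attribute bit in the low byte of external_attr
PE_MAGIC = b"MZ"   # every Windows PE file starts with this DOS stub signature


def inspect_archive(zip_bytes: bytes) -> list[str]:
    """Return findings for the archive; an empty list means nothing matched."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(2)  # two bytes are enough to spot a PE header
            if name.endswith(IMAGE_EXTS) and head == PE_MAGIC:
                findings.append(f"{info.filename}: PE executable with image extension")
            if name.endswith(HELPER_EXTS) and info.external_attr & DOS_HIDDEN:
                findings.append(f"{info.filename}: hidden DLL/script beside the lure")
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive mimicking the described layout (not the attacker's file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", PE_MAGIC + b"\x90" * 62)  # fake PE stub, not runnable
        for helper in ("loader.dll", "run.bat"):
            zi = zipfile.ZipInfo(helper)
            zi.create_system = 0          # MS-DOS origin, so the attribute byte applies
            zi.external_attr = DOS_HIDDEN
            zf.writestr(zi, b"placeholder")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign archive: a JPEG header and no hidden helper files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_archive(build_sample_archive()):
        print(line)
```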

The tactics and infrastructure used in these attacks closely resemble those used in another targeted campaign, in which APT28 operatives used the Israel-Hamas war as a lure to backdoor devices of officials from 13 nations, including United Nations Human Rights Council members, with Headlace malware. APT28 has been active since the mid-2000s and has been linked to many high-profile cyberattacks, including those surrounding the 2016 U.S. Presidential Election and the 2015 breach of the German Federal Parliament.

In addition to these allegations, NATO and the European Union, along with international partners, have condemned a long-term APT28 cyber espionage campaign targeting several European countries. The attackers reportedly exploited the CVE-2023-23397 Microsoft Outlook vulnerability in these attacks, a security flaw that was also used to target NATO members in Europe, Ukrainian government agencies, and NATO fast reaction corps starting in April 2022. The U.S. State Department stated, 'We call on Russia to stop this malicious activity and abide by its international commitments and obligations. With the EU and our NATO Allies, we will continue to take action to disrupt Russia's cyber activities, protect our citizens and foreign partners, and hold malicious actors accountable.'
