
WARSAW, Apr 13. The Polish Military Counterintelligence Service (SKW) and the CERT cybersecurity group have accused the Russian intelligence services of hacking to collect information from foreign ministries and embassies of various EU countries.
«The Polish group CERT and the Military Counterintelligence Service noticed the conduct of a spy campaign related to the actions of the Russian special services. The purpose of the campaign was to illegally collect information from foreign ministries and diplomatic missions, most of which are located in NATO and the European Union,» the CERT message says.
It is noted that many elements of this activity, «such as the infrastructure, methods and tools used, partially or completely coincide with the activities of the group described in the past, which Microsoft calls NOBELIUM, and Mandiant — APT29.»
According to the Polish side's statement, the espionage group is «associated, among other things, with a group called SOLARWINDS, the SUNBURST, ENVYSCOUT and BOOMBOX tools, as well as numerous other campaigns of an intelligence nature.»
«However, the actions discovered and described by CERT and SKW differ from previous ones by using unique, previously not publicly marked software. New tools were used in parallel and independently of each other or sequentially, replacing old solutions, the effectiveness of which was declining. This allowed maintaining the continuity of actions», the message says.
It is especially emphasized that at the time of publication of the message «the campaign carried out by the Russian intelligence group is not only ongoing, but also has the character of development.»
The report says that a phishing technique was used in all observed cases. Selected employees of diplomatic missions were sent emails masquerading as messages from embassies of European countries. The correspondence contained an invitation to a meeting or to collaborate on documents. A link in the body of the message, or in an attached PDF document, purported to point to the ambassador's calendar with meeting details or to a downloadable file. In fact, the link activated malicious software.
Therefore, CERT and SKW recommend that «all entities that may be in the area of interest of this group, introduce mechanisms aimed at improving the security of information systems used and increasing the level of attack detection.»
The West has repeatedly accused the Russian Federation of interfering in internal affairs and cyberattacks. Russia denied all accusations, saying that the Western countries did not provide any evidence. Moscow has repeatedly stated that it is ready for a dialogue on cybersecurity. China also denied involvement in cyber attacks, calling such accusations a political farce.

