Russian Cozy Bear Group Targets German Politicians

Security researchers have warned Western political parties to be on their guard after uncovering a new cyber-espionage campaign from Russian actors APT29.

Thought to be part of Russia's Foreign Intelligence Service (SVR), the group (aka Cozy Bear, Nobelium) has historically focused on diplomatic targets, but was also linked to raids on COVID-19 vaccine developers and the infamous SolarWinds campaign.

However, since February 2024 it has been conducting a phishing campaign against German political parties, according to Mandiant.

Victims received an email spoofed to appear as if sent by the Christian Democratic Union (CDU) party inviting them to a dinner reception on March 1. The link contained within directed victims to a malicious ZIP file containing a “Rootsaw” dropper hosted on an actor-controlled compromised website.

Rootsaw (aka EnvyScout) is a first-stage payload commonly used by APT29. This in turn delivered a new backdoor variant dubbed “Wineloader.” This was first spotted in late January 2024 in an operation targeting diplomatic entities in Czechia, Germany, India, Italy, Latvia and Peru, Mandiant said.

Wineloader contains several features consistent with other APT29 malware families such as Burnbatter, Muskybeat and Beatdrop, indicating a common developer, the report claimed.

“Rootsaw continues to be the central component of APT29’s initial access efforts to collect foreign political intelligence,” Mandiant continued.

“The first-stage malware’s expanded use to target German political parties is a noted departure from the typical diplomatic focus of this APT29 subcluster, and almost certainly reflects the SVR’s interest in gleaning information from political parties and other aspects of civil society that could advance Moscow’s geopolitical interests.”

The report warned that APT29’s malware operations are “highly adaptive” and designed to move in lockstep with the Kremlin’s geopolitical objectives.

“We therefore suspect that APT29’s interest in these organizations is unlikely to be limited to Germany,” it added.

“Western political parties and their associated bodies from across the political spectrum are likely also possible targets for future SVR-linked cyber-espionage activity given Moscow’s vital interest in understanding changing Western political dynamics related to Ukraine and other flashpoint foreign policy issues.”