Phishing emails aimed at stealing political intelligence were sent by the hacking group APT29, which Western intelligence agencies allege has ties to Russian spy services. The emails purported to be an invitation to a March 1 dinner reception and bore the logo of the Christian Democratic Union, a major center-right political party in Germany.
Google Mandiant researchers said in a March 22 blog post that the campaign was significant because it was the first time they had observed this APT29 "cluster," which they attribute to Russia's Foreign Intelligence Service (SVR), target political parties to collect foreign political intelligence. They added that it was "unlikely" that APT29's interest in political parties was limited to Germany.
“Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum,” the Google Mandiant researchers said, adding that the SVR-linked cyber espionage activity aimed to help Russia better understand changing Western political dynamics related to the Ukraine war and other global flashpoints.
Russian President Vladimir Putin reportedly said late last year that relations between Germany and Russia were frozen, presumably because Germany has provided aid to Ukraine in its war with Russia.
Consistent with APT29 operations dating back to 2021, the researchers said, this campaign used the group's first-stage payload, ROOTSAW, to deliver a new backdoor variant publicly tracked as WINELOADER.
“APT29 is Russia's SVR and is a considerable threat outside of Germany,” said Tom Hegel, principal threat researcher at SentinelLabs. “They have a history of targeting across all of Europe and NATO member countries. Generally, they are not tied too closely with critical infrastructure targeting, but rather strategic intelligence collection objectives. This results in them most commonly being observed targeting political organizations, think tanks, science research organizations, and NGOs.”
Sarah Jones, cyber threat analyst at Critical Start, explained that APT29, also known by aliases such as "Cozy Bear" and "The Dukes," is a highly skilled hacking group believed to be backed by Russia's SVR intelligence agency. Since at least 2008, Jones said, they've been a persistent threat, actively targeting governments, diplomatic organizations, research institutions, and critical industries. Jones said their methods involve sending phishing emails laced with malicious attachments to trick victims into installing malware. They also exploit weaknesses in software to gain unauthorized access to systems.
"APT29's primary goal is espionage, potentially aiming to steal sensitive information that could influence geopolitical events in Russia's favor," said Jones. "APT29's ability to constantly adapt their tactics makes them a dangerous threat. Staying informed about their latest techniques and remaining vigilant about suspicious emails and software vulnerabilities are crucial steps in defending against APT29's cyberattacks."
David Ratner, chief executive officer at HYAS, added that these types of attacks from APT29 won't stop in Germany: they will be used to influence politics and infect political parties around the world, and likely already are.
“Cyber resiliency approaches to protect organizations from breaches aren't just for critical infrastructure,” said Ratner. “In fact, the focus on and infection of political organizations highlights how broadly we need to think about cyber protection. Every organization needs to assume they are a target, and possibly have been breached, and need to ensure that they can detect the telltale signs of an active breach and ensure it is shut down in real time. Damage may not be simply monetary; these attacks demonstrate how cyber resiliency is critical to protect democracy itself and the lives of global citizens.”