Recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures have been linked to a hacking group with ties to Russia’s Foreign Intelligence Service (SVR). The attackers used a backdoor called WINELOADER, which was also involved in breaching SolarWinds and Microsoft.
Researchers identified Midnight Blizzard (also known as APT29, BlueBravo, or Cozy Bear) as the group behind the attacks. They targeted German political parties, using phishing emails that featured a logo from the Christian Democratic Union (CDU).
“This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions,” said researchers.
The WINELOADER backdoor was initially disclosed as part of a cyber espionage campaign believed to have started in July 2023. The attacks used phishing emails with German-language content, posing as invitations to a dinner reception. Clicking on a link in the email led to the download of a rogue HTML Application (HTA) file, the first-stage dropper called ROOTSAW (aka EnvyScout), which then delivered WINELOADER from a remote server.
“WINELOADER, invoked via a technique called DLL side-loading using the legitimate sqldumper.exe, comes equipped with abilities to contact an actor-controlled server and fetch additional modules for execution on the compromised hosts,” the researchers explained.
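From a detection standpoint, the chain described above has two recognisable steps: mshta.exe launching an .hta from a user-writable folder (the ROOTSAW stage), and a copy of sqldumper.exe running from, and loading a DLL out of, a directory other than its normal SQL Server install path (the side-loading stage). The following Python is an added example, not code from the original report or the researchers, that applies those heuristics to constructed process-creation and image-load events; the key=value event format, the expected sqldumper.exe location and the DLL name PLACEHOLDER.dll are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry in a simplified key=value form (not a real Sysmon
# schema); paths and the DLL name are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    r'type=ProcessCreate image=C:\Windows\System32\mshta.exe cmdline="mshta.exe C:\Users\alice\Downloads\invitation.hta"',
    r'type=ProcessCreate image=C:\Users\alice\AppData\Local\Temp\sqldumper.exe cmdline="sqldumper.exe"',
    r'type=ImageLoad image=C:\Users\alice\AppData\Local\Temp\sqldumper.exe loaded=C:\Users\alice\AppData\Local\Temp\PLACEHOLDER.dll',
    r'type=ProcessCreate image="C:\Program Files\Microsoft SQL Server\150\Shared\sqldumper.exe" cmdline="sqldumper.exe 1234"',
    r'type=ImageLoad image="C:\Program Files\Microsoft SQL Server\150\Shared\sqldumper.exe" loaded=C:\Windows\System32\kernel32.dll',
]

# Assumed locations: user-writable roots and the directory sqldumper.exe normally lives in.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
EXPECTED_SQLDUMPER_DIR = "c:\\program files\\microsoft sql server\\"


def parse_event(line):
    """Split a key=value line into a dict; values may be double-quoted to allow spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def classify(ev):
    """Return a finding string for one event, or None if it looks benign."""
    image = ev.get("image", "")
    name = PureWindowsPath(image).name.lower()
    if ev.get("type") == "ProcessCreate":
        # Stage 1 (ROOTSAW): mshta.exe running an .hta dropped into a user-writable path.
        if name == "mshta.exe":
            hta = re.search(r"(\S+\.hta)", ev.get("cmdline", ""), re.I)
            if hta and is_user_writable(hta.group(1)):
                return "mshta.exe executing .hta from user-writable path (ROOTSAW-style dropper)"
        # Stage 2 host: a copy of sqldumper.exe outside its SQL Server install directory.
        if name == "sqldumper.exe" and not image.lower().startswith(EXPECTED_SQLDUMPER_DIR):
            return "sqldumper.exe running outside SQL Server install (side-loading host)"
    elif ev.get("type") == "ImageLoad" and name == "sqldumper.exe":
        # Side-loading: the host loads a DLL from its own (user-writable) directory.
        loaded = ev.get("loaded", "")
        same_dir = PureWindowsPath(loaded).parent == PureWindowsPath(image).parent
        if same_dir and is_user_writable(loaded):
            return "sqldumper.exe loaded DLL from its own user-writable directory (DLL side-loading)"
    return None


def hunt(lines):
    # (index, finding) for every event that matches a heuristic
    return [(i, f) for i, line in enumerate(lines) if (f := classify(parse_event(line)))]
```

Legitimate sqldumper.exe runs from the SQL Server install tree and loads system DLLs, so the last two sample events produce no finding; tune the path allow-list to the install layout in your environment.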
The malware shares similarities with other known APT29 malware families like BURNTBATTER, MUSKYBEAT, and BEATDROP, indicating a common developer. WINELOADER was also used in an operation targeting diplomatic entities in the Czech Republic, Germany, India, Italy, Latvia, and Peru in late January 2024.
“The first-stage malware’s expanded use to target German political parties is a noted departure from the typical diplomatic focus of this APT29 subcluster, and almost certainly reflects the SVR’s interest in gleaning information from political parties and other aspects of civil society that could advance Moscow’s geopolitical interests,” the company said.
The development coincides with German prosecutors charging a military officer, identified as Thomas H, with espionage offenses. He was allegedly caught spying on behalf of Russian intelligence services and passing on unspecified sensitive information, having approached Russian diplomatic offices in Germany with offers to cooperate.
To prevent attacks using ‘WINELOADER’ malware, organizations should educate employees about phishing tactics and encourage them to be cautious when opening email attachments or clicking on links. Employing email filtering and antivirus software can help detect and block malicious emails and attachments. Additionally, keeping software and systems up to date with the latest security patches can help protect against known vulnerabilities exploited by malware like ‘WINELOADER.’