Duke Malware Targets NATO, Revealing a Complex Web of Espionage
Duke Goes By Many Names Including 'Cozy Bear'

Overt Operator
August 16, 2023
The Dutch cybersecurity firm EclecticIQ released a report that unveils a recent campaign to zero in on the foreign ministries of NATO-aligned governments. This threat highlights the ever-evolving nature of the cyber landscape and hacker threats.
A recent revelation sheds light on attempts by cyber adversaries to spy on government agencies in NATO countries, emphasizing the ever-present risks these nations face. The culprit behind these intrusions? A variant of the Russia-linked Duke malware, as brought to light by recent research.
These digital intrusions employed two malicious PDF files to achieve their goals. One of these PDFs was loaded with the notorious Duke malware, a digital menace linked to the Russian state-sponsored cyber-espionage group APT29. This group also goes by several monikers, including Nobelium, Cozy Bear, and The Dukes.
Intriguingly, the secondary file was seemingly benign, potentially intended for testing or reconnaissance. While it did not harbor a malicious payload, it did alert the hacker if a potential victim accessed the email attachment – a clear indication of its reconnaissance nature.
These files, masquerading as diplomatic invites from a German embassy, point to an even more extensive campaign that possibly spans the globe, targeting various diplomatic entities.
While the report stops short of directly attributing the German embassy-themed files to APT29, certain operational details align with previous campaigns identified as the group's handiwork, according to other researchers who reportedly examined the attack.
Further intriguing details emerge with the mention of an email address within the malicious PDF, which refers to a genuine web domain, bahamas.gov.bs. This same domain, as uncovered in a separate report by cybersecurity firm Lab52 in mid-July, was previously exploited by hackers impersonating the Norwegian embassy.
Drawing a connection, EclecticIQ researchers express high confidence that both sets of malicious files—the German embassy-themed and the Norwegian embassy-themed ones—originate from the same threat actor.
The broader picture indicates an escalation in Moscow's cyber espionage endeavors in Europe, particularly since the onset of the conflict in Ukraine. Countries neighboring Kyiv, such as Poland, Lithuania, and Latvia, are feeling the brunt of these cyber incursions.