Russia's Cozy Bear caught phishing German politicos with phony dinner invites

The Kremlin's cyberspies targeted German political parties in a phishing campaign that used emails disguised as dinner party invitations, according to Mandiant.

Russia's Cozy Bear, also known as APT29 and Midnight Blizzard, engineered the messages to infect marks' Windows PCs with a backdoor first observed in January and dubbed WINELOADER. These were intended to provide long-term access to the political parties' networks and data, the Google-backed security biz asserted on Friday.

This is the first time that the cyberespionage group, which has been linked to the Russian Foreign Intelligence Service (SVR), has targeted political parties, according to the report.

"Western political parties and their associated bodies from across the political spectrum are likely also possible targets for future SVR-linked cyber espionage activity given Moscow's vital interest in understanding changing Western political dynamics related to Ukraine and other flashpoint foreign policy issues," Mandiant's Luke Jenkins and Dan Black wrote in an alert.

This is the same crew that infamously backdoored SolarWinds' network monitoring software and then used that access to spy on customers such as the US Treasury, Justice, and Energy departments, and the Pentagon.

Cozy Bear's latest phishing emails, sent out last month, were designed to give to the impression they were sent by Germany's Christian Democratic Union (CDU), and included the major political party's logo, inviting recipients to a March 1 dinner reception.

Victims, looking forward to confirming they were up for cocktails and canapes, were directed to click on a link to a hijacked, Cozy Bear-controlled website – waterforvoiceless[.]org/invite.php – which would download a .zip file. Marks who opened the archive and then its contents would end up executing a program called ROOTSAW, which would infect the PC with the WINELOADER backdoor, fetched from waterforvoiceless[.]org/util.php.

WINELOADER is quite a clever piece of code that uses various obfuscation techniques to hide the fact that it allows the machine to be secretly remotely controlled by its masterminds, allowing those miscreants to potentially do all sorts of things on infected PCs, such as running commands and snooping on user applications.

The backdoor program was spotted by Zscaler's ThreatLabz on January 30, and it was used in phishing campaigns targeting diplomatic entities in Europe, India, and Peru. 

Ambassador, with this malware you are spoiling us!

The Zscaler team said WINELOADER was delivered onto targets' personal computers from a bogus invite to a wine-tasting event purportedly from an ambassador of India also in February 2024.

According to Mandiant, this backdoor overlaps with several other strains of malicious software used by Cozy Bear but is "considerably more customized than the previous variants, as it no longer uses publicly available loaders like DONUT or DAVESHELL and implements a unique C2 mechanism," we're told.

In a statement to the media, the CDU said it "received very prompt information about the attack … There was no official CDU dinner on 1 March, the event was fictitious." We've asked for further details.

In addition to expanding its targets and techniques, Cozy Bear has also been lurking around Microsoft's networks — an old favorite of the Russian crew — stealing source code, gaining access to internal systems, and snooping around in executives' email inboxes. ®