An advanced persistent threat group with links to Russia, known as APT29, has been observed abusing legitimate information systems used by European countries to conduct cyber espionage. The group is believed to be sponsored by the Russian Foreign Intelligence Service and has also been referred to as Cozy Bear, the Dukes, Nobelium, and Yttrium. BlackBerry reported that the recent campaign targeted EU government organizations via phishing emails containing malicious documents. The phishing emails used information about the Polish Foreign Minister’s visit to the US to lure recipients into clicking malicious links.
BlackBerry also stated that the attacks abused multiple legitimate systems, such as LegisWrite and eTrustX, which are used for information and data sharing between European government organizations. These platforms allow users to create, revise, and exchange documents securely. Because these platforms were chosen for the attacks, security researchers believe the threat actor was specifically targeting European organizations. APT29 is likely using Poland as a lure in an attempt to harm, or gain intelligence on, countries providing assistance to Ukraine.