The Russian hackers behind the SolarWinds campaign have been extracting information from ministries and diplomatic entities of European Union and NATO countries, the Polish military and national CERT revealed Thursday.
The campaign, which is still ongoing, according to a government statement, used emails impersonating embassies of European countries to target personnel at diplomatic posts.
“The aim of publishing the advisory is to disrupt the ongoing espionage campaign, impose additional cost of operations against allied nations and enable the detection, analysis and tracking of the activity by affected parties and the wider cyber security industry,” the statement reads.
In the body of the message or in an attached PDF, an invitation to a meeting contained a link directing the recipient to a downloadable file or to the ambassador’s calendar, which would then infect them with malware.
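The lure described above (embassy-themed sender, meeting or calendar invitation, and a link in the body or an attached PDF leading off to a download host) is the kind of pattern a mail-security team can screen for. The script below is an added illustration written for this article, not code from the Polish advisory or from any of the vendors named; the message records, domains and scoring thresholds are constructed here as assumptions, and the PDF text is assumed to have already been extracted by another tool.

```python
import re
from dataclasses import dataclass

# Matches http(s) URLs and captures the host part.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>)]*")

# Wording typical of the invitation-style lure reported in the campaign.
LURE_WORDS = ("invitation", "meeting", "calendar", "ambassador")


@dataclass
class Message:
    sender: str                 # address from the From: header
    subject: str
    body: str                   # plain-text body
    attachment_text: str = ""   # text already extracted from an attached PDF, if any


def sender_domain(addr: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def extract_link_hosts(text: str) -> set:
    """Collect the hosts of every URL found in the given text."""
    return {m.group(1).lower() for m in URL_RE.finditer(text)}


def assess(msg: Message):
    """Return (suspicious, reasons) for one message.

    The heuristic flags a message only when lure wording AND a link pointing
    outside the sender's own domain are both present, so an ordinary internal
    meeting invite with an intranet link is not reported.
    """
    reasons = []
    text = " ".join((msg.subject, msg.body, msg.attachment_text)).lower()

    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        reasons.append("lure wording: " + ", ".join(hits))

    sdom = sender_domain(msg.sender)
    hosts = extract_link_hosts(msg.body) | extract_link_hosts(msg.attachment_text)
    foreign = sorted(h for h in hosts if h != sdom and not h.endswith("." + sdom))
    if foreign:
        reasons.append("links to hosts outside sender domain: " + ", ".join(foreign))

    if extract_link_hosts(msg.attachment_text):
        reasons.append("link carried inside attached PDF")

    return bool(hits) and bool(foreign), reasons


# Constructed sample messages (domains use reserved .example / .invalid names).
SAMPLES = [
    Message(
        sender="calendar@ministry.example",
        subject="Team meeting on Thursday",
        body="Join here: https://intranet.ministry.example/meet/42",
    ),
    Message(
        sender="protocol@embassy-of-somewhere.example",
        subject="Invitation: reception with the Ambassador",
        body="Please find the invitation attached.",
        attachment_text=(
            "You are invited to a meeting. RSVP and view the Ambassador's "
            "calendar at https://files-cdn.example-host.invalid/calendar.php"
        ),
    ),
]


def run_samples():
    """Assess every sample and return [(sender, suspicious, reasons), ...]."""
    return [(m.sender, *assess(m)) for m in SAMPLES]


if __name__ == "__main__":
    for sender, suspicious, reasons in run_samples():
        print(f"{sender}: {'SUSPICIOUS' if suspicious else 'ok'}")
        for r in reasons:
            print("   -", r)
```

Only the second sample is reported: the first contains meeting wording but its link stays inside the sender's domain. In production the domain comparison would be backed by a list of legitimate embassy domains and by SPF/DKIM results, since a lookalike sender domain passes this simple check.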
Many of the elements observed in the campaign, including the techniques used and the tools, overlap with activity described in the past by Microsoft as the Russian group “NOBELIUM” and by Mandiant as “APT29,” which was responsible for the SolarWinds attack that affected thousands of systems and customers on a global scale.
Janusz Cieszyński, the Polish government’s plenipotentiary for cybersecurity, told POLITICO that he was very impressed with the counterintelligence of the CERT and military.