APT29 hit German political parties with bogus invites and malware

APT29 (aka Cozy Bear, aka Midnight Blizzard) has been spotted targeting German political parties for the first time, Mandiant researchers have shared.

Phishing leading to malware

The attack started in late February 2024, with phishing emails containing bogus invitations to a dinner reception, ostensibly sent by the Christian Democratic Union (CDU), a major political party in Germany.

Recipients were urged to follow a link to discover “all the necessary information about the event as well as the form for participation” and were led to a compromised WordPress website hosting Cozy Bear’s “mainstay first-stage payload”: ROOTSAW.

“ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload retrieved from ‘waterforvoiceless[.]org/util.php’,” the researchers noted.

WINELOADER is a modular backdoor with detection evasion and persistence capabilities and, according to the researchers, “likely a variant of the non-public historic BURNTBATTER and MUSKYBEAT code families which Mandiant uniquely associates with APT29.”

WINELOADER has been documented last month by Zscaler researchers, who discovered it after analyzing a PDF masquerading as an invitation letter from the Ambassador of India to diplomats, inviting them to a wine-tasting event. The PDF in question was uploaded to VirusTotal from Latvia on January 30th.

Cozy Bear’s other targets

APT29, believed to be acting on behalf of Russia’s Foreign Intelligence Service (SVR), has previously been known for targeting governments, foreign embassies, and other diplomatic missions.

“We (…) suspect that APT29’s interest in [political parties and other aspects of civil society] is unlikely to be limited to Germany. Western political parties and their associated bodies from across the political spectrum are likely also possible targets for future SVR-linked cyber espionage activity given Moscow’s vital interest in understanding changing Western political dynamics related to Ukraine and other flashpoint foreign policy issues,” Mandiant researchers pointed out.

“Based on recent activity from other APT29 subclusters, attempts to achieve initial access beyond phishing may include attempts to subvert cloud-based authentication mechanisms or brute force methods such as password spraying.”

Earlier this month, Microsoft revealed that APT29 used the information they previously stole from the company to access some of its internal systems and code repositories.