Poland provides more details on APT28 government attacks
Poland has denounced Russian state-sponsored hackers, alleging that they attacked several government networks in a major phishing campaign.
According to the Polish state National Research Institute (NASK), the Russian threat group APT28, which is linked to the GRU, Russia's military intelligence agency, launched attacks against several Polish government institutions.
Earlier this week, Poland announced for the first time that it had been attacked by APT28 and expressed its support for Germany and the Czech Republic, which also denounced the threat group.
“Poland, which is also one of the targets of the APT28 attacks, strongly condemns the repeated, unacceptable and harmful activities carried out in cyberspace by Russian entities,” Poland said in a statement.
“As threats in cyberspace continue to increase, Poland is actively working to protect critical infrastructure, build resilience and strengthen cyber defense.”
At the time, however, Poland gave no details of the attack.
While its latest statement does not confirm that this is the same activity as that reported by Germany and the Czech Republic, particularly since the attacks on those countries took place years ago, Poland's NASK has now said that APT28 attempted to distribute malware on Polish government networks this week.
“This week the APT28 group, associated with Russian intelligence services, distributed malware targeting Polish government institutions,” NASK said in a statement.
“Technical indicators and similarities with past attacks allowed the identification of the APT28 group… This group is associated with the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).”
Other reports from the Polish Ministry of National Defence's Computer Security Incident Response Team (CSIRT MON) and CERT Polska, the Polish computer emergency response team, said the malware was delivered via phishing emails promising additional information about a “mysterious Ukrainian woman” selling “used underwear” to “High authorities in Poland and Ukraine,” as reported by BleepingComputer.
Recipients who clicked the link in the email were redirected through several sites before a ZIP archive disguised as a JPG image was downloaded.
Inside the archive are a DLL and a .BAT script, which run when the file is opened. A swimsuit photo is displayed in Microsoft Edge to distract the recipient while the script runs in the background.
CERT Polska said the script collects information about the computer, such as a list of selected files and IP addresses, and sends it to a command-and-control (C2) server.
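The delivery chain described above relies on a container mismatch: the download is named like a JPG but is really a ZIP, and the archive carries a DLL and a BAT alongside a decoy image. The following is an added triage example written for this page, not code from CERT Polska, CSIRT MON or the article; it checks a downloaded file's magic bytes against its extension and, if the content is a ZIP, enumerates executable entries. The file and entry names (IMG_20240501.jpg, codec.dll, run.bat) are constructed placeholders, and the hidden-attribute check is a general heuristic that the page itself does not report.

```python
import io
import zipfile

# Magic bytes for the two formats the lure plays off against each other.
ZIP_MAGIC = b"PK\x03\x04"
JPEG_MAGIC = b"\xff\xd8\xff"

# Archive entries that have no business inside something presented as a photo.
EXECUTABLE_SUFFIXES = (".dll", ".bat", ".cmd", ".exe", ".scr", ".ps1", ".lnk")

# MS-DOS "hidden" attribute bit, stored in the low byte of a ZIP entry's external_attr.
# Assumption: flagging hidden entries is a general heuristic, not something the page reports.
DOS_HIDDEN = 0x02


def real_container(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring whatever the file name claims."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def triage_attachment(name: str, data: bytes) -> dict:
    """Check a downloaded file for the pattern described in the article: an
    image-looking name whose content is really a ZIP with executable entries.
    Returns a verdict a mail gateway or SOC script can act on."""
    kind = real_container(data)
    findings = []
    payloads = []

    if name.lower().endswith((".jpg", ".jpeg")) and kind != "jpeg":
        findings.append(f"extension claims JPEG but content is {kind}")

    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                base = info.filename.rsplit("/", 1)[-1].lower()
                if base.endswith(EXECUTABLE_SUFFIXES):
                    payloads.append(info.filename)
                if info.external_attr & DOS_HIDDEN:
                    findings.append(f"hidden entry: {info.filename}")
        if payloads:
            findings.append("executable payloads inside archive: " + ", ".join(payloads))

    return {
        "suspicious": bool(findings),
        "container": kind,
        "payloads": payloads,
        "findings": findings,
    }


def build_sample_lure() -> tuple[str, bytes]:
    """Constructed stand-in for the lure: a ZIP named like a photo that carries
    a decoy image plus a hidden DLL and BAT. Entry contents are placeholders,
    not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 16)
        for hidden_name in ("codec.dll", "run.bat"):
            zi = zipfile.ZipInfo(hidden_name)
            zi.external_attr = DOS_HIDDEN
            zf.writestr(zi, b"placeholder")
    return "IMG_20240501.jpg", buf.getvalue()


def build_benign_photo() -> tuple[str, bytes]:
    """Constructed control case: a real (minimal) JPEG header under a JPEG name."""
    return "beach.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 16


if __name__ == "__main__":
    for sample_name, sample_data in (build_sample_lure(), build_benign_photo()):
        print(sample_name, triage_attachment(sample_name, sample_data))
```

The check deliberately trusts the bytes over the name: a ZIP that a browser saves as `something.jpg` still starts with `PK`, and the executable suffix scan runs on the archive listing without extracting anything, so the DLL and BAT never touch disk. Redirect chains and decoy images are handled upstream; this step is the one a gateway can apply to the final download.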
“Probably, the computers of victims selected by the attackers receive a different set of endpoint scripts,” CERT Polska said.