Russia-linked APT28 targets government Polish institutions
securityaffairs.com, published 2024-05-10, https://securityaffairs.com/162965/apt/russia-linked-apt28-targets-government-polish-institutions.html

CERT Polska warns of a large-scale malware campaign against Polish government institutions conducted by Russia-linked APT28.

The CERT Polska and CSIRT MON teams issued a warning about a large-scale malware campaign targeting Polish government institutions, which they attribute to the Russia-linked APT28 group.

The attribution to the Russian APT is based on technical indicators and on similarities with the TTPs APT28 used in previously documented attacks against Ukrainian entities.

“the CERT Polska (CSIRT NASK) and CSIRT MON teams observed a large-scale malware campaign targeting Polish government institutions.” reads the alert. “Based on technical indicators and similarity to attacks described in the past (e.g. on Ukrainian entities), the campaign can be associated with the APT28 activity set, which is associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).”

The threat actors sent emails designed to pique the recipient’s interest and encourage them to click on a link.

[Figure: APT28]

Upon clicking the link, the victim is redirected to the domain run.mocky[.]io, a free service developers use to create and test mock APIs. That domain in turn redirects to another legitimate site, webhook[.]site, which logs every request sent to a generated address and lets its owner configure the responses returned.

Threat actors increasingly rely on services that are popular in the IT community to evade detection and speed up operations: traffic to such domains is usually allowed through web filtering and blends in with legitimate developer activity, and no attacker-owned infrastructure has to be registered or hosted.
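The redirect chain above (mail link, then run.mocky[.]io, then webhook[.]site, then the ZIP download) is something a SOC can hunt for in proxy logs even though both domains are legitimate. The following is an added example, not code from the article or from CERT Polska: it refangs the indicators as published, groups hits per client, and rates a client higher when a run.mocky.io request is followed within a time window by a webhook.site request, highest when that request returned a ZIP. The log format, the sample lines, the 60-second window and the severity labels are all assumptions made for this example.

```python
"""Added example: flag proxy-log sessions that follow the redirect chain the
article describes (mail link -> run.mocky[.]io -> webhook[.]site -> ZIP download).
The log format and the sample lines below are constructed for this example."""
from collections import defaultdict
from urllib.parse import urlparse


def refang(ioc: str) -> str:
    """Turn a defanged indicator as published ("run.mocky[.]io") back into a hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


# Redirector hosts named in the CERT Polska alert (both are legitimate developer services).
REDIRECTOR = refang("run.mocky[.]io")
PAYLOAD_HOST = refang("webhook[.]site")
ABUSED_HOSTS = {REDIRECTOR, PAYLOAD_HOST}
RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed proxy log (assumed format): "<epoch> <client> <status> <method> <url> <content-type>".
SAMPLE_LOG = """\
1715338000.101 10.0.0.5 302 GET https://run.mocky.io/v3/0f1e2d3c text/html
1715338000.402 10.0.0.5 200 GET https://webhook.site/11112222-3333 application/zip
1715338010.000 10.0.0.7 200 GET https://example.org/index.html text/html
1715338020.000 10.0.0.9 200 GET https://webhook.site/44445555-6666 application/json
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields; hostnames are lowercased by urlparse."""
    ts, client, status, method, url, ctype = line.split()
    return {"ts": float(ts), "client": client, "status": int(status),
            "method": method, "host": urlparse(url).hostname or "", "ctype": ctype}


def score_session(recs: list, window: float) -> str:
    """Rate one client's hits on the abused hosts.

    high   : run.mocky.io hit followed within `window` seconds by a ZIP from webhook.site
    medium : run.mocky.io hit followed within `window` seconds by any webhook.site hit
    low    : any single hit on an abused host (worth a look, but both services are legitimate)
    """
    recs = sorted(recs, key=lambda r: r["ts"])
    severity = "low"
    for i, r in enumerate(recs):
        if r["host"] != REDIRECTOR:
            continue
        for later in recs[i + 1:]:
            if later["ts"] - r["ts"] > window:
                break  # records are time-sorted, nothing further can be inside the window
            if later["host"] == PAYLOAD_HOST:
                cand = "high" if later["ctype"] == "application/zip" else "medium"
                if RANK[cand] > RANK[severity]:
                    severity = cand
    return severity


def find_redirect_chains(log_text: str, window: float = 60.0) -> dict:
    """Map each client that touched an abused host to a severity string."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["host"] in ABUSED_HOSTS:
            sessions[rec["client"]].append(rec)
    return {client: score_session(recs, window) for client, recs in sessions.items()}


if __name__ == "__main__":
    for client, sev in sorted(find_redirect_chains(SAMPLE_LOG).items()):
        print(f"{client}: {sev}")
```

On the sample, 10.0.0.5 scores high (mocky redirect followed 0.3 s later by a ZIP from webhook.site) while 10.0.0.9 only scores low, which is the right default: a lone webhook.site request is common developer traffic, and the ordered two-hop sequence is what distinguishes this campaign's chain from normal use.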

The attack chain includes the download of a ZIP archive from webhook[.]site, which contains: