cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Russian threat actors actively targeting diplomats in NATO and EU countries

Two Polish agencies have revealed an ongoing phishing campaign targeting diplomatic posts throughout Europe.

user icon David Hollingworth
Fri, 14 Apr 2023
Russian threat actors actively targeting diplomats in NATO and EU countries
expand image

Polish Military Counterintelligence Service and CERT Polska believe that the threat actor Nobelium is behind the campaign, which has been ongoing since at least October 2022. The two agencies posted an alert overnight warning NATO countries and diplomatic staff to be aware of the danger posed by the group’s efforts.

The campaign is based on phishing emails sent to diplomatic staff, purporting to be from the Polish embassy. The emails contain information about diplomatic events, with recipients told to download information about speakers and event details.

When a victim clicks on the link, they are directed to a compromised website posing as an official embassy site, hosting the EnvyScout malware dropper as well as the files they’re ostensibly looking for. The dropper then runs a script in the background, which installs a further downloader tool on the host system.


Over time, the tools and their nature have been seen to evolve.

SnowyAmber and QuarterRig have been used throughout the campaign. Both are downloaders that can access Nobelium’s CnC nodes to run further commands and download either the Cobalt Strike or Brute Ratel malware. The HalfRig tool was used early in the campaign, which is a loader that installs Cobalt Strike directly itself.

Both SnowyAmber and QuarterRig also scan the infected system to see if it is of interest and to ascertain if it is running in a test environment for malware analysis.

Cobalt Strike and Brute Ratel are both commercial pen-testing tools but are often used by malicious actors as malware.

The scope of the campaign has led the two agencies to issue a warning to a range of possible targets.

“The Military Counterintelligence Service and CERT.PL strongly recommend that all entities that may be in the actor’s area of interest implement configuration changes to disrupt the delivery mechanism that was used in the described campaign,” the alert read.

The alert calls for diplomatic, government, and NGO entities to be particularly vigilant.

Nobelium is the Russian-backed group responsible for the 2020 SolarWinds hack, which Microsft called “the most sophisticated in history”. It impacted organisations all over the world, including many parts of the US government, NATO, and the EU.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.