Email from “Portuguese embassy” used to attack NATO countries | cybercrime
Fake emails sent in the name of Portuguese embassies, carrying the image of the Portuguese coat of arms, were used in attempts to steal credentials from several NATO countries in May and June. The alert was issued this Tuesday, July 19, by Unit 42, the threat research unit of the American cybersecurity company Palo Alto Networks. The team believes that the group Cloaked Ursa is behind the scheme: a community of Russian cyber-attackers with ties to the Russian intelligence services (the group is also known as APT29, Nobelium and Cozy Bear).
“These campaigns are believed to have targeted several Western diplomatic missions between May and June 2022,” explains the Unit 42 team in a report published this Tuesday. “The phishing documents contained a link to a malicious HTML file.” The group also used fake emails signed by the “Embaixada do Brasil” (in this case, however, the hackers wrote “Brzail” instead of “Brasil”).
To appear more credible, the fake emails, which were written in English and presented as coming from Portuguese ambassadors, included links to well-known online storage services such as Google Drive and Dropbox. The packages stored on these sites, presented as the ambassadors’ agenda, contained malicious content (EnvyScout) that opened an entry point for the hackers.
Google and Dropbox blocked access to these files after being notified by Palo Alto Networks. The cybersecurity company warns, however, that this type of cyberattack is becoming more common because of the “trust that millions of customers” place in services like Dropbox and Google Drive and the frequency with which they are used in a professional environment.
Targeted phishing
According to Palo Alto Networks, the attackers’ objective was to obtain diplomatic credentials from NATO countries. It was a spear phishing campaign. In traditional phishing, attackers use fake emails (for example, in the name of a bank or a social network) to obtain data or install malicious files. In spear phishing, instead of sending emails to a wide audience in the hope of infecting as many computers as possible, attackers choose specific targets. In this case, diplomatic missions from NATO countries.
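The lure described in this article combines three signals that a mail gateway can score together: a sender claiming to be a diplomatic mission but writing from a domain that is not the mission’s own, a link to a consumer file-sharing service, and a reference to an HTML or ISO package. The following triage rule is an added example written for this page, not code from Palo Alto Networks or from PÚBLICO; the allow-list of mission domains, the message samples and the scoring thresholds are all constructed assumptions.

```python
"""Triage rule for embassy-themed spear phishing that links to cloud storage.

Added example (not from the article or Unit 42). Everything below that looks
like data is constructed: the trusted-domain allow-list, the sample messages
and the verdict thresholds.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list: domains a genuine Portuguese or Brazilian mission
# would actually send from. In production this comes from your directory.
TRUSTED_MISSION_DOMAINS = {"mne.pt", "itamaraty.gov.br"}

# File-sharing hosts abused in the campaign described in the article.
CLOUD_SHARE_HOSTS = {"drive.google.com", "docs.google.com",
                     "dropbox.com", "www.dropbox.com"}

# Package types mentioned in the article (HTML dropper, ISO agenda package);
# ZIP is a constructed addition covering the same delivery pattern.
RISKY_FILE_RE = re.compile(r"\b[\w\-]+\.(?:html?|iso|zip)\b", re.I)

DIPLOMATIC_WORDS = re.compile(r"\b(embassy|embaixada|ambassador|consulate)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def assess(raw_message: str) -> dict:
    """Return findings and a verdict ('block', 'review' or 'deliver')."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""

    findings = []

    # 1. Diplomatic identity claimed, but not sent from a known mission domain.
    claims_mission = DIPLOMATIC_WORDS.search(display_name) or DIPLOMATIC_WORDS.search(subject)
    if claims_mission and sender_domain not in TRUSTED_MISSION_DOMAINS:
        findings.append("diplomatic_lure")

    # 2. Any link pointing at a consumer file-sharing service.
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    if hosts & CLOUD_SHARE_HOSTS:
        findings.append("cloud_share_link")

    # 3. The body or a link names an HTML/ISO/ZIP package to open.
    if RISKY_FILE_RE.search(body):
        findings.append("risky_payload")

    # Verdict: identity spoofing plus a delivery signal is enough to block;
    # a single signal goes to an analyst queue.
    if "diplomatic_lure" in findings and len(findings) >= 2:
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings, "sender_domain": sender_domain}


# Constructed sample: the lure pattern from the article (domain and ID are invented).
LURE = (
    "From: Embassy of Portugal <agenda@portugal-embassy-mail.example>\n"
    "Subject: Ambassador's agenda for the NATO meeting\n"
    "\n"
    "Dear colleague,\n"
    "the updated agenda is shared here: https://drive.google.com/file/d/CONSTRUCTED-ID/view\n"
    "Please open agenda.iso and review the enclosed file.\n"
)

# Constructed sample: a legitimate-looking mission message from its own domain.
BENIGN = (
    "From: Embassy of Portugal <press@mne.pt>\n"
    "Subject: Press release\n"
    "\n"
    "The statement is available at https://www.portugal.gov.pt/press/statement\n"
)

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("benign", BENIGN)):
        print(name, assess(sample))
```

The rule deliberately keys on the mismatch between the claimed identity and the sending domain rather than on any single indicator: a real mission may legitimately share a Google Drive link, and a spoofed one may avoid attachments entirely. Scoring the combination is what separates the campaign’s lure from ordinary diplomatic correspondence.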
PÚBLICO contacted the Ministry of Foreign Affairs late on Tuesday afternoon to find out whether there are any reports of cyberattacks triggered by this specific scheme, but had received no response at the time of publication.
This is not the first time that Portugal has been targeted by Russian cyber-attackers. At the end of February, the magazine Sábado reported that the Ministry of Foreign Affairs had been the target of a cyberattack launched by Russian cyber-operatives. One consequence of this attack, the cause of which was not disclosed, was an interruption of the MNE’s e-mail service, with diplomats and Palace services left without access to e-mail for several days.
The cybersecurity industry has long blamed the Cozy Bear group’s attacks on Moscow. Cybersecurity experts around the world say the group is behind the 2016 attack on Democratic Party National Committee servers that led to the theft and disclosure of thousands of internal emails.
The group is also associated with the attack on SolarWinds Corp, a Texas-based company that develops cybersecurity programs for businesses and a range of government entities, from the Pentagon to the Department of State. By planting malicious code in a security program update, the hackers were able to access the computer networks of corporations, think tanks and government agencies for months.
“It is the first time that the group has introduced these cloud storage services into its operations, relying on the fact that users trust them,” insists the cybersecurity firm Palo Alto Networks at the conclusion of the report. “We encourage all organizations to review their email policies.”