To get European diplomats to open an email containing spyware, hackers from the APT29 group (also known as Cozy Bear), which is linked to the Russian intelligence services, invited them to wine tasting events. In some cases, however, a mistake in the subject line could lead the potential victim to doubt the email’s authenticity.
In a campaign ongoing since January, the hackers sent emails on behalf of the foreign ministry of one of Europe’s “major” countries, according to a report by cybersecurity firm Check Point. The emails contained an invitation to a wine tasting event, intended to persuade the potential victim to click on a link; doing so would result in spyware being installed on the computer. The campaign targeted European diplomatic institutions, including embassies of non-European countries located in Europe. In a small number of cases, emails were also sent beyond Europe, particularly to diplomats in the Middle East, Check Point noted.
The phishing email subject lines included phrases like “Wine Event,” “Diplomatic dinner,” “Wine tasting event,” and “Wine Testing Event” (the word “testing” is not used in this context; apparently it was confused with “tasting”).
Commenting on the use of wine as bait, Check Point expert Sergey Shykevich told Politico:
“Someone on the attacker side had a good idea.”

He declined to name the specific foreign ministry the hackers were impersonating, saying only that it was “one of the major ones” in the European Union.
According to Check Point, the attack was carried out by the hacker group APT29, also known as Cozy Bear and Midnight Blizzard. Western intelligence agencies and cybersecurity experts link the group to Russia’s Foreign Intelligence Service. The group is known for hacking the Democratic National Committee’s server during the 2016 U.S. presidential election. The emails obtained from the server were used in a campaign against Hillary Clinton, who was running for president against Donald Trump at the time. APT29 is also believed to be behind one of the largest hacking attacks in history, against the U.S. company SolarWinds, which develops industrial software for managing networks, systems, and infrastructure.
Shykevich said Check Point has not determined how successful the wine-themed campaign was.
Russia is conducting an active cyberwar, according to Western intelligence services. For instance, last year, hackers from the FSB-linked group Star Blizzard attempted to gain access to WhatsApp accounts belonging to government ministers and officials from various countries, as well as staff at think tanks and organizations helping Ukraine.