WINELOADER’s involvement in these attacks was identified by cybersecurity experts, who traced its origins back to the SVR-linked hacking group
A hacking group believed to have ties to Russia’s Foreign Intelligence Service (SVR), previously implicated in breaches involving SolarWinds and Microsoft, is now suspected of orchestrating recent cyber attacks. These attacks, which targeted diplomatic entities, utilized a backdoor named WINELOADER and employed phishing lures centered around wine-tasting invitations.
WINELOADER’s involvement in these attacks was identified by cybersecurity experts, who traced its origins back to the SVR-linked hacking group. This group has gained notoriety for its sophisticated cyber operations, including previous breaches of major technology companies.
“This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions,” stated researchers Luke Jenkins and Dan Black.
The attack involved phishing emails containing German-language content, purportedly invitations to dinner receptions, which led recipients to download a malicious file. This file acted as a conduit to deliver WINELOADER, allowing the hackers to gain access to compromised systems.
WINELOADER, loaded onto the victim machine through a technique called DLL side-loading, enabled the hackers to communicate with a remote server and execute additional modules on the compromised systems. It shares similarities with other malware associated with APT29, hinting at a common developer.
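DLL side-loading, as described above, works by placing a malicious DLL where a legitimate executable will find it before the genuine library. A common defensive check is therefore to look for Windows-named DLLs loaded from outside the system directories, especially when they sit beside the executable in a user-writable folder. The following is an added illustration of that heuristic over constructed Sysmon-style image-load events; it is not code from the report or from the researchers, the DLL name list and log format are assumptions, and no real WINELOADER file names or paths are used.

```python
import re
from dataclasses import dataclass, field

# Directories from which Windows normally serves its own DLLs (assumption for this example).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# User-writable locations that commonly host a side-loaded DLL (heuristic, not exhaustive).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\public\\")

# Illustrative DLL names that ship with Windows and are frequently spoofed for side-loading.
WINDOWS_DLL_NAMES = {"version.dll", "wininet.dll", "dwmapi.dll", "cryptbase.dll"}

# Constructed sample events in a simplified "Image loaded" format; not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\version.dll Signed=true",
    "Image=C:\\Users\\alice\\Downloads\\invite\\viewer.exe ImageLoaded=C:\\Users\\alice\\Downloads\\invite\\version.dll Signed=false",
    "Image=C:\\Program Files\\Vendor\\app.exe ImageLoaded=C:\\Program Files\\Vendor\\plugin.dll Signed=true",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\wininet.dll Signed=false",
]

EVENT_RE = re.compile(
    r"Image=(?P<image>.+?) ImageLoaded=(?P<loaded>.+?) Signed=(?P<signed>true|false)", re.I
)


@dataclass
class Finding:
    process: str
    dll: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Return (process_path, dll_path, signed) for one event line, or None if unparsable."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return m.group("image"), m.group("loaded"), m.group("signed").lower() == "true"


def _split_dir(path):
    """Split a Windows path into (lower-cased directory with trailing backslash, file name)."""
    lowered = path.lower()
    directory, _, name = lowered.rpartition("\\")
    return directory + "\\", name


def assess_image_load(process, dll_path, signed):
    """Return the list of reasons this image load looks like DLL side-loading (empty if benign)."""
    proc_dir, _ = _split_dir(process)
    dll_dir, dll_name = _split_dir(dll_path)
    reasons = []
    # Core indicator: a DLL carrying a Windows system library name, loaded from somewhere else.
    if dll_name in WINDOWS_DLL_NAMES and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name loaded from outside the Windows system directories")
        if dll_dir == proc_dir:
            reasons.append("DLL sits beside the executable (classic side-load layout)")
        if any(marker in dll_dir for marker in USER_WRITABLE):
            reasons.append("staged in a user-writable directory")
        if not signed:
            reasons.append("DLL is unsigned")
    return reasons


def scan(lines):
    """Run the heuristic over event lines and collect the suspicious loads."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        process, dll_path, signed = parsed
        reasons = assess_image_load(process, dll_path, signed)
        if reasons:
            findings.append(Finding(process, dll_path, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.process} loaded {f.dll}")
        for r in f.reasons:
            print(f"  - {r}")
```

The first sample event (version.dll from System32) and the third (a vendor plugin with no system-library name) produce no finding; the two loads of Windows-named DLLs from a Downloads folder and a Temp folder are flagged with all four reasons. In practice the name list would be drawn from the real system directory contents, and a signed-but-misplaced DLL should still be reviewed, since the core indicator does not depend on the signature.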
The use of WINELOADER was not limited to Germany; it was also deployed in attacks targeting diplomatic entities in several other countries, including the Czech Republic, India, and Italy.
“The first-stage malware’s expanded use to target German political parties is a noted departure from the typical diplomatic focus of this APT29 subcluster, and almost certainly reflects the SVR’s interest in gleaning information from political parties and other aspects of civil society that could advance Moscow’s geopolitical interests,” noted the report.
Meanwhile, in a separate development, German prosecutors have charged a military officer with espionage offenses. The officer, identified as Thomas H, allegedly spied on behalf of Russian intelligence services, transmitting sensitive information obtained during his professional activities.
“From May 2023, he approached the Russian Consulate General in Bonn and the Russian Embassy in Berlin several times on his own initiative and offered to cooperate,” the Office of the Federal Prosecutor revealed. “On one occasion, he transmitted information that he had obtained in the course of his professional activities for forwarding to a Russian intelligence service.”
The incidents underscore the ongoing challenges posed by cyber threats and espionage activities, highlighting the need for robust cybersecurity measures and vigilance in countering such attacks.