Ukrainian security researchers have discovered a new Russian cyber-espionage campaign, possibly designed to gather information on Azerbaijan’s military strategy.
The campaign, led by APT29 (also known as Cozy Bear and Nobelium), targeted embassies in Azerbaijan, Greece, Romania, and Italy, as well as international institutions such as the World Bank, European Commission, Council of Europe, WHO, UN, and others. The geopolitical implications of the campaign are profound, as it may have aimed to gather intelligence concerning Azerbaijan’s strategic activities, particularly in the lead-up to the Azerbaijani invasion of Nagorno-Karabakh.
The campaign began as a spear-phishing email using the lure of a diplomatic car for sale.
The RAR attachment exploited CVE-2023-3883, a bug that allows threat actors to place a malicious folder with the same name as a benign file inside a .zip archive. Instead of opening the benign file, the system processes the concealed content in the folder, enabling the execution of arbitrary code. In this campaign, the user opens the RAR archive and clicks what appears to be a PDF of the car; a script then displays the decoy PDF while downloading and executing a PowerShell script. This technique complicates cybersecurity efforts and makes both defence and attribution more challenging.
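The name-collision trick described above can be checked for without extracting anything, because the collision is visible in the archive's central directory. The following Python script is an added example, not code from the article or from the researchers it cites: it lists the entries of a ZIP archive, flags any folder whose name matches a top-level file name (after stripping trailing whitespace, a normalization assumed here to catch near-identical names), and treats the archive as suspicious when such a folder holds a script-like file. The sample archives it builds are constructed for the demonstration; the placeholder file contents are inert.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# Extensions that should never sit inside a folder named after a document.
# Assumed list for this example; extend to match local policy.
SCRIPT_EXTENSIONS = (".cmd", ".bat", ".ps1", ".vbs", ".js", ".exe", ".lnk")


def _normalize(name: str) -> str:
    """Lower-case and strip trailing whitespace so near-identical names collide."""
    return name.rstrip(" \t").lower()


def find_name_collisions(archive_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (file_entry, folder_member) pairs where a folder shares a file's name.

    Only the central directory is read; nothing is extracted or executed.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()

    files = {n for n in names if not n.endswith("/")}
    files_by_norm = {_normalize(f): f for f in files}

    # Every path prefix before a "/" is a folder, whether or not the archive
    # carries an explicit directory entry for it.
    folder_members: Dict[str, List[str]] = {}
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):
            folder = "/".join(parts[:i])
            folder_members.setdefault(folder, []).append(n)

    findings = []
    for folder, members in folder_members.items():
        match = files_by_norm.get(_normalize(folder))
        if match is None:
            continue
        for member in members:
            if member.rstrip("/") != folder:  # skip the directory entry itself
                findings.append((match, member))
    return findings


def is_suspicious(archive_bytes: bytes) -> bool:
    """True when a colliding folder contains a script-like member."""
    return any(
        _normalize(member).endswith(SCRIPT_EXTENSIONS)
        for _, member in find_name_collisions(archive_bytes)
    )


def build_sample(variant: str) -> bytes:
    """Build a constructed test archive: 'clean', 'collision' or 'collision_space'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Car.pdf", b"%PDF-1.4 constructed placeholder, not a real document")
        if variant == "collision":
            zf.writestr("Car.pdf/Car.pdf.cmd", "rem constructed placeholder\r\n")
        elif variant == "collision_space":
            # Folder name differs from the file name only by a trailing space.
            zf.writestr("Car.pdf /Car.pdf .cmd", "rem constructed placeholder\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for variant in ("clean", "collision", "collision_space"):
        data = build_sample(variant)
        print(variant, find_name_collisions(data), "suspicious" if is_suspicious(data) else "ok")
```

To run it against a real attachment, read the file's bytes and pass them to `is_suspicious`; a `True` result is a reason to quarantine the archive before any user opens it, since the decoy document and the script share a name by design.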
Russian cyber espionage has been notably prevalent in recent years, showcasing the country’s sophisticated capabilities in cyberspace. Russia has been implicated in various high-profile cyberattacks targeting governments, critical infrastructure, and international organizations.
Notably, the alleged interference in the 2016 U.S. presidential election exposed Russia’s use of cyber tactics for political influence. The SolarWinds hack in 2020, attributed to Russian actors, demonstrated a high level of sophistication, infiltrating numerous U.S. government agencies. These incidents underscore Russia’s persistent and evolving cyber threat, with concerns extending globally as the country continues to employ cyber capabilities for geopolitical objectives.