Cyber Espionage: Russian APT28 Hackers Target 13 Countries Worldwide

admin, 2023-12-13 13:56:58

The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.

IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422.

"The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers," security researchers Golo Mühr, Claire Zaboeva, and Joe Fasulo said.

"ITG05's infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign."

Targets of the campaign include Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania.

The campaign involves the use of decoys that are designed to primarily single out European entities with a "direct influence on the allocation of humanitarian aid," leveraging documents associated with the United Nations, the Bank of Israel, the U.S. Congressional Research Service, the European Parliament, a Ukrainian think tank, and an Azerbaijan-Belarus Intergovernmental Commission.

Some of the attacks have been found to employ RAR archives exploiting the WinRAR flaw tracked as CVE-2023-38831 to propagate HeadLace, a backdoor that was first disclosed by the Computer Emergency Response Team of Ukraine (CERT-UA) in attacks aimed at critical infrastructure in the country.

It's worth noting that Zscaler revealed a similar campaign named Steal-It in late September 2023 that enticed targets with adult-themed content to trick them into parting with sensitive information.

The disclosure comes a week after Microsoft, Palo Alto Networks Unit 42, and Proofpoint detailed the threat actor's exploitation of a critical security flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims' accounts on Exchange servers.

The reliance on official documents as lures, therefore, marks a deviation from previously observed activity, "indicative of ITG05's increased emphasis on a unique target audience whose interests would prompt interaction with material impacting emerging policy creation."

"It is highly likely the compromise of any echelon of global foreign policy centers may aid officials' interests with advanced insight into critical dynamics surrounding the International Community's (IC) approach to competing priorities for security and humanitarian assistance," the researchers said.

The development comes as CERT-UA linked the threat actor known as UAC-0050 to a massive email-based phishing attack against Ukraine and Poland using Remcos RAT and Meduza Stealer.

Originally published on the WeChat public account 知机安全: Cyber Espionage: Russian APT28 Hackers Target 13 Countries Worldwide

Posted by admin on 2023-12-13 13:56:58. Please keep this link when reposting (CN-SEC: thanks to the original author for their work): https://cn-sec.com/archives/2293678.html