
Russian APT Impersonates Kaspersky in Targeted Embassy Cyber Espionage

AI-generated image for: Russian hackers impersonate Kaspersky in a cyber espionage campaign against embassies

A new cyber espionage campaign attributed to Russian state-sponsored hackers has been targeting foreign diplomatic missions with alarming sophistication. Microsoft's Threat Intelligence team recently uncovered the operation, which involves the attackers impersonating cybersecurity firm Kaspersky Lab to gain the trust of their targets.

The modus operandi begins with carefully crafted spear-phishing emails sent to embassy staff. These messages appear to contain urgent security alerts or software updates from Kaspersky, complete with authentic-looking branding and formatting. When recipients click on the embedded links, they're directed to download what appears to be legitimate Kaspersky antivirus software.

However, the downloaded files actually contain custom malware designed for intelligence gathering. The malicious code establishes persistent access to the victim's systems, allowing the attackers to exfiltrate sensitive diplomatic communications, access credentials, and other classified information.

Technical analysis reveals the malware employs several advanced evasion techniques:

  • Process hollowing to hide malicious activity within legitimate system processes
  • Encrypted command-and-control communications
  • Lateral movement capabilities within network environments

Microsoft has attributed this campaign with high confidence to APT29 (also known as Cozy Bear), a hacking group associated with Russia's Foreign Intelligence Service (SVR). This group has been previously linked to high-profile attacks including the 2020 SolarWinds breach.

The choice to impersonate Kaspersky is particularly noteworthy. As a Russia-based cybersecurity company, Kaspersky may appear as a more credible source to embassy staff handling Russia-related matters. This demonstrates the attackers' sophisticated understanding of their targets' psychology and operational context.

Security recommendations:

  1. Implement advanced email filtering for diplomatic correspondence
  2. Establish strict verification procedures for all software updates
  3. Monitor for unusual network traffic patterns
  4. Conduct staff awareness training on advanced phishing tactics

Kaspersky Lab has issued a statement confirming that it is not associated with this campaign and is working with authorities to investigate the impersonation.

NewsSearcher AI-powered news aggregation
