Russian APT29 Threat Group Strikes Political Parties in Germany

By: Austin Ukpebor - March 23, 2024 at 13:20:46

In a concerning development, the Russian threat group APT29, also known as Cozy Bear, has been identified targeting political parties in Germany with a phishing-driven malware campaign. The campaign was uncovered by Mandiant, the threat intelligence firm owned by Google Cloud, and pairs phishing lures with a newly identified backdoor that Mandiant tracks as WINELOADER.


APT29 has a long history of cyber espionage, including the SolarWinds supply-chain compromise disclosed in 2020. The attacks in Germany resemble earlier APT29 campaigns that used the malware families BURNTBATTER, MUSKYBEAT and BEATDROP, and Mandiant reads the overlap as evidence of a common developer or development team behind the group's tooling.


According to Mandiant's analysis, the intrusion begins with a phishing email carrying a malicious link. The link leads the victim to download a ZIP archive containing a first-stage dropper that Mandiant tracks as ROOTSAW. Once the victim opens it, ROOTSAW retrieves and installs WINELOADER, a backdoor that gives the attackers persistent access to the compromised system.
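The chain described above (link, ZIP download, dropper launch, backdoor) is the kind of sequence a defender can correlate across proxy and endpoint telemetry. The following Python script is an added example, not code from the article or from Mandiant's report: it flags a host that downloads a ZIP archive and, within a short window, launches a script host against a file in a user-writable path, or runs a binary from such a path. The hostnames, URLs, file paths and the 15-minute window are constructed assumptions for illustration, not indicators from the campaign.

```python
import re
from datetime import datetime, timedelta

# How long after a ZIP download a launch from the extracted archive is still linked to it.
# The 15-minute window is an assumption for this example, not a value from the report.
WINDOW = timedelta(minutes=15)

# User-writable locations where an archive fetched from a phishing link is typically unpacked.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE
)

# Script hosts and living-off-the-land binaries a small first-stage dropper commonly runs under.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe"}

# Constructed telemetry for illustration: hosts, URLs and paths are hypothetical.
# Format: timestamp|host|proxy|url   or   timestamp|host|process|image|command line
SAMPLE_LOG = r"""
2024-03-01T09:12:03|ws-17|proxy|https://lure.example.invalid/invite/Reception.zip
2024-03-01T09:14:40|ws-17|process|C:\Windows\System32\mshta.exe|mshta.exe C:\Users\alice\Downloads\Reception\invite.hta
2024-03-01T10:02:11|ws-22|proxy|https://mirror.example.invalid/tools/7zip-extra.zip
2024-03-01T10:03:05|ws-22|process|C:\Program Files\7-Zip\7zG.exe|7zG.exe x C:\Users\bob\Downloads\7zip-extra.zip
2024-03-01T11:30:00|ws-31|process|C:\Users\carol\Downloads\setup.exe|setup.exe
2024-03-01T07:00:00|ws-40|proxy|https://files.example.invalid/report.zip
2024-03-01T09:40:00|ws-40|process|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\dan\Downloads\report\run.js
"""


def parse_event(line):
    """Split one pipe-delimited log line into a dict; process events carry image and command line."""
    ts, host, kind, *fields = line.split("|")
    event = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
    if kind == "proxy":
        event["url"] = fields[0]
    elif kind == "process":
        event["image"] = fields[0]
        event["cmdline"] = fields[1] if len(fields) > 1 else ""
    return event


def is_zip_download(event):
    """True for a proxy event whose URL path (ignoring any query string) ends in .zip."""
    return event["kind"] == "proxy" and event["url"].split("?", 1)[0].lower().endswith(".zip")


def is_suspicious_launch(event):
    """True when a script host is handed a file in a user-writable path, or a binary runs from one."""
    if event["kind"] != "process":
        return False
    name = event["image"].rsplit("\\", 1)[-1].lower()
    if name in SCRIPT_HOSTS and USER_WRITABLE.search(event["cmdline"]):
        return True
    return bool(USER_WRITABLE.search(event["image"]))


def find_zip_then_execute(lines, window=WINDOW):
    """Return one alert per suspicious launch that follows a ZIP download on the same host within the window."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    recent_zips = {}  # host -> list of (timestamp, url) seen so far
    alerts = []
    for event in events:
        if is_zip_download(event):
            recent_zips.setdefault(event["host"], []).append((event["ts"], event["url"]))
        elif is_suspicious_launch(event):
            for zip_ts, url in recent_zips.get(event["host"], []):
                delta = event["ts"] - zip_ts
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "host": event["host"],
                        "url": url,
                        "image": event["image"],
                        "cmdline": event["cmdline"],
                        "seconds_after_download": int(delta.total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_zip_then_execute(SAMPLE_LOG.splitlines()):
        print(f"[ALERT] {alert['host']}: {alert['cmdline']} ran "
              f"{alert['seconds_after_download']}s after {alert['url']}")
```

On the constructed sample only ws-17 fires: the legitimate archive tool on ws-22 is not a script host and runs from Program Files, ws-31 has no preceding ZIP download, and ws-40's launch falls outside the window. In production the window, path list and script-host set would be tuned to the environment, and the ZIP match would be widened to archive types the mail gateway actually allows through.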


WINELOADER is not new to the security community: it was first observed in operations against diplomatic entities in several countries, including Germany, India, Italy and Peru. Its reuse against German political parties underscores APT29's global reach and the persistence of the threat it poses.


German authorities and international cybersecurity agencies are on alert following the disclosure. Political parties and other likely targets are advised to strengthen their defenses and remain vigilant against phishing, in particular unsolicited links that lead to ZIP archives, the delivery vector used in this campaign.


As the situation unfolds, Mandiant and other cybersecurity experts continue to monitor APT29’s activities closely. They aim to thwart any further attacks and safeguard sensitive political information.