“It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting,” the press release says, “since it was not after a specific region and the victims came from different places in the world.”
Russian hackers recently attacked a number of embassies in Europe by emailing malicious attachments disguised as official State Department documents to officials, according to a new report from Check Point Research.
Government finance officials were also subject to these attacks, and Check Point notes that these victims were of particular interest to the hackers. “They all appear to be handpicked government officials from several revenue authorities,” the press release says.
While Russian in origin, it’s unlikely that these attacks were state-sponsored. One perpetrator was traced back a hacking and carding forum and registered under the same username, “EvaPiks,” on both. EvaPiks posted instructions for how to carry out this kind of cyberattack on forums and advised other users as well.
The hackers appeared to be highly sophisticated, carefully planning out the attacks, using decoy documents tailored to their victim’s interests, and targeting specific government officials. At the same time, other stages of the attack were carried out with less caution leaving personal information and browsing history belonging to the perpetrator exposed.
Check Point identified several other similar attack campaigns, including some targeting Russian-speaking victims as well.
The hackers targeted European embassies in Nepal, Guyana, Kenya, Italy, Liberia, Bermuda, and Lebanon, among others. They typically emailed the officials Microsoft Excel sheets with malicious macros that appeared to have originated from the United States State Department. Once opened, the hackers were able to gain full control of the infected computer by weaponizing installed software called TeamViewer, a popular remote access service.
Due to the attackers’ background in the illegal carding community, Check Point suggested that they could have been “financially motivated.”