In late February 2024, the Russian-backed threat group APT29, also known as Cozy Bear and linked to Russia's Foreign Intelligence Service (SVR), used a new backdoor variant called WINELOADER to target German political parties. This marks a departure from APT29's typical targeting of governments and diplomatic missions. The phishing campaign involved sending emails with a CDU-themed lure document to victims, directing them to a malicious ZIP file containing the ROOTSAW dropper. ROOTSAW delivered a second-stage CDU-themed lure document and the WINELOADER payload. The WINELOADER backdoor communicates with its command-and-control (C2) server over HTTP GET requests and includes anti-analysis techniques. It can be used to execute new modules and update sleep timers based on commands from the C2 server [e1f8d559].
The activity suggests a broad threat to European and Western political parties, as APT29's interest in political parties is likely driven by the SVR's responsibility to collect political intelligence and Moscow's geopolitical interests. Western political parties from across the political spectrum could be future targets for SVR-linked cyber espionage. The WINELOADER backdoor shares features with other APT29 malware families, indicating a common developer. Mandiant has provided technical details and MITRE ATT&CK techniques associated with the campaign [e1f8d559].
This development highlights the ongoing cybersecurity concerns surrounding APT29 and its activities. APT29, a highly sophisticated threat group, has been active since at least 2008 and has targeted a wide range of organizations, including governments, diplomatic missions, and now political parties. The group is known for its long-running, persistent intrusion campaigns and has been linked to the Russian government. The use of WINELOADER in this campaign demonstrates the group's evolving tactics and techniques [e1f8d559].