The Russia-linked threat actor known as APT29 targeted European diplomatic missions and Ministries of Foreign Affairs as part of a series of spear-phishing campaigns mounted in October and November 2021. The spear-phishing attacks commenced with a COVID-19-themed phishing email impersonating the Iranian Ministry of Foreign Affairs and contained a malicious HTML attachment. According to ESET’s T3 2021 Threat Report, the intrusions paved the way for the deployment of Cobalt Strike Beacon on compromised systems, followed by leveraging the foothold to drop additional malware for gathering information about the hosts and other machines in the same network. Also tracked under the names The Dukes, Cozy Bear, and Nobelium, the advanced persistent threat group is an infamous cyber-espionage group that has been active for more than a decade, with its attacks targeting Europe and the US, before it gained widespread attention for the supply‐chain compromise of SolarWinds, leading to further infections in several downstream entities, including US government agencies in 2020.
Phishing remains one of the most common ways for threat actors to gain initial access, even for sophisticated threat actors like state sponsored APTs. Phishing will often be themed around things that would be urgent, like tax messages around the tax submission deadline, or a large credit card charge. COVID-themed lures have been common since March 2020 and continue to be used in 2022, so be wary if you receive an email that is COVID related that seems urgent.