It’s getting cloudy – peering into the recent APT29 activities
CERT Polska
As a national CERT, we come across many intriguing malware campaigns targeting Polish organizations and institutions. Last year, we saw several threat actors targeting a number of European embassies and MFAs, but one group looked especially interesting – APT29. While the selection of attacked institutions was interesting, what really struck a chord was the use of multiple legitimate services as covert C&C servers.
We continued to track the campaigns deployed by the actor for almost a year and gathered enough information to allow us to co-publish several reports on the malware activities and tooling.
In this talk we’ll examine the methods the attackers used to stay undetected and go a little behind the scenes of the public reports.