The Russia-linked APT29 nation-state actor has been found leveraging a "lesser-known" Windows feature called Credential Roaming following a successful phishing attack against an unnamed European diplomatic entity.
"The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting," Mandiant researcher Thibault Van Geluwe de Berlaere said in a technical write-up.
APT29, a Russian espionage group also called Cozy Bear, Iron Hemlock, and The Dukes, is known for its intrusions aimed at collecting intelligence that align with the country's strategic objectives. It's believed to be sponsored by the Foreign Intelligence Service (SVR).
#IoCs #Analysis #Campaign #Russia #ThreatActor #APT29 #CozyBear