Hackers Exploit EU Agenda in Spear Phishing Campaigns

Organizations based in the EU are being targeted by spear phishing campaigns leveraging EU political and diplomatic events, according to the bloc’s Computer Emergency Response Team (CERT-EU).

In its Threat Landscape Report 2023, published on February 15, 2024, CERT-EU found that lures exploiting the EU agenda have been rife in 2023.

“In recent years, 2023 was the first time that we observed so many attacks in a short period of time (a few months) being directly linked to the EU political consultation and decision-making structure,” CERT-EU researchers wrote.

Threat actors sent spear phishing emails containing malicious attachments, links, or decoy PDF files that were originally internal or publicly available documents related to EU affairs and policies.

China-backed threat actor Mustang Panda has been using this tactic since at least 2022.

These lures included mentions of the following EU bodies, programs and events:

• Swedish Presidency of the Council of the European Union
• EU – Community of Latin American and Caribbean States (CELAC) Summit
• Working Party of Foreign Relations Counsellors (RELEX)
• EU LegisWrite (a European Commission editing program)

The threat actors “did not necessarily target the mentioned organizations,” but directed their malicious campaigns towards individuals and organizations involved in EU policies and events and might be tempted to click on the malicious link or document.

“To make the spear phishing message even more credible, the attackers often impersonated staff members of Union entities or the public administration of EU countries,” the report added.

Private Sector’s Primary Targets: Diplomacy, Defense and Transport

Spear phishing continued to be the initial access technique most used by threat actors targeting EU-based organizations in 2023.

Outside public administration entities, the industries most targeted by spear phishing campaigns in 2023 were the diplomacy, defense and transport sectors.

CERT-EU observed emerging spear phishing tactics, with threat actors diversifying their communication channels, including instant messaging apps and social media.

Those included:

• One Union entity reported targeted emails and WhatsApp messages impersonating a head of Unit of the entity
• The Head of a Union entity was targeted with a smishing (SMS phishing) attack attempting to deliver mobile spyware

Some were also found to combine spear phishing campaigns with information operations.

“We assess that spear phishing operations executed as a preamble, to feed information operations constitute a major threat to Union entities, especially in view of the upcoming EU elections of May 2024,” read the report.

Other Key Findings in CERT-EU’s Threat Landscape Report 2023

Other highlights from the report include:

• 80 threat actors targeted Union entities or their vicinity in 2023, with a vast majority from either China or Russia
• Cyber espionage was the top motivation, accounting for 73% of the total cases
• An emerging diversification in the origin of cyber-attacks, partly due to increased activity of private sector offensive actors (PSOAs)
• Ransomware remained the predominant cybercrime activity in 2023, but no significant ransomware breach affecting Union entities was observed
• A total of at least 55 ransomware operations and 906 victims, with LockBit responsible for 25% of the total cases
• Significant attacks against products in various categories, including networking (Fortinet, Cisco, Citrix…), development tools and IDEs (JetBrains, Python libraries…), security (1Password, LastPass…), content management or collaboration tools (WordPress, Atlassian Confluence…), and cloud services (Azure, JumpCloud…)