EU-based organizations are being targeted by spear phishing campaigns taking advantage of EU political and diplomatic events, according to the bloc’s Computer Emergency Response Team (CERT-EU).
In his Threat Landscape Report 2023published on February 15, 2024, CERT-EU found that lures exploiting the European agenda were commonplace in 2023.
“In recent years, 2023 was the first time we observed so many attacks in a short period (a few months) directly linked to the EU’s political consultation and decision-making structure,” the researchers wrote of CERT-EU.
The threat actors sent spear phishing emails containing malicious attachments, links or decoy PDF files that were originally internal or publicly accessible documents related to EU affairs and policies.
The Chinese-backed threat actor Mustang Panda has used this tactic since at least 2022.
These lures included mentions of the following EU bodies, programs and events:
- Swedish Presidency of the Council of the European Union
- EU Summit – Community of Latin American and Caribbean States (CELAC)
- External Relations Advisors Working Group (RELEX)
- EU LegisWrite (a publishing program of the European Commission)
The threat actors “did not necessarily target the organizations mentioned”, but directed their malicious campaigns towards individuals and organizations involved in EU policies and events and might be tempted to click on the link or the malicious document.
“To make the spear phishing message even more credible, the attackers often posed as staff members of Union entities or public administrations of EU countries,” the report adds.
The main targets of the private sector: diplomacy, defense and transport
Spear phishing remained the most common initial access technique used by malicious actors targeting EU-based organizations in 2023.
Apart from public administration entities, the sectors most targeted by spear phishing campaigns in 2023 were the diplomacy, defense and transport sectors.
CERT-EU has observed the emergence of spear phishing tactics as malicious actors diversify their communication channels, including instant messaging applications and social media.
These included:
- A Union entity reported targeted emails and WhatsApp messages impersonating a unit head of the entity.
- The head of an EU entity was the target of a smishing attack (SMS phishing) aimed at distributing mobile spyware.
Some also combine spear phishing campaigns and information operations.
“We consider that spear phishing operations carried out as a preamble to fuel information operations constitute a major threat to Union entities, particularly in view of the next European elections in May 2024,” we can read in The report.
Other key findings from the CERT-EU 2023 Threat Landscape Report
Other highlights of The report include:
- 80 threat actors targeted EU entities or their surrounding areas in 2023, the vast majority of which came from China or Russia.
- Cyber espionage was the main motivation, accounting for 73% of total cases.
- Emerging diversification in the origin of cyberattacks, driven in part by increased activity by private sector offensive actors (PSOA)
- Ransomware remained the predominant cybercrime activity in 2023, but no significant ransomware breaches affecting EU entities were observed.
- A total of at least 55 ransomware operations and 906 victims, with LockBit responsible for 25% of the total cases.
- Significant attacks against products in various categories, including networking (Fortinet, Cisco, Citrix…), development tools and IDE (JetBrains, Python libraries…), security (1Password, LastPass…), management tools content or collaboration (WordPress, Atlassian Confluence, etc.), and cloud services (Azure, JumpCloud, etc.)