APT29 Hackers Targeting German Political Parties, Mandiant Warns


Mandiant’s recent findings show Russia’s APT29 hacking group targeting political parties in Germany, suggesting a potential shift in operational focus beyond the group’s traditional diplomatic targets.

According to Mandiant, hackers associated with Russia’s SVR have broadened their scope to include German political parties in a sophisticated malware campaign featuring phishing tactics and a newly identified backdoor named Wineloader.

The attack campaign, documented by Mandiant, includes phishing emails sent to victims under the guise of a dinner reception invitation from Germany’s prominent political party, the Christian Democratic Union (CDU), in early March.

Victims were directed to a malicious ZIP file containing a malware dropper named Rootsaw, hosted on a compromised website controlled by the attackers. This dropper was designed to deploy Wineloader, a previously known backdoor primarily used in attacks targeting diplomatic entities across various countries.

Mandiant’s researchers highlighted that this marks the first instance of the APT29 cluster targeting political parties, signaling a potential expansion of their operational focus beyond conventional diplomatic missions.

The use of German-language lure content further underscores the group’s adaptability and evolving tactics, with Mandiant warning that APT29’s malicious activities are continually evolving in tandem with geopolitical shifts.

In addition to phishing attacks, Mandiant cautions that APT29 is actively targeting cloud-based authentication systems and employing brute force methods like password spraying in campaigns against Western entities.
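The password-spraying behaviour mentioned above (many accounts tried from one source, each with few attempts) leaves a distinctive pattern in sign-in logs. The detector below is an added example, not from Mandiant or the article; it assumes a simplified, constructed log format of `timestamp source_ip account result` and flags a source whose failed sign-ins cover at least five distinct accounts within a 30-minute window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): one spraying source,
# one legitimate user mistyping their own password, one source below threshold.
SAMPLE_EVENTS = [
    "2024-03-01T08:00:01Z 203.0.113.7 alice@example.org FAIL",
    "2024-03-01T08:00:03Z 203.0.113.7 bob@example.org FAIL",
    "2024-03-01T08:00:05Z 203.0.113.7 carol@example.org FAIL",
    "2024-03-01T08:00:07Z 203.0.113.7 dave@example.org FAIL",
    "2024-03-01T08:00:09Z 203.0.113.7 erin@example.org FAIL",
    "2024-03-01T08:00:11Z 203.0.113.7 frank@example.org SUCCESS",
    "2024-03-01T08:01:00Z 198.51.100.4 grace@example.org FAIL",
    "2024-03-01T08:01:10Z 198.51.100.4 grace@example.org FAIL",
    "2024-03-01T08:01:20Z 198.51.100.4 grace@example.org FAIL",
    "2024-03-01T08:01:30Z 198.51.100.4 grace@example.org SUCCESS",
    "2024-03-01T09:30:00Z 192.0.2.9 heidi@example.org FAIL",
    "2024-03-01T09:30:05Z 192.0.2.9 ivan@example.org FAIL",
]


def parse_event(line):
    """Split one constructed log line into (timestamp, ip, account, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_spray(lines, window=timedelta(minutes=30), min_users=5):
    """Return {source_ip: sorted distinct accounts} for every source whose
    failed sign-ins hit at least min_users distinct accounts inside any
    interval of length `window`. Repeated failures on a single account
    (a user mistyping a password) do not count towards the threshold."""
    fails = defaultdict(list)
    for line in lines:
        ts, ip, user, result = parse_event(line)
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, events in fails.items():
        events.sort()  # sliding window over time-ordered failures
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged
```

In a real deployment the same logic runs over the identity provider's sign-in audit log, and a flagged source that also has a SUCCESS event (as 203.0.113.7 does in the sample) is the highest-priority finding.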

Known by aliases such as Cozy Bear, the Dukes, and Nobelium, APT29 has been linked to numerous high-profile attacks, including the infamous 2020 SolarWinds supply chain breach.
