Polish government bodies have been targeted this week by Fancy Bear (also known as APT28), a Russian cyber espionage group working on behalf of the Kremlin, according to NASK, a Polish state research institute.
NASK’s computer emergency response team and the defence ministry’s computer security incident response team “observed a large-scale malware campaign targeting Polish government institutions this week”, announced NASK on Wednesday.
“Based on technical indicators and the similarity to past attacks (including on Ukrainian entities), the campaign can be linked to the activities of APT28, which is associated with the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU),” NASK added.
⚠️ Important! ⚠️
This week the @CERT_Polska and @CSIRT_MON teams observed a broad malware campaign targeting Polish government institutions. The attacks can be linked to the activities of the APT28 group, which is associated with Russia (#Rosja).
Details ➡️ https://t.co/W6UDEMk5Ac
— NASK (@NASK_pl) May 9, 2024
The agency noted that the attempted attacks involved sending an email containing claims about an alleged “mysterious Ukrainian woman in Warsaw” who has connections to the “highest-ranking authorities in Poland and Ukraine”.
The email then encouraged the reader to click a link to receive more information about her, but the link in fact downloaded malware onto their device.
NASK did not reveal which institutions were targeted nor whether they had been compromised. But it included a set of recommendations for network administrators on how to check whether their organisation’s employees had been subject to such attacks and how to prevent them.
"Poland is in a cyber cold war with Russia," says digital affairs minister @KGawkowski after talks with his Ukrainian counterpart @FedorovMykhailo.
"The cyber threats from Russia towards Poland and Ukraine are very similar" https://t.co/a5ufEMLXyL
— Notes from Poland 🇵🇱 (@notesfrompoland) May 7, 2024
Fancy Bear/APT28 has previously been implicated in attacks on the White House, NATO and Germany’s parliament, among other targets. The group has been identified by various experts and institutions, including the British Foreign Office, as working as part of or on behalf of the GRU.
Earlier this week, Poland’s digital affairs minister, Krzysztof Gawkowski, declared that “Poland is in a cyber cold war with Russia” and that it has been subject to “very similar” attacks to those faced by Ukraine.
Last year, the then Polish government blamed Russian hackers for a coordinated attack on a number of Polish media websites. It previously also blamed Russia for the hacking and leaking of emails from the then prime minister’s chief of staff.
Daniel Tilles is editor-in-chief of Notes from Poland. He has written on Polish affairs for a wide range of publications, including Foreign Policy, POLITICO Europe, EUobserver and Dziennik Gazeta Prawna.