{
	"id": "84c8d54a-c934-4df3-a59d-d9577cfdf39c",
	"created_at": "2026-04-06T00:09:00.151432Z",
	"updated_at": "2026-04-10T03:36:59.271297Z",
	"deleted_at": null,
	"sha1_hash": "6b81bd8bfa0dee6e4e0a7cd1735229067f5be2de",
	"title": "Poland says Russian military hackers target its govt networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2762528,
	"plain_text": "Poland says Russian military hackers target its govt networks\r\nBy Sergiu Gatlan\r\nPublished: 2024-05-09 · Archived: 2026-04-05 14:34:11 UTC\r\nPoland says a state-backed threat group linked to Russia's military intelligence service (GRU) has been targeting Polish government institutions throughout the week.\r\nAccording to evidence found by CSIRT MON, the country's Computer Security Incident Response Team (led by the Polish Minister of National Defense), and CERT Polska (the Polish computer emergency response team), Russian APT28 state hackers attacked multiple government institutions in a large-scale phishing campaign.\r\nThe phishing emails tried to trick the recipients into clicking an embedded link that would supposedly give them more information about a \"mysterious Ukrainian woman\" selling \"used underwear\" to \"senior authorities in Poland and Ukraine.\"\r\nhttps://www.bleepingcomputer.com/news/security/poland-says-russian-military-hackers-target-its-govt-networks/\r\nPage 1 of 4\r\nOnce clicked, the link redirected them through multiple websites before landing on a page that downloaded a ZIP archive.\r\nThe archive contained a malicious executable disguised as a JPG image file and two hidden files: a DLL and a .BAT script.\r\nIf the target opens the camouflaged executable, it loads the DLL via DLL side-loading, which in turn runs the hidden script. The script displays a photo of a woman in a swimsuit in the Microsoft Edge browser as a distraction while simultaneously downloading a CMD file and changing its extension to JPG.\r\n\"The script we finally received collects only information about the computer (IP address and list of files in selected folders) on which they were launched, and then sends them to the C2 server. Probably computers of the victims selected by the attackers receive a different set of the endpoint scripts,\" CERT Polska said.\r\nThe tactics and infrastructure used in these attacks are identical to those used in another highly targeted campaign in which APT28 operatives used Israel-Hamas war lures to backdoor devices of officials from 13 nations, including United Nations Human Rights Council members, with Headlace malware.\r\nAPT28 attack flow (CERT Polska)\r\nSince it surfaced in the mid-2000s, the Russian state-backed hacking group has coordinated many high-profile cyber-attacks and was linked to GRU's Military Unit 26165 in 2018.\r\nAPT28 hackers were behind the hacks of the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC) before the 2016 U.S. Presidential Election, and the breach of the German Federal Parliament (Deutscher Bundestag) in 2015.\r\nThe United States charged multiple APT28 members for their involvement in the DNC and DCCC attacks in July 2018, while the Council of the European Union sanctioned APT28 in October 2020 for the Bundestag hack.\r\nOne week ago, NATO and the European Union, with international partners, also formally condemned a long-term APT28 cyber espionage campaign against multiple European countries, including Germany and Czechia.\r\nGermany said the Russian threat group compromised many email accounts belonging to members of the Social Democratic Party's executive committee. The Czech Ministry of Foreign Affairs also revealed that APT28 targeted some Czech institutions in the same Outlook campaign in 2023.\r\nThe attackers exploited the CVE-2023-23397 Microsoft Outlook vulnerability in that campaign, a security flaw used as a zero-day to target NATO members in Europe, Ukrainian government agencies, and NATO fast reaction corps starting in April 2022.\r\n\"We call on Russia to stop this malicious activity and abide by its international commitments and obligations. With the EU and our NATO Allies, we will continue to take action to disrupt Russia's cyber activities, protect our citizens and foreign partners, and hold malicious actors accountable,\" the U.S. State Department said in a statement.\r\nSource: https://www.bleepingcomputer.com/news/security/poland-says-russian-military-hackers-target-its-govt-networks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/poland-says-russian-military-hackers-target-its-govt-networks/"
	],
	"report_names": [
		"poland-says-russian-military-hackers-target-its-govt-networks"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775792219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b81bd8bfa0dee6e4e0a7cd1735229067f5be2de.pdf",
		"text": "https://archive.orkl.eu/6b81bd8bfa0dee6e4e0a7cd1735229067f5be2de.txt",
		"img": "https://archive.orkl.eu/6b81bd8bfa0dee6e4e0a7cd1735229067f5be2de.jpg"
	}
}