Embassies targeted in ongoing spearphishing campaign that weaponized Microsoft Excel files

Hackers filled emails with U.S. State Department logos and “Top Secret” labels to trick victims into believing they were legitimate.
Embassies around the world have been targeted in a recent spate of spearphishing email attacks from Russian hackers, according to a new report from researchers at Check Point Technologies.

The emails, which the hackers filled with U.S. State Department logos and “Top Secret” labels to trick victims into believing they were legitimate, were actually laced with malicious Microsoft Excel files. The documents were capable of leveraging a trojanized version of remote access software, TeamViewer, to gain control of infected computers.

After gaining access and control, the hackers’ code allowed them to take screenshots of the victims’ PCs, which let them steal victims’ usernames and login credentials.

They’ve had access to “everything,” Check Point’s Threat Intelligence Group Manager Lotem Finkelsteen tells CyberScoop. “Databases, personal data, documents, networks, other devices connected. They have full access to the infected device.”


The hackers succeeded in gaining full control of many of the computers they targeted, including in embassies run by Bermuda, Guyana, Liberia, Lebanon and Nepal. The hackers were unsuccessful in attacks targeting embassies belonging to Italy and Kenya, according to Finkelsteen.

All of the targeted embassies are located in Europe, according to researchers. This could mark a new phase for the attackers, who have previously focused on mostly Russian-speaking targets.

This is not the first time these hackers have attacked — but they were more targeted in their approach this time. For instance, the files and emails the hackers sent were tailored to individuals and their roles and interests, Finkelsteen tells CyberScoop.

“This is the first time [they’re] doing targeted attacks,” Finkelsteen said. “They were targeting much broader” intentions in previous hacks.

Victims would not necessarily be aware they were infected because the attackers’ code concealed the TeamViewer interface. Likewise, screenshots that were taken were systematically deleted.


They also narrowed their campaign to target government finance officials, so it’s possible the hackers had a financial motive.

“We think that one possible explanation is the financial gain they’re trying to gain out of this attack. In this case we suspect that [the attack is] trying to gain access to high-profile bank accounts,” Finkelsteen said.

Despite the narrow targeting, Check Point researchers assess that it is likely not state-sponsored given the fact that it is “not after a specific region and the victims came from different places in the world.”

The hackers were even careless at some points in the operation — for instance, some parts of the malicious Excel sheets contained Cyrillic letters, and in some cases had instructions on how to run them in fluent Russian. Check Point researchers believe the person behind the attack may have even exposed some of the attack methods in online forums while seeking advice about hacking under the username “EvaPiks.”

The campaign is ongoing, so the hackers’ motive in targeting these officials is unclear. The financial credentials and databases could just be “leveraged to something else that has nothing to do with money,” Finkelsteen said.


Of particular concern is the fact that the trojanized TeamViewer could allow the attacker to launch additional payloads to move the attack to a new phase, but Check Point researchers have not yet identified any new attack vectors.

“We suspect this is not the last stage,” Finkelsteen said.

The Verge first reported on Check Point research.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.