State-linked Russian operators have continued to refine two complementary approaches that put European diplomats and their credentials at acute risk: APT29’s targeted diplomatic phishing and post-compromise abuse of Windows credential roaming, and APT28’s use of compromised SOHO routers to harvest authentication material and stage relay attacks. Understanding both tradecraft lines is essential for defensible controls that protect people, accounts, and the network perimeter.

APT29 has repeatedly weaponized diplomatic themes and event lures to deliver staged payloads that evade broad collection and analysis. The group’s ROOTSAW HTML smuggling family was used to hide first-stage JavaScript droppers and to deliver downloaders such as MUSKYBEAT and ICEBEAT. In 2023 researchers observed robust server-side filtering added to ROOTSAW variants, including user-agent and IP checks, so that only vetted victims receive the real payload while others are served decoy documents. This filtering, together with the move toward hosting first-stage payloads on compromised web servers, makes bulk collection and sandboxing far less effective.

Beyond delivery technique, APT29 has shown an appetite for living-off-the-land abuse of Windows Active Directory features. In a documented early 2022 incident, the actor exploited the lesser-known Windows Credential Roaming mechanism and triggered atypical LDAP queries against msPKI-related attributes. Researchers found an arbitrary file write condition tied to credential roaming that could be weaponized to achieve remote code execution if systems remained unpatched. This is not a theoretical curiosity for diplomats. Credential roaming stores user credential blobs inside AD attributes, and those attributes become an attack surface when defenders do not know to monitor them.

APT28’s operational profile has focused on using compromised Ubiquiti EdgeRouter devices and other SOHO routers as covert infrastructure. By leveraging default or weak credentials and installing trojans such as Moobot, the actor gained root on routers and used them to collect credentials, proxy traffic, host spearphishing landing pages, and stage NTLM relay workflows. APT28 actors have also exploited a critical Outlook flaw that allowed the exfiltration of NTLMv2 digests for relay attacks. The operational result is a low-cost, high-reach capability to harvest or validate credentials belonging to high-value webmail and mail users.

What defenders in diplomatic missions must accept now is that attackers combine authentic-looking lures with covert infrastructure and feature abuse to bypass naive protections. Counters must be layered and practical. Below are prioritized, actionable controls and detection steps that reduce risk for diplomats and their IT teams.

High priority mitigations

  • Patch and harden first. Ensure Windows hosts and Active Directory domain controllers have applied the September 13, 2022 fixes for CVE-2022-30170 and that all Outlook and Exchange updates addressing CVE-2023-23397 are deployed where relevant. Patch management reduces the most straightforward privilege escalation and digest-exfiltration paths.

  • Remove or restrict Credential Roaming where not needed. If your environment does not rely on Windows Credential Roaming, disable the functionality. Where it must remain enabled, audit ms-PKI* attributes and restrict write permissions to a small set of administrative accounts. Hunting for unexpected writes to msPKIAccountCredentials is a concrete detection hypothesis.

  • Enforce modern authentication and strong MFA. Move services and accounts off legacy authentication paths that accept NTLM where possible. Require phishing-resistant MFA for privileged and high-risk accounts. Reducing the value of harvested digests and passwords is the single most effective way to blunt these campaigns.

Router and infrastructure hygiene

  • Treat SOHO and branch routers as part of the trust boundary. Reset routers, update their firmware, and replace any that cannot be brought to the latest supported firmware. Change default credentials and remove exposed remote management interfaces from the WAN where possible. The joint advisory tied many intrusions to routers that retained default or weak credentials.

  • Factory reset compromised devices. When indicators of compromise exist on EdgeRouters, a full factory reset is recommended rather than just configuration changes. Inspect router file systems where possible for actor scripts and keys. The investigative playbook used in public disclosures includes searching for custom Python scripts and OpenSSH trojans on the router file system.

Email and endpoint controls

  • Tighten email hygiene. Implement advanced link protection, URL rewriting, and remote content detonation to stop HTML smuggling and chained ISO or LNK payloads from reaching endpoints intact. Configure email gateways to block or quarantine ISO, LNK, and unexpected archive types when arriving from external senders, and apply contextual policies for invites and calendar-style lures.

  • Apply endpoint containment and EDR rules for staging behaviors. Look for processes creating HTML files on disk from PDFs, or suspicious write behavior that drops ISO files or LNK objects. Detect execution patterns where a benign binary executes a DLL from a decompressed archive. These behaviors match the delivery chains observed in ROOTSAW-based campaigns.

Detection and hunting

  • Hunt for anomalous LDAP queries and msPKI attribute access. Mandiant documented atypical LDAP activity in the APT29 case. Create detection rules that alert on unusual msPKIAccountCredentials writes or unexpected large volume reads of ms-PKI attributes. Correlate LDAP anomalies with endpoint alerts for suspicious file writes.

  • Monitor for proxying and unusual outgoing flows from router IPs. APT28 used compromised routers as reverse proxies and C2 hops. Network telemetry that flags unexpected application layer connections, unusual use of iptables or unexpected reverse SSH tunnels, or traffic to anti-captcha APIs used by attackers to validate webmail logins can be high fidelity indicators. Block or escalate contacts with known malicious support APIs where possible.
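As an added detection example for the credential-roaming hunt above (not code from the article or any cited vendor), the following Python checks constructed log lines for two signals: a roaming attribute modified by a principal other than the object's own user or an allowlisted administrator, and repeated LDAP searches requesting roaming attributes. The key=value line layout, the DIPLO domain, the allowlist, and the assumption that normal roaming sync is a self-write are all assumptions of the example.

```python
import re
from collections import Counter

# Real AD attribute names that hold Windows Credential Roaming data.
ROAMING_ATTRS = {"msPKIAccountCredentials", "msPKIDPAPIMasterKeys",
                 "msPKIRoamingTimeStamp"}
ALLOWED_WRITERS = {"DIPLO\\pki-admin"}  # hypothetical allowlisted admin account
READ_THRESHOLD = 3  # roaming-attribute searches per subject before alerting

# Constructed key=value lines modelled on Security Event 5136 (directory object
# modified) fields and DC LDAP search logging; this layout is an assumption for
# the example, not a real export format.
SAMPLE_LOGS = r"""
evt=5136 subject=DIPLO\jdoe object=CN=jdoe,OU=Users,DC=diplo,DC=example attr=msPKIAccountCredentials op=ValueAdded
evt=5136 subject=DIPLO\svc-backup object=CN=amartin,OU=Users,DC=diplo,DC=example attr=msPKIAccountCredentials op=ValueAdded
evt=5136 subject=DIPLO\pki-admin object=CN=amartin,OU=Users,DC=diplo,DC=example attr=msPKIDPAPIMasterKeys op=ValueDeleted
evt=5136 subject=DIPLO\jdoe object=CN=jdoe,OU=Users,DC=diplo,DC=example attr=description op=ValueAdded
evt=ldapsearch subject=DIPLO\svc-backup attrs=msPKIAccountCredentials,msPKIDPAPIMasterKeys base=DC=diplo,DC=example
evt=ldapsearch subject=DIPLO\svc-backup attrs=msPKIAccountCredentials base=DC=diplo,DC=example
evt=ldapsearch subject=DIPLO\svc-backup attrs=msPKIDPAPIMasterKeys base=DC=diplo,DC=example
evt=ldapsearch subject=DIPLO\jdoe attrs=mail,displayName base=DC=diplo,DC=example
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def owner_of(dn):
    """Leading RDN value, e.g. 'jdoe' from 'CN=jdoe,OU=Users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def hunt(log_text):
    """Return alerts for suspicious roaming-attribute writes and read bursts."""
    alerts, reads = [], Counter()
    for line in log_text.strip().splitlines():
        ev = dict(FIELD_RE.findall(line))
        subj = ev["subject"]
        sam = subj.split("\\", 1)[-1].lower()
        if ev["evt"] == "5136" and ev.get("attr") in ROAMING_ATTRS:
            # Rule 1: roaming attribute changed by someone other than the
            # object's own user (assumed normal roaming sync) or an allowlisted admin.
            if subj not in ALLOWED_WRITERS and sam != owner_of(ev["object"]):
                alerts.append(("roaming_write", subj, ev["object"], ev["attr"]))
        elif ev["evt"] == "ldapsearch":
            # Rule 2: count searches that request any roaming attribute.
            if ROAMING_ATTRS & set(ev.get("attrs", "").split(",")):
                reads[subj] += 1
    for subj, n in reads.items():
        if n >= READ_THRESHOLD:
            alerts.append(("roaming_read_burst", subj, n))
    return alerts
```

Feed real Event 5136 exports through the same two rules once the field mapping is adapted to your SIEM's schema.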
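For the router egress monitoring described in the last bullet, here is an added Python triage over constructed flow records (not telemetry from the advisory or any vendor). It keeps only flows the router itself initiated, drops an expected-egress baseline, and then flags long-lived outbound SSH (a reverse-tunnel signature), contact with CAPTCHA-solving service hosts, and any other unexpected router-originated connection. The router inventory, baseline, solver blocklist entry and CSV column layout are all assumptions.

```python
import csv
import io

ROUTER_IPS = {"203.0.113.10", "203.0.113.11"}  # hypothetical router WAN addresses
EXPECTED_EGRESS = {("198.51.100.5", 53), ("198.51.100.6", 123)}  # DNS and NTP the routers use
SOLVER_HOSTS = {"captcha-solver.invalid"}  # placeholder blocklist; fill from your own intel
TUNNEL_MIN_SECONDS = 600  # long-lived router-initiated SSH resembles a reverse tunnel

# Constructed flow records (not real telemetry):
# start,src,sport,dst,dport,duration_s,host
SAMPLE_FLOWS = """\
start,src,sport,dst,dport,duration_s,host
1717000000,203.0.113.10,51234,198.51.100.5,53,0,
1717000010,203.0.113.10,44110,192.0.2.44,22,7200,
1717000020,203.0.113.11,40011,192.0.2.90,443,2,captcha-solver.invalid
1717000030,10.0.0.23,50022,192.0.2.44,22,30,
1717000040,203.0.113.11,40012,198.51.100.6,123,0,
1717000050,203.0.113.10,44111,192.0.2.77,8080,5,
"""

def triage_flows(csv_text):
    """Return (rule, src, dst, dport) alerts for router-originated flows."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst, dport = row["src"], row["dst"], int(row["dport"])
        if src not in ROUTER_IPS:
            continue  # only flows the router itself initiated are in scope
        if (dst, dport) in EXPECTED_EGRESS:
            continue  # baseline: the router's own DNS/NTP traffic
        if row["host"] in SOLVER_HOSTS:
            alerts.append(("captcha_solver_contact", src, dst, dport))
        elif dport == 22 and int(row["duration_s"]) >= TUNNEL_MIN_SECONDS:
            alerts.append(("possible_reverse_ssh", src, dst, dport))
        else:
            alerts.append(("unexpected_router_egress", src, dst, dport))
    return alerts
```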

Operational hygiene and people

  • Train for credential harvesting playbooks. Diplomats and staff are frequent targets of event-based lures. Regular, realistic phishing simulations that include calendar invites, PDF attachment lures, and archive-based payloads raise the baseline resistance of staff. Emphasize reporting over punishment so suspicious messages are triaged quickly.

  • Presume compromise and practice containment. Given the sophistication observed in these actors, defenders should assume initial access will occur. Regular tabletop exercises that rehearse containment of a phish-initiated foothold and safe rebuild procedures for mail and endpoint services keep downtime and data loss to a minimum.

Final notes and risk tradeoffs

Attackers remain creative. APT29’s server-side filtering and ROOTSAW variants make bulk collection harder and reduce the utility of signature-only defenses, while APT28’s router-based infrastructure shows that threats often live outside the corporate network in unmanaged appliances. Defense requires thoughtful configuration of long-overlooked systems, better telemetry around Active Directory internals, and investments in phishing-resistant authentication and modern email defenses. The cleanest and fastest reduction of risk is patching, disabling unneeded features like credential roaming, and treating routers and branch devices as first-class security assets.

If you are responsible for a diplomatic or ministry network, start by inventorying every router on your external perimeter, verify firmware and credential posture, and then turn to AD hygiene reviews focused on ms-PKI attributes and LDAP behavior. Those steps will close the most direct doors these actors have relied on in recent campaigns.