Montenegro targeted ahead of NATO accession

23 June 2017

It has recently been publicly revealed that the group known as APT 28 or Sofacy targeted the Montenegrin government in the run-up to the country’s accession to NATO, something that has been reported on previously in PwC’s subscription threat intelligence reporting. Lure documents with a NATO theme were used in spear phishing campaigns and this threat actor has also previously been seen to register domain names imitating the Montenegrin government.

It is widely held to be a Russia-based threat actor with close alignment to Moscow’s strategic interests. Russia and Montenegro have a history of close cooperation and its entry into NATO has undermined Moscow’s influence in the Balkans region. Montenegro was officially invited to become a member of NATO in May 2016, prompting Moscow to threaten the imposition of sanctions against that country, and bilateral tensions have since increased. Nevertheless, Montenegro formally joined the Alliance on 5th June 2017.

NATO expansion has been a perennial thorn in the side of relations between Russia and the West, and the accession of countries that Moscow views as being within its traditional ‘sphere of influence’ has served to exacerbate these tensions. Looking forward, NATO activities – including both future membership pathways, as well as military manoeuvres – will remain of interest to a variety of threat actors with strategic interest in military activities and geopolitical activity.

Implications of Montenegro cyber targeting

Whilst at first glance it may seem such attacks do not need to be given serious consideration by non-government entities, it is important to remember that threat actors often use an ‘island hopping’ approach when seeking to compromise targets. This threat was highlighted in our recent Operation Cloud Hopper report, which detailed an espionage campaign targeting managed IT service providers.

Threat actors will often look for the easiest way into an organisation and in some instances this may be via the compromise of a third party and then pivoting towards the main target, rather than targeting the intended victim directly. Third parties, for example, may have less rigorous security procedures or inferior capabilities compared to the contracting firm, at the same time as having privileged access to networks or physical facilities.

Threat actors seeking to attack government entities may therefore target service providers, consultants or other professional services with links to the ultimate target in order to make their activity less obvious. Government entities will remain an attractive target to a wide variety of malicious threat actors and it is therefore important to take into account the profiles of other entities you have exposure to – and not just to focus solely on your own operations.


[3] Subscribers to PwC threat intelligence can read more about this in our report CTO-SIB-20160623-01A Strategic Sofacy.



Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated and will not appear until the author has approved them.