At least 40 advanced persistent threat (APT) groups have trailed their sights on several European countries over the years, and that isn’t surprising, given that the continent serves as the headquarters of renowned international organizations like the European Union Agency for Law Enforcement Cooperation (Europol), INTERPOL, and the North Atlantic Treaty Organization (NATO).

In response, the WhoisXML API research team recently analyzed six APT groups that have targeted European countries in a bid to identify as many threat artifacts as possible.

Download our white paper “A Study of APT Groups Known for Targeting European Countries” to explore our complete insights that leverage comprehensive WHOIS and passive DNS data.

Methodology

Our latest APT group report, this time focusing on malicious actors hoping to spy on nations and organizations based in Europe, features six groups—APT28, BackdoorDiplomacy, Kimsuky, MoustachedBouncer, Muddy Water, and ToddyCat.

We began our study by looking for APT groups that launched campaigns against European countries and institutions. Forty such groups were listed on the MITRE ATT&CK page, which were filtered using two criteria:

• Groups that launched attacks targeting European countries from 2023 onward
• Groups active in 2023 onward in other regions (e.g., Asia-Pacific, etc.) yet targeted European countries in the past

WHOIS History API queries were then performed for the APT groups for which domains were identified as indicators of compromise (IoCs) to look for email addresses in their historical WHOIS records. Email addresses tagged as IoCs for some of the groups were added to the final lists.

To obtain insightful email-connected artifacts, we separated the public from privacy-protected email addresses and queried the public ones on:

• Reverse WHOIS API to obtain domains containing the email addresses in their current WHOIS records
• DRS Reverse WHOIS Search to collate domains containing the email addresses in their historical WHOIS records

That left us with a final list of six APT groups for our study. After obtaining email artifacts for the groups, we used Screenshot API to determine if any of the connected artifacts remained accessible.

Finally, we looked deeper into four APT groups for which IP addresses were named as IoCs using data from Premium DNS Database.

Preview of Study Findings

Our study of the six APT groups targeting Europe yielded these findings:

• 50+ domains containing the public email addresses in their current WHOIS records
• 12,200+ domains containing the public email addresses in their historical WHOIS records
• 2,500+ email-connected domains that remain active as of the paper’s writing
• 15,100+ fully qualified domain names (FQDNs) hosted on the IP addresses identified as IoCs for four of the six APT groups under 1,000+ root domains

Get a glimpse of an extract from our white paper showcasing our findings for BackdoorDiplomacy.

A Closer Look at BackdoorDiplomacy

BackdoorDiplomacy, an APT group believed to be based in China, has been around since at least 2017. While it most recently targeted Southeast Asian governments using an upgraded version of the EAGERBEE malware, it also went after foreign affairs ministries and telecommunications companies in Europe, Africa, the Middle East, and Asia in 2021.

Jumping off 14 domains identified as IoCs for the group’s latest attack, we found 39 email addresses in their historical WHOIS records, 10 of which turned out to be public. Reverse WHOIS searches for these email addresses led to the discovery of:

• 26 email-connected artifacts based on current WHOIS records
• 12,018 email-connected artifacts based on historical WHOIS records

Pivoting off 38 IP addresses tagged as IoCs, meanwhile, Premium DNS Database enabled us to find 14,318 FQDNs under 1,071 root domains. Note, too, that these FQDNs were last visited between August 2023 and July 2024.

Want to check out all findings of our study? Download our complete white paper “A Study of APT Groups Known for Targeting European Countries” now.