NATO and EU Condemn APT28’s Cyber Espionage Operations
May 5, 2024
Both NATO and the European Union have issued statements condemning the cyber espionage activities conducted by the APT28 threat actor, which is linked to Russia. This actor has been targeting various European nations. The Federal Government of Germany has strongly denounced the long-term espionage campaign led by APT28 against the Executive Committee of the Social Democratic Party of Germany.
The German Bundesregierung announced, “The Federal Government’s national attribution procedure regarding this campaign has concluded that, for a relatively long period, the cyber actor APT28 used a critical vulnerability in Microsoft Outlook that remained unidentified at the time to compromise numerous email accounts.” APT28 exploited the zero-day flaw, CVE-2023-23397, in its attacks against European entities from April 2022 onwards. The group also targeted NATO entities and Ukrainian government agencies.
The exploited vulnerability is a Microsoft Outlook spoofing vulnerability that can lead to an authentication bypass. The APT28 group had been exploiting this vulnerability in attacks aimed at European NATO members, as reported by Palo Alto Networks’ Unit 42 researchers in December 2023. The researchers highlighted that the APT group targeted at least 30 organizations within 14 nations that are likely of strategic intelligence significance to the Russian government and its military.
In March 2023, Microsoft published guidance for investigating attacks exploiting the patched Outlook vulnerability, CVE-2023-23397. The nation-state actor primarily targeted government, energy, transportation, and non-governmental organizations in the US, Europe, and the Middle East in attacks detected by Microsoft’s Threat Intelligence towards the end of 2023. According to Unit 42, APT28 began exploiting the vulnerability in March 2022.
The researchers found that the nation-state actor continued to use a publicly known exploit for the Outlook flaw in its second and third campaigns, suggesting that the access and intelligence gained from these operations outweighed the risk of being discovered. The list of targets is extensive; Microsoft Threat Intelligence also warned that the Russia-linked cyber-espionage group APT28 was actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.
The French National Agency for the Security of Information Systems ANSSI warned in October that the Russia-linked APT28 group has been targeting multiple French organizations, including government entities, businesses, universities, research institutes, and think tanks. The French agency observed that the threat actors employed various techniques to evade detection.
The German government recently announced that the APT28 campaign targeted government authorities, logistics companies, armaments, the air and space industry, IT services, foundations, and associations in Germany, other European countries, and Ukraine. The group was also responsible for the 2015 cyber attack on the German Bundestag. These actions violate international cyber norms and require special attention, especially in election years.
The Council of the European Union, the governments of the United States, and the United Kingdom, along with NATO, issued similar condemnations. The Council of the European Union stated, “The European Union and its Member States, together with international partners, strongly condemn the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia.”
The APT28 group, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.