Russian APT28 Exploits Outlook Flaw to Target EU NATO Members

December 8, 2023

The APT28 group, associated with various names such as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, has been operational since at least 2007. It is linked to the Russian government and its military, specifically the military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). The group has a history of targeting governments, militaries, and security organizations globally, including involvement in the 2016 Presidential election attacks.

The group's primary attack methods include spear-phishing and malware-based attacks. In March 2023, Microsoft issued guidance on investigating attacks exploiting the patched Outlook vulnerability identified as CVE-2023-23397. This flaw in Microsoft Outlook allows for authentication bypass, leading to spoofing.

Recent attacks detected by Microsoft’s Threat Intelligence targeted government, energy, transportation, and non-governmental organizations in the US, Europe, and the Middle East. Unit 42 reports that APT28 began exploiting this vulnerability in March 2022. “During this time, Fighting Ursa conducted at least two campaigns with this vulnerability that have been made public. The first occurred between March-December 2022 and the second occurred in March 2023.”

A third campaign discovered by Unit 42 researchers was recently active, with Fighting Ursa also exploiting this vulnerability. This latest campaign took place between September-October 2023, targeting at least nine organizations in seven nations. The researchers noted that in the second and third campaigns, the nation-state actor continued to use a publicly known exploit for the Outlook flaw. This suggests that the value of access and intelligence obtained from these operations outweighed the potential risks of detection.

The list of targets is extensive, with Microsoft’s Threat Intelligence also warning of the Russia-linked cyber-espionage group APT28 actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive data. In October, France's National Agency for the Security of Information Systems (ANSSI) issued a warning that APT28 has been targeting multiple French organizations, including government entities, businesses, universities, and research institutes and think tanks. ANSSI noted that the threat actors employed various techniques to evade detection, including compromising low-risk equipment monitored and located at the edge of the target networks. In some instances, the group did not deploy any backdoor in the compromised systems. ANSSI observed at least three attack techniques employed by APT28 in the attacks against French organizations.

Related News

• Russian APT28 Hackers Exploit Outlook Flaw to Hijack Exchange Accounts
• Russian APT28 Hackers Breach Critical Networks in France
• Russian Hackers Conducting Widescale Credential-Stealing Attacks, Warns Microsoft
• Zero-Click Windows Vulnerability Allows NTLM Credential Theft
• Microsoft Offers Guidance on Detecting Outlook Zero-Day Exploits

Latest News

• Critical Bluetooth Security Flaw Threatens Multiple Operating Systems
• Critical Adobe ColdFusion Exploit Used to Breach U.S. Government Servers
• Google Addresses Critical Zero-Click RCE in Android's December 2023 Security Updates
• Russian APT28 Hackers Exploit Outlook Flaw to Hijack Exchange Accounts
• Fake WordPress Security Alert Used to Distribute Malicious Plugin