Russian APT28 Hackers Launch NTLM Relay Attacks on High-Value Global Targets

February 2, 2024

From April 2022 to November 2023, Russian state-sponsored hackers, identified as APT28, have been conducting NTLM v2 hash relay attacks on high-value organizations worldwide. The group has targeted a variety of sectors, including foreign affairs, energy, defense, and transportation, as well as those dealing with social welfare, finance, and local government. Cybersecurity firm Trend Micro has described these attacks as a 'cost-efficient method of automating attempts to brute-force its way into the networks' of these targets. The firm suggests that the adversary may have compromised thousands of email accounts over time.

APT28, which is also known by a variety of other names, such as Blue Athena, Fancy Bear, and Pawn Storm, among others, is believed to have been active since 2009. The group is reportedly operated by Russia's GRU military intelligence service and is known for orchestrating spear-phishing attacks containing malicious attachments to activate infection chains. In April 2023, APT28 was implicated in attacks that exploited now-patched vulnerabilities in networking equipment from Cisco to conduct reconnaissance and deploy malware against select targets.

In December, the group exploited a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and WinRAR (CVE-2023-38831, CVSS score: 7.8) to access a user's Net-NTLMv2 hash and use it to stage an NTLM Relay attack against another service to authenticate as the user. An exploit for CVE-2023-23397 was reportedly used to target Ukrainian entities as early as April 2022, according to a March 2023 advisory from CERT-EU.

The group has also been seen using lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. They have also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy backdoors and information stealers like OCEANMAP, MASEPIE, and STEELHOOK.

A notable aspect of the group's attacks is their continuous efforts to refine their operational playbook and evade detection. This includes the use of anonymization layers such as VPN services, Tor, data center IP addresses, and compromised EdgeOS routers for scanning and probing activities. Another tactic involves sending spear-phishing messages from compromised email accounts over Tor or VPN.

Security researchers Feike Hacquebord and Fernando Merces noted that 'Pawn Storm has also been using EdgeOS routers to send spear-phishing emails, perform callbacks of CVE-2023-23397 exploits in Outlook, and proxy credential theft on credential phishing websites.' They also observed that part of the group's post-exploitation activities involve modifying folder permissions within the victim's mailbox, enhancing persistence. Using the victim's email accounts, lateral movement is possible by sending additional malicious email messages from within the victim organization.

It is currently unclear if the threat actor themselves breached these routers, or if they are using routers that were already compromised by a third-party actor. However, it is estimated that at least 100 EdgeOS routers have been infected. Additionally, recent credential harvesting campaigns against European governments have used bogus login pages mimicking Microsoft Outlook that are hosted on webhook[.]site URLs, a pattern previously attributed to the group.

In an October 2022 phishing campaign, the group singled out embassies and other high-profile entities to deliver a 'simple' information stealer via emails that captured files matching specific extensions and exfiltrated them to a free file-sharing service named Keep.sh.

The researchers noted that 'The loudness of the repetitive, oftentimes crude and aggressive campaigns, drown out the silence, subtlety, and complexity of the initial intrusion, as well as the post-exploitation actions that might occur once Pawn Storm gets an initial foothold in victim organizations.'

In related news, Recorded Future News revealed an ongoing hacking campaign undertaken by the Russian threat actor COLDRIVER (aka Calisto, Iron Frontier, or Star Blizzard) that impersonates researchers and academics to redirect prospective victims to credential harvesting pages.

Related News

• APT28 Phishing Campaign Deploying New Malware Uncovered by CERT-UA
• UAC-0099 Exploits WinRAR Vulnerability to Launch LONEPAGE Malware Attacks on Ukrainian Firms
• Microsoft Outlook Zero-Click Security Flaws Triggered by Sound File Exploitation
• Emerging Details on Zero-Click Outlook Remote Code Execution Exploits
• Russian APT28 Exploits Outlook Flaw to Target EU NATO Members

Latest News

• CISA Instructs Federal Agencies to Disconnect Ivanti VPN Instances Amidst Zero-Day Exploits
• FritzFrog Botnet Targets Unpatched Internal Hosts via Log4Shell Exploitation
• Apple Addresses Vision Pro Security Flaw, CISA Highlights iOS Vulnerability Exploitation
• Global Container Escapes Enabled by 'Leaky Vessels' Cloud Bugs
• Public Release of Exploit for Android Privilege Elevation Flaw Affecting Seven OEMs