Russia-linked APT8 exploited Outlook zero-day to target European NATO members

Pierluigi Paganini December 08, 2023

Russia-linked group APT28 exploited Microsoft Outlook zero-day to target European NATO members, including a NATO Rapid Deployable Corps.

Palo Alto Networks’ Unit 42 reported that the Russia-linked APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) group exploited the CVE-2023-23397 vulnerability in attacks aimed at European NATO members.

Over the past 20 months, the group targeted at least 30 organizations within 14 nations that are probably of strategic intelligence significance to the Russian government and its military.

The APT28 group (aka Fancy BearPawn StormSofacy GroupSednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).

Most of the APT28s’ campaigns leveraged spear-phishing and malware-based attacks.

In March 2023, Microsoft published guidance for investigating attacks exploiting the patched Outlook vulnerability tracked as CVE-2023-23397. The vulnerability is a Microsoft Outlook spoofing vulnerability that can lead to an authentication bypass.

In recent attacks spotted by Microsoft’s Threat Intelligence, the nation-state actors primarily targeted government, energy, transportation, and non-governmental organizations in the US, Europe, and the Middle East.

According to Unit 42, APT28 started exploiting the above vulnerability in March 2022.

“During this time, Fighting Ursa conducted at least two campaigns with this vulnerability that have been made public. The first occurred between March-December 2022 and the second occurred in March 2023.” reads the report published by the company.

“Unit 42 researchers discovered a third, recently active campaign in which Fighting Ursa also used this vulnerability. The group conducted this most recent campaign between September-October 2023, targeting at least nine organizations in seven nations.”

APT28 Outllok exploit

The researchers pointed out that in the second and third campaigns, the nation-state actor continued to use a publicly known exploit for the Outlook flaw. This implies that the benefits of the access and intelligence produced by these operations were deemed more significant than the potential consequences of being discovered.

The list of targets is very long and includes:

  1. Other than Ukraine, all of the targeted European nations are current members of the North Atlantic Treaty Organization (NATO)
  2. at least one NATO Rapid Deployable Corps
  3. critical infrastructure-related organizations within the following sectors:
    1. Energy
    2. Transportation
    3. Telecommunications
    4. Information technology
    5. Military industrial base

Microsoft’s Threat Intelligence is also warning of Russia-linked cyber-espionage group APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.

In October, the French National Agency for the Security of Information Systems ANSSI (Agence Nationale de la sécurité des systèmes d’information) warned that the Russia-linked APT28 group has been targeting multiple French organizations, including government entities, businesses, universities, and research institutes and think tanks.

The French agency noticed that the threat actors used different techniques to avoid detection, including the compromise of low-risk equipment monitored and located at the edge of the target networks. The Government experts pointed out that in some cases the group did not deployed any backdoor in the compromised systems.

ANSSI observed at least three attack techniques employed by APT28 in the attacks against French organizations:

  • searching for zero-day vulnerabilities [T1212, T1587.004];
  • compromise of routers and personal email accounts [T1584.005, T1586.002];
  • the use of open source tools and online services [T1588.002, T1583.006]. ANSSI investigations confirm that APT28 exploited the Outlook 0-day vulnerability CVE-2023-23397. According to other partners, over this period, the MOA also exploited other vulnerabilities, such as that affecting Microsoft Windows Support Diagnostic Tool (MSDT, CVE-2022-30190, also called Follina) as well as
    than those targeting the Roundcube application (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT28)

you might also like

leave a comment