December 7, 2023 at 05:26PM
Russian APT28 hackers exploited a Microsoft Outlook zero-day (CVE-2023-23397) to target European NATO members and a NATO corps. Over 20 months, they attacked at least 30 organizations in 14 countries. Despite the patch in 2023, they continued using the exploit for credential theft and lateral network movement. Unit 42 linked the attacks to Russia’s GRU, with a focus on government, military, and critical infrastructure. Other nations, including France and the UK, also reported similar attacks, attributing them to Russian-affiliated groups. The US offers a $10 million reward for information on the Callisto Group hackers named below.
Meeting Takeaways:
1. Russian military hackers, known as APT28, used a Microsoft Outlook zero-day exploit to target NATO member countries in Europe.
2. APT28, also tracked as Fighting Ursa, Fancy Bear, and Sofacy, is linked to Russia’s GRU and has conducted three campaigns over 20 months against 30 organizations in 14 nations.
3. Their activities began three weeks after Russia’s invasion of Ukraine, initially targeting Ukraine’s State Migration Service in March 2022.
4. Between April and December 2022, APT28 breached European government, military, energy, and transportation sectors, gathering intelligence to support Russia’s Ukraine invasion.
5. Microsoft patched the zero-day (CVE-2023-23397) in March 2023, but the hackers continued to use the exploit to steal credentials and move laterally within networks.
6. A new Outlook vulnerability (CVE-2023-29324) emerged in May, expanding the attack surface.
7. All targeted nations are NATO members, with at least one NATO Rapid Deployable Corps attacked.
8. APT28’s targeting scope includes defense, foreign affairs, internal affairs, and critical infrastructure organizations in energy, pipeline operations, and transportation.
9. The repeated use of known exploits by APT28 suggests the value of the intelligence gained exceeds the risks of being discovered.
10. France’s cybersecurity agency reported attacks on a wide range of organizations in France using the same Outlook flaw.
11. The UK and Five Eyes intelligence agencies linked the Callisto Group to Russia’s FSB, and the group’s surveillance attacks were thwarted by disabling the Microsoft accounts it used.
12. The U.S. government is offering a $10 million reward for information on Callisto Group members and their activities.