Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps.
Researchers from Palo Alto Networks’ Unit 42 have observed them exploiting the CVE-2023-23397 vulnerability over roughly 20 months in three campaigns against at least 30 organizations across 14 nations deemed of probable strategic intelligence significance to Russia’s military and government.
The Russian hackers are also tracked as Fighting Ursa, Fancy Bear, and Sofacy, and they’ve been previously linked to Russia’s Main Intelligence Directorate (GRU), the country’s military intelligence service.
They started using the Outlook security flaw as a zero-day in March 2022, three weeks after Russia invaded Ukraine, to target the State Migration Service of Ukraine.
Between mid-April and December 2022, they breached the networks of around 15 government, military, energy, and transportation organizations in Europe to steal emails potentially containing military intelligence to support Russia’s invasion of Ukraine.
Even though Microsoft patched the zero-day one year later, in March 2023, and linked to a Russian hacking group, APT28 operators continued using the CVE-2023-23397 exploits to steal credentials that allowed them to move laterally through compromised networks.
The attack surface increased even further in May when a bypass (CVE-2023-29324) affecting all Outlook Windows versions surfaced.
Targets on NATO Rapid Deployable Corps
Today, Unit 42 said that among the attacked European nations, all identified countries are current North Atlantic Treaty Organization (NATO) members, excluding Ukraine.
At least one NATO Rapid Deployable Corps (High Readiness Force Headquarters capable of swift deployment to command NATO forces) was also targeted.
Additionally, beyond European Defense, Foreign Affairs, and Internal Affairs agencies, APT28’s focus extended to critical infrastructure organizations involved in energy production and distribution, pipeline infrastructure operations, and material handling, personnel, and air transportation.
“Using a zero-day exploit against a target indicates it is of significant value. It also suggests that existing access and intelligence for that target were insufficient at the time,” Unit 42 said.
“In the second and third campaigns, Fighting Ursa continued to use a publicly known exploit that was already attributed to them, without changing their techniques. This suggests that the access and intelligence generated by these operations outweighed the ramifications of public outing and discovery.
“For these reasons, the organizations targeted in all three campaigns were most likely a higher than normal priority for Russian intelligence.”
In October, the French cybersecurity agency (ANSSI) disclosed that Russian hackers used the Outlook security flaw to attack government bodies, corporations, educational institutions, research centers, and think tanks across France.
This week, the United Kingdom and allies part of the Five Eyes intelligence alliance also linked a Russian threat group tracked as Callisto Group, Seaborgium, and Star Blizzard to Russia’s ‘Centre 18’ Federal Security Service (FSB) division.
Microsoft’s threat analysts thwarted Callisto attacks aimed at several European NATO nations by disabling Microsoft accounts used by the threat actors for surveillance and harvesting emails.
The U.S. government now offers a $10 million reward for information on Callisto’s members and their activities.