Severity
High
Analysis Summary
Following the recent disclosure by Czechia and Germany, the European Union (EU), NATO, the United Kingdom, and the United States denounced the long-term cyber espionage campaign carried out by the Russian nation-state actor known as APT28.
According to a statement from the Ministry of Foreign Affairs (MFA) of the Czech Republic, a Microsoft Outlook vulnerability disclosed last year was used to attack unnamed organizations in the Czech Republic. Cyberattacks against governmental institutions, political organizations, and critical infrastructure threaten national security as well as democratic processes.
The vulnerability in question is CVE-2023-23397, a critical privilege escalation flaw in Outlook that has since been patched. Successful exploitation can give an adversary access to Net-NTLMv2 hashes, which can then be replayed to authenticate as the victim in a relay attack.
Germany's Federal Government (Bundesregierung) attributed to the same threat actor a cyberattack on the Executive Committee of the Social Democratic Party, in which the same Outlook vulnerability was exploited over an extended period to gain access to several email accounts. The Bundesregierung has also linked the group to the 2015 attack on the German federal parliament (Bundestag). Industry verticals targeted by the campaign include logistics, armaments, the air and space industry, IT services, foundations, and associations located in Germany, Ukraine, and elsewhere in Europe.
APT28 is also tracked by the wider cybersecurity community under the names BlueDelta, Fancy Bear, Forest Blizzard (previously Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422. APT28 is assessed to be associated with Military Unit 26165 of the Russian Federation's military intelligence agency, the GRU.
Microsoft said last month that the group had exploited a flaw in the Microsoft Windows Print Spooler component (CVE-2022-38028, CVSS score: 7.8) as a zero-day to deploy a previously undocumented custom malware named GooseEgg, which was then used to infiltrate government, non-governmental, educational, and transportation sector organizations in Ukraine, Western Europe, and North America.
According to NATO, the security of its allies is at risk due to Russia's hybrid tactics. The European Union Council also voiced its opinion, claiming that Russia's persistent pattern of careless behavior in cyberspace is demonstrated by the malicious cyber campaign. Targeting the German Social Democratic Party executive, among other recent actions by APT28, is part of an established pattern of behavior by the Russian Intelligence Services to sabotage democratic processes worldwide.
According to the U.S. Department of State, APT28 is known to engage in malevolent, devious, destabilizing, and disruptive activities. The department added that it is dedicated to protecting the security of its allies and partners as well as the rules-based international order, which includes cyberspace. APT28 actors are suspected of having used a botnet of hundreds of small office and home office (SOHO) routers in the United States and Germany to mask their malicious activities, including the use of CVE-2023-23397 against targets of interest. This botnet was taken down in February as a result of a coordinated law enforcement effort.
According to a research assessment, elections in the U.S., the U.K., and the E.U. are also expected to be seriously jeopardized by Russian state-sponsored cyber threat activity, including data theft, destructive attacks, DDoS campaigns, and influence operations. The groups assessed to be involved include APT44 (also known as Sandworm), COLDRIVER, KillNet, APT29, and APT28.
To reduce the threat posed by these nation-state threat actor groups, it is advised to harden end-user systems, restrict system exposure to the internet, use strong, unique passwords, and enforce multi-factor authentication for all network access.
Impact
- Privilege Escalation
- Cyber Espionage
- Sensitive Data Theft
- Operational Disruption
Indicators of Compromise
CVE
- CVE-2023-23397
Remediation
- Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
- Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
- Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.
- Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that may have been exploited by APT28. Also, prioritize patching known exploited vulnerabilities and zero-days.
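Exploitation of CVE-2023-23397, as described in the Analysis Summary, only yields a Net-NTLMv2 hash if the workstation can complete an outbound SMB connection to an attacker-controlled host, which is why restricting internet exposure is listed above. The following added example (not code from the advisory or its authors) is a defender-side check that scans a constructed firewall flow export for internal hosts talking SMB (TCP 445/139) to addresses outside the organization's own ranges; the log format and the internal network list are assumptions.

```python
"""Flag outbound SMB flows from internal hosts to external addresses.

Such flows are the network footprint of the CVE-2023-23397 hash leak and are
rarely legitimate from workstations, so they are worth alerting on (and
blocking at the perimeter).  Log format and internal ranges are assumptions.
"""
import ipaddress
from collections import Counter

SMB_PORTS = {445, 139}
# Assumed internal address space (RFC 1918); adjust to the real estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export, one flow per line:
# timestamp,src_ip,dst_ip,dst_port,proto,action
SAMPLE_LOG = """\
2024-05-06T08:01:12Z,10.0.5.23,10.0.1.10,445,tcp,allow
2024-05-06T08:01:15Z,10.0.5.23,203.0.113.77,445,tcp,allow
2024-05-06T08:01:16Z,10.0.5.23,203.0.113.77,445,tcp,allow
2024-05-06T08:02:40Z,10.0.7.8,198.51.100.9,443,tcp,allow
2024-05-06T08:03:02Z,10.0.9.14,198.51.100.9,139,tcp,deny
2024-05-06T08:04:55Z,172.16.3.3,192.0.2.200,445,tcp,allow
"""


def is_internal(addr):
    """True if the address belongs to one of the configured internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one CSV flow record into a dict; return None if malformed."""
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    ts, src, dst, port, proto, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "port": int(port),
                "proto": proto.lower(), "action": action.lower()}
    except ValueError:
        return None


def find_outbound_smb(log_text):
    """Return SMB flows whose source is internal and destination is not."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["port"] not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged flows per (src, dst, action); allowed ones need urgent triage."""
    return Counter((str(h["src"]), str(h["dst"]), h["action"]) for h in hits)


if __name__ == "__main__":
    for (src, dst, action), n in summarize(find_outbound_smb(SAMPLE_LOG)).items():
        print(f"{src} -> {dst} SMB x{n} ({action})")
```

A flow marked `allow` means the hash may already have left the network, so the source host's Outlook patch level and the account's recent NTLM authentications should be reviewed first.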