Top Russian military hackers target NATO using Microsoft Outlook exploits

APT28 has been quite active as the Ukraine conflict rumbles on


Between April and December 2022, the NATO Rapid Deployable Corps, a NATO force that can quickly be deployed to command NATO forces, was targeted by Russian state-sponsored hackers.

This is according to cybersecurity researchers at Unit 42, the security arm of Palo Alto Networks, who noted that the hackers were after sensitive data and other valuable intelligence.

A few weeks after the invasion of Ukraine, a threat actor known as APT28 (AKA Fancy Bear, Fighting Ursa) started abusing a zero-day vulnerability in Microsoft Outlook to target the State Migration Service of Ukraine with malware. A month later, Unit 42 says, it used the same vulnerability - tracked as CVE-2023-23397 - in more campaigns. In total, the networks of roughly 15 government, military, energy, and transportation organizations around Europe were targeted. The Russians were after emails containing military intelligence, which might aid the country’s war effort.

NATO members under attack


When Microsoft patched the flaw a year later, APT28 was already deep enough, obtained enough credentials, and established enough persistence to keep going. It expanded its campaign in May this year, when it started abusing a separate flaw, tracked as CVE-2023-29324.

Now, Unit 42 claims all of the affected countries are NATO members, and in one instance, even the NATO Rapid Deployable Corps was a target.

“Using a zero-day exploit against a target indicates it is of significant value. It also suggests that existing access and intelligence for that target were insufficient at the time,” Unit 42 said. “In the second and third campaigns, Fighting Ursa continued to use a publicly known exploit that was already attributed to them, without changing their techniques. This suggests that the access and intelligence generated by these operations outweighed the ramifications of public outing and discovery.”

“For these reasons, the organizations targeted in all three campaigns were most likely a higher than normal priority for Russian intelligence.”


Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
