Microsoft Outlook Flaw Exploited by Russia’s APT28 to Hack Czech, German Entities


Czechia and Germany on Friday revealed that they were the target of a long-term cyber espionage campaign conducted by the Russia-linked nation-state actor known as APT28, drawing condemnation from the European Union (E.U.), the North Atlantic Treaty Organization (NATO), the U.K., and the U.S.

The Czech Republic’s Ministry of Foreign Affairs (MFA), in a statement, said some unnamed entities in the country have been attacked using a security flaw in Microsoft Outlook that came to light early last year.

“Cyber attacks targeting political entities, state institutions and critical infrastructure are not only a threat to national security, but also disrupt the democratic processes on which our free society is based,” the MFA said.

The security flaw in question is CVE-2023-23397, a now-patched critical privilege escalation bug in Outlook that could allow an adversary to access Net-NTLMv2 hashes and then use them to authenticate themselves by means of a relay attack.
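The hash leak described above depends on the victim's Outlook client initiating an outbound SMB authentication to a host the attacker controls, which is why Microsoft's guidance for this bug included blocking outbound TCP 445 at the perimeter. The following is an added defender-side example, not code from the article or from any of the organisations it cites: it scans firewall log lines for SMB connections leaving the internal network, which is the network-level signal such a leak would produce. The log format, the RFC 1918 definition of "internal", and the sample lines are all assumptions constructed for the example.

```python
import ipaddress
import re

# Address ranges treated as internal; replace with the organisation's own plan.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
SMB_PORT = 445

# Constructed sample firewall log (not from the article). Assumed key=value format:
# <timestamp> action=<allow|deny> proto=<tcp|udp> src=<ip> dst=<ip> dport=<port>
SAMPLE_LOG = """\
2024-05-03T09:12:01Z action=allow proto=tcp src=10.20.30.41 dst=10.20.30.5 dport=445
2024-05-03T09:12:07Z action=allow proto=tcp src=10.20.30.41 dst=203.0.113.77 dport=445
2024-05-03T09:12:09Z action=allow proto=tcp src=10.20.30.41 dst=203.0.113.77 dport=443
2024-05-03T09:13:15Z action=deny proto=tcp src=10.20.30.52 dst=198.51.100.9 dport=445
2024-05-03T09:14:02Z action=allow proto=udp src=10.20.30.52 dst=198.51.100.9 dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def is_internal(ip):
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def is_egress_smb(event):
    """SMB over TCP from an internal source to a destination outside the internal ranges."""
    return (
        event["proto"] == "tcp"
        and event["dport"] == SMB_PORT
        and is_internal(event["src"])
        and not is_internal(event["dst"])
    )


def find_smb_egress(log_text):
    """Return every parsed event that is SMB leaving the network, allowed or denied.

    Denied connections are kept on purpose: the block stopped the leak, but the
    attempt still identifies a client that processed something trying to reach
    an external SMB host and is worth investigating.
    """
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and is_egress_smb(event):
            findings.append(event)
    return findings


if __name__ == "__main__":
    for f in find_smb_egress(SAMPLE_LOG):
        print(f"{f['ts']} {f['action']:5} {f['src']} -> {f['dst']}:{f['dport']}")
```

Run against the constructed sample, the scan reports the two TCP 445 connections to non-internal destinations (one allowed, one denied) and ignores the internal file-share traffic, the HTTPS connection, and the UDP line.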

Germany’s Federal Government (aka Bundesregierung) attributed to the threat actor a cyber attack aimed at the Executive Committee of the Social Democratic Party that exploited the same Outlook vulnerability over a “relatively long period,” allowing it to “compromise numerous email accounts.”

Some of the industry verticals targeted as part of the campaign include logistics, armaments, the air and space industry, IT services, foundations, and associations located in Germany, Ukraine, and Europe, with the Bundesregierung also implicating the group in the 2015 attack on the German federal parliament (Bundestag).

APT28, assessed to be linked to Military Unit 26165 of the Russian Federation’s military intelligence agency GRU, is also tracked by the broader cybersecurity community under the names BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422.

Late last month, Microsoft attributed to the hacking group the zero-day exploitation of a flaw in the Microsoft Windows Print Spooler component (CVE-2022-38028, CVSS score: 7.8) to deliver a previously unknown custom malware called GooseEgg, used to infiltrate Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations.

NATO said Russia’s hybrid actions “constitute a threat to Allied security.” The Council of the European Union also chimed in, stating the “malicious cyber campaign shows Russia’s continuous pattern of irresponsible behavior in cyberspace.”

“Recent activity by Russian GRU cyber group APT28, including the targeting of the German Social Democratic Party executive, is the latest in a known pattern of behavior by the Russian Intelligence Services to undermine democratic processes across the globe,” the U.K. government said.

The U.S. Department of State described APT28 as known to engage in “malicious, nefarious, destabilizing and disruptive behavior,” adding that it’s committed to the “security of our allies and partners and upholding the rules-based international order, including in cyberspace.”

Earlier this February, a coordinated law enforcement action disrupted a botnet comprising hundreds of small office and home office (SOHO) routers in the U.S. and Germany that the APT28 actors are believed to have used to conceal their malicious activities, such as the exploitation of CVE-2023-23397 against targets of interest.

According to a report from cybersecurity firm Trend Micro this week, the third-party criminal proxy botnet dates back to 2016 and consists of more than just routers from Ubiquiti, encompassing other Linux-based routers, Raspberry Pi, and virtual private servers (VPS).

“The threat actor [behind the botnet] managed to move over some of the EdgeRouter bots from the C&C [command-and-control] server that was taken down on January 26, 2024, to a newly set up C&C infrastructure in early February 2024,” the company said, adding legal constraints and technical challenges prevented a thorough cleanup of all ensnared routers.

Russian state-sponsored cyber threat activity – data theft, destructive attacks, DDoS campaigns, and influence operations – is also expected to pose a severe risk to elections in regions like the U.S., the U.K., and the E.U. from multiple groups such as APT44 (aka Sandworm), COLDRIVER, KillNet, APT29, and APT28, per an assessment released by Google Cloud subsidiary Mandiant last week.

“In 2016, GRU-linked APT28 compromised U.S. Democratic Party organization targets as well as the personal account of the Democratic presidential candidate’s campaign chairman and orchestrated a leak campaign ahead of the 2016 U.S. Presidential election,” researchers Kelli Vanderlee and Jamie Collier said.

What’s more, data from Cloudflare and NETSCOUT show a surge in DDoS attacks targeting Sweden following its acceptance to the NATO alliance, mirroring the pattern observed during Finland’s NATO accession in 2023.

“The likely culprits of these attacks included the hacker groups NoName057, Anonymous Sudan, Russian Cyber Army Team, and KillNet,” NETSCOUT said. “All these groups are politically motivated, supporting Russian ideals.”

The developments come as government agencies from Canada, the U.K., and the U.S. have released a new joint fact sheet to help secure critical infrastructure organizations from continued attacks launched by apparent pro-Russia hacktivists against industrial control systems (ICS) and small-scale operational technology (OT) systems since 2022.

“The pro-Russia hacktivist activity appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects,” the agencies said. “However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments.”

Targets of these attacks comprise organizations in North American and European critical infrastructure sectors, including water and wastewater systems, dams, energy, and food and agriculture sectors.

The hacktivist groups have been observed gaining remote access by exploiting publicly exposed internet-facing connections as well as factory default passwords associated with human machine interfaces (HMIs) prevalent in such environments, followed by tampering with mission-critical parameters, turning off alarm mechanisms, and locking out operators by changing administrative passwords.

Recommendations to mitigate the threat include hardening human machine interfaces, limiting exposure of OT systems to the internet, using strong and unique passwords, and implementing multi-factor authentication for all access to the OT network.

“These hacktivists seek to compromise modular, internet-exposed industrial control systems (ICS) through their software components, such as human machine interfaces (HMIs), by exploiting virtual network computing (VNC) remote access software and default passwords,” the alert said.
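The sequence the advisory describes (remote login to an exposed HMI, parameter changes, alarms switched off, operators locked out by an administrative password change) is well suited to a simple correlation rule over HMI audit logs. The block below is an added example written for this article, not code from the advisory or the agencies behind it: it groups audit events by HMI and source address, treats a login from outside the plant's internal ranges as the trigger, and raises the severity when tampering actions follow within a short window. The CSV audit format, the event names, the RFC 1918 definition of "internal", and the sample rows are assumptions constructed for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 1918 ranges stand in for the plant network; adjust to the real OT address plan.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
# Assumed event names for the actions the advisory lists: changing critical
# parameters, turning off alarms, and locking out operators.
TAMPER_EVENTS = {"setpoint_change", "alarm_disabled", "admin_password_changed"}
WINDOW = timedelta(minutes=15)

# Constructed sample HMI audit log (not from the advisory). Assumed columns:
# ts, hmi, src_ip, user, event, detail
SAMPLE_AUDIT = """\
ts,hmi,src_ip,user,event,detail
2024-05-03T02:10:00Z,pump-station-3,203.0.113.50,admin,login_success,vnc
2024-05-03T02:11:30Z,pump-station-3,203.0.113.50,admin,setpoint_change,discharge_pressure 40->95
2024-05-03T02:12:05Z,pump-station-3,203.0.113.50,admin,alarm_disabled,high_pressure
2024-05-03T02:13:40Z,pump-station-3,203.0.113.50,admin,admin_password_changed,-
2024-05-03T08:00:00Z,pump-station-3,10.50.1.20,operator1,login_success,local
2024-05-03T08:05:00Z,pump-station-3,10.50.1.20,operator1,setpoint_change,discharge_pressure 95->40
2024-05-03T09:30:00Z,chlorine-dosing-1,198.51.100.7,admin,login_failed,vnc
"""


def is_internal(ip):
    """True if the address is inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_audit(text):
    """Parse the CSV audit log into dicts with the timestamp converted to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def correlate(events):
    """Build alerts from login events and the tampering actions that follow them.

    Severity: external login followed by tampering -> high; external login (or
    failed attempt) with no tampering -> medium, since it shows the HMI is
    reachable from outside; internal login followed by tampering -> info, kept
    so that legitimate operator changes remain reviewable.
    """
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["hmi"], ev["src_ip"])].append(ev)

    alerts = []
    for (hmi, src), evs in sessions.items():
        evs.sort(key=lambda e: e["ts"])
        external = not is_internal(src)
        for login in evs:
            if login["event"] == "login_failed":
                if external:
                    alerts.append({"ts": login["ts"], "hmi": hmi, "src_ip": src,
                                   "user": login["user"], "severity": "medium",
                                   "tamper_events": []})
                continue
            if login["event"] != "login_success":
                continue
            tamper = [e for e in evs if e["event"] in TAMPER_EVENTS
                      and login["ts"] < e["ts"] <= login["ts"] + WINDOW]
            if external:
                severity = "high" if tamper else "medium"
            elif tamper:
                severity = "info"
            else:
                continue
            alerts.append({"ts": login["ts"], "hmi": hmi, "src_ip": src,
                           "user": login["user"], "severity": severity,
                           "tamper_events": [e["event"] for e in tamper]})
    alerts.sort(key=lambda a: a["ts"])
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_audit(SAMPLE_AUDIT)):
        print(f"{a['ts']:%Y-%m-%d %H:%M} {a['severity']:6} {a['hmi']} "
              f"from {a['src_ip']} as {a['user']} tamper={a['tamper_events']}")
```

On the constructed sample this yields a high-severity alert for the external session on pump-station-3 (all three tampering actions within the window), an informational record for the internal operator restoring the setpoint, and a medium alert for the failed external login against chlorine-dosing-1. The window and the internal ranges are the two knobs a site would tune; the rule deliberately keys on source address rather than username because the advisory notes these logins often use the device's default credentials.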
