Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps.
Researchers from Palo Alto Networks' Unit 42 have observed them exploiting the CVE-2023-23397 vulnerability over roughly 20 months in three campaigns against at least 30 organizations across 14 nations deemed of probable strategic intelligence significance to Russia's military and government.
The Russian hackers are also tracked as Fighting Ursa, Fancy Bear, and Sofacy, and they've been previously linked to Russia's Main Intelligence Directorate, the country's military intelligence service.
They started using the Outlook security flaw as a zero-day in March 2022, three weeks after Russia invaded Ukraine, to target the State Migration Service of Ukraine.
Between mid-April and December 2022, they breached the networks of around 15 government, military, energy, and transportation organizations in Europe to steal emails potentially containing military intelligence to support Russia's invasion of Ukraine.
Even though Microsoft patched the zero-day a year later, in March 2023, and attributed the attacks to a Russian hacking group, APT28 operators kept using CVE-2023-23397 exploits to steal credentials that allowed them to move laterally through compromised networks. The flaw requires no user interaction: a crafted calendar item points Outlook's reminder sound file property at an attacker-controlled SMB share, so the client leaks the victim's Net-NTLMv2 hash when the reminder fires.
The attack surface increased even further in May 2023, when a bypass of the original fix (CVE-2023-29324), affecting all Windows versions of Outlook, surfaced.
Today, Unit 42 said that, with the exception of Ukraine, all of the identified European countries are current North Atlantic Treaty Organization members.
At least one NATO Rapid Deployable Corps was also targeted.
Beyond European Defense, Foreign Affairs, and Internal Affairs agencies, APT28's focus extended to critical infrastructure organizations involved in energy production and distribution, pipeline infrastructure operations, and material handling, personnel, and air transportation.
In October, the French cybersecurity agency disclosed that Russian hackers used the Outlook security flaw to attack government bodies, corporations, educational institutions, research centers, and think tanks across France.
This week, the United Kingdom and its Five Eyes intelligence alliance partners also linked a Russian threat group tracked as Callisto Group, Seaborgium, and Star Blizzard to 'Centre 18', a division of Russia's Federal Security Service (FSB).
Microsoft's threat analysts thwarted Callisto attacks aimed at several European NATO nations by disabling Microsoft accounts used by the threat actors for surveillance and harvesting emails.
The U.S. government now offers a $10 million reward for information on Callisto's members and their activities.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 07 Dec 2023 22:25:16 +0000