APT28 Exploits Outlook Flaw To Hack Czech, German Entities

Published on May 10th, 2024

Czechia and Germany disclosed on Friday that they had fallen victim to a prolonged cyber espionage campaign orchestrated by the Russia-linked nation-state actor known as APT28.

This revelation drew swift condemnation from key international players such as the European Union (E.U.), the North Atlantic Treaty Organization (NATO), the U.K., and the U.S.

The Czech Republic’s Ministry of Foreign Affairs (MFA) released a statement revealing that several entities within the country had been targeted in cyber attacks. These attacks exploited a security flaw in Microsoft Outlook, which was uncovered early last year.

According to the MFA, cyber assaults on political entities, state institutions, and critical infrastructure pose not only a threat to national security but also disrupt the democratic processes fundamental to our free society.

The vulnerability in question, CVE-2023-23397, is a now-patched critical elevation-of-privilege flaw in Outlook for Windows, fixed by Microsoft in March 2023. A crafted message whose PidLidReminderFileParameter property points to an attacker-controlled UNC path causes Outlook to connect to that host when the reminder fires, with no user interaction, leaking the user's Net-NTLMv2 response. The attacker can then relay that response to other services that accept NTLM authentication, or attempt to crack it offline.
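The practical check that follows from this mechanism is to look at where the reminder "sound file" path actually points. The script below is an added example, not code from the article, from Microsoft, or from the investigating agencies; it assumes the PidLidReminderFileParameter values have already been extracted from messages (for instance by Microsoft's published Exchange audit script or a MAPI library), and the allowlist, internal ranges and sample values are all constructed for illustration.

```python
import ipaddress
import re

# Constructed allowlist: hosts and networks an organisation actually uses for
# shared sound files. Anything else reached via UNC or file:// is suspicious.
INTERNAL_HOSTS = {"fileserver.corp.example"}
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# \\host\share\... or //host/share/..., optionally prefixed with file:
REMOTE_PATH_RE = re.compile(
    r"^(?:file:)?(?:\\\\|//)(?P<host>[^\\/]+)[\\/]", re.IGNORECASE
)


def extract_remote_host(value):
    """Return the host a reminder path would make Outlook connect to, or None."""
    if not value:
        return None
    m = REMOTE_PATH_RE.match(value.strip())
    if not m:
        return None
    host = m.group("host")
    # "\\host@80\share" is routed through the WebClient (WebDAV) service rather
    # than SMB, a way out of networks that block outbound TCP/445.
    host = host.split("@", 1)[0]
    return host.lower() or None


def classify_reminder_path(value):
    """'local' (no remote host contacted), 'internal', or 'suspicious'."""
    host = extract_remote_host(value)
    if host is None:
        return "local"
    if host in INTERNAL_HOSTS:
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "suspicious"  # hostname that is not on the allowlist
    if ip.is_loopback or any(ip in net for net in INTERNAL_NETWORKS):
        return "internal"
    return "suspicious"


def scan(properties):
    """Return (message_id, value, verdict) for every property value given."""
    return [(msg_id, value, classify_reminder_path(value)) for msg_id, value in properties]


# Constructed sample values, as a scanner might extract them from messages.
SAMPLE_PROPERTIES = [
    (1, r"C:\Windows\Media\Alarm01.wav"),
    (2, r"\\fileserver.corp.example\sounds\chime.wav"),
    (3, r"\\10.20.30.40\media\tone.wav"),
    (4, r"\\203.0.113.45\s\tone.wav"),      # TEST-NET-3 address standing in for an attacker host
    (5, "file://evil.example.net/s/1.wav"),
    (6, r"\\198.51.100.7@80\dav\x.wav"),    # WebDAV variant, TEST-NET-2 address
    (7, None),                               # property absent
]

if __name__ == "__main__":
    for msg_id, value, verdict in scan(SAMPLE_PROPERTIES):
        print(f"msg {msg_id}: {verdict:<10} {value!r}")
```

The verdict is deliberately based on explicit internal ranges rather than Python's `is_private`, which also treats the documentation ranges used in the samples as non-global; an organisation would substitute its own hosts and networks. Any "suspicious" hit on a message that arrived from outside the organisation is worth treating as an exploitation attempt, whether or not the reminder actually fired.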

Germany's Federal Government (Bundesregierung) attributed an attack on the Executive Committee of the Social Democratic Party (SPD) to APT28, which exploited the same Outlook vulnerability over an extended period.

This exploitation led to the compromise of numerous email accounts. Various industry sectors, including logistics, armaments, the air and space industry, IT services, foundations, and associations across Germany, Ukraine, and Europe, were targeted in this campaign.

The Bundesregierung also linked the group to the 2015 attack on the German federal parliament (Bundestag).

APT28, associated with Military Unit 26165 of the Russian Federation's military intelligence agency GRU, is known by several aliases in the broader cybersecurity community, including BlueDelta, Fancy Bear, Forest Blizzard, Iron Twilight, Pawn Storm, and Sofacy, among others.

Microsoft recently attributed to APT28 the exploitation of a then zero-day vulnerability in the Microsoft Windows Print Spooler component (CVE-2022-38028).

This exploitation facilitated the deployment of a custom malware named GooseEgg, targeting governmental, non-governmental, educational, and transportation sector organizations across Ukraine, Western Europe, and North America.

NATO labeled Russia’s hybrid actions as a threat to Allied security, while the Council of the European Union highlighted the malicious cyber campaign as evidence of Russia’s continuous irresponsible behavior in cyberspace.

The U.K. government condemned the recent activities of the Russian GRU cyber group APT28, citing a pattern of behavior aimed at undermining democratic processes worldwide.

The U.S. Department of State characterized APT28’s actions as malicious, nefarious, and disruptive, reaffirming its commitment to the security of allies and the rules-based international order, including in cyberspace.

Earlier this year, a coordinated law enforcement action dismantled a botnet comprising hundreds of small office and home office (SOHO) routers in the U.S. and Germany, believed to have been used by APT28 actors to obscure their malicious activities, including the infrastructure used to exploit CVE-2023-23397 against targets of interest.

According to a report from cybersecurity firm Trend Micro, this third-party criminal proxy botnet, established in 2016, includes routers from Ubiquiti and other Linux-based routers, Raspberry Pi devices, and virtual private servers (VPS).

Legal constraints and technical challenges prevented a complete cleanup of all compromised routers.

Russian state-sponsored cyber threat activity, encompassing data theft, destructive attacks, DDoS campaigns, and influence operations, poses a significant risk to elections in regions such as the U.S., the U.K., and the E.U.

This assessment was released by Google Cloud subsidiary Mandiant, implicating multiple threat groups, including APT28, APT29, and others.

In 2016, APT28 compromised U.S. Democratic Party targets and orchestrated a leak campaign ahead of the presidential election, as highlighted by researchers Kelli Vanderlee and Jamie Collier.

Additionally, data from Cloudflare and NETSCOUT indicates a surge in DDoS attacks targeting Sweden following its acceptance into the NATO alliance, reminiscent of similar events during Finland’s NATO accession in 2023.

NETSCOUT identified several politically motivated hacker groups, including NoName057(16) and Anonymous Sudan, as involved in these attacks, all aligned with Russian interests.

According to a report by the European Union Agency for Cybersecurity (ENISA), released in December 2023, DDoS attacks are increasingly driven by warfare and geopolitical motivations.

This landscape is influenced by recent armed conflicts, allowing threat actors to select targets without fear of repercussions.

In response to continued attacks by pro-Russia hacktivists against industrial control systems (ICS) and small-scale operational technology (OT) systems, government agencies from Canada, the U.K., and the U.S. have issued a joint fact sheet.

These attacks, largely employing unsophisticated techniques, aim to create nuisance effects but also possess the potential for physical threats against insecure and misconfigured OT environments.

The targeted critical infrastructure sectors include water and wastewater systems, dams, energy, and food and agriculture.

Recommendations to mitigate these threats include strengthening human machine interfaces, limiting exposure of OT systems to the internet, enforcing strong and unique passwords, and implementing multi-factor authentication for all OT network access.

The pro-Russia hacktivist groups seek to compromise small, modular, internet-exposed ICS by reaching human machine interfaces (HMIs) over remote-access software such as VNC and abusing default or weak passwords, posing significant challenges to the security of critical infrastructure.