May 9th, 2024 | Updated on November 4th, 2025
Czechia and Germany disclosed on Friday that they were the targets of an extensive cyber espionage campaign orchestrated by the Russia-linked nation-state actor known as APT28, drawing condemnation from various quarters including the European Union (E.U.), the North Atlantic Treaty Organization (NATO), the U.K., and the U.S.
The Ministry of Foreign Affairs (MFA) of the Czech Republic, in an official statement, revealed that certain undisclosed entities within the country fell victim to cyber attacks exploiting a security vulnerability in Microsoft Outlook, which was discovered early last year.
The MFA emphasized the severity of cyber attacks aimed at political entities, state institutions, and critical infrastructure, stressing that such incidents not only endanger national security but also undermine the very democratic processes upon which our free society is built.
The specific security flaw in focus, identified as CVE-2023-23397, was a critical privilege escalation vulnerability in Outlook, since patched, that could enable malicious actors to obtain Net-NTLMv2 hashes. These hashes could then be used in relay attacks to authenticate as the victim and gain unauthorized access.
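As an added example that is not part of the original article, the following Python check flags SMB connections from internal hosts to addresses outside the organisation's own ranges, which is the network path a captured Net-NTLMv2 response takes when a client is coaxed into authenticating to an outside server. The firewall log format, the internal address ranges and the sample lines are all assumptions constructed for this example.

```python
import ipaddress
import re
from typing import Iterable

# Address space the organisation treats as internal (RFC 1918 ranges); assumed for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports carrying SMB: a client pushed to open a remote UNC path authenticates over these.
SMB_PORTS = {139, 445}

# Assumed firewall log line shape: "<timestamp> action=<allow|deny> proto=tcp src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=tcp "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the organisation's internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_external_smb(lines: Iterable[str]) -> list[dict]:
    """Return one finding per log line where an internal host reached SMB on a non-internal address."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line
        dport = int(m["dport"])
        if dport not in SMB_PORTS:
            continue
        if is_internal(m["src"]) and not is_internal(m["dst"]):
            findings.append({
                "ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": dport, "action": m["action"],
                # an allowed connection means an NTLM response may already have left the network
                "severity": "high" if m["action"] == "allow" else "medium",
            })
    return findings


# Constructed sample log (not from any real environment); TEST-NET addresses stand in for external hosts.
SAMPLE_LOG = """\
2024-05-03T10:14:02Z action=allow proto=tcp src=10.20.1.55 dst=10.20.5.10 dport=445
2024-05-03T10:14:09Z action=allow proto=tcp src=10.20.1.55 dst=203.0.113.45 dport=445
2024-05-03T10:15:00Z action=allow proto=tcp src=10.20.1.61 dst=198.51.100.7 dport=443
2024-05-03T10:15:31Z action=deny proto=tcp src=10.20.1.62 dst=203.0.113.45 dport=139
""".splitlines()

if __name__ == "__main__":
    for f in find_external_smb(SAMPLE_LOG):
        print(f"{f['severity'].upper():6} {f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({f['action']})")
```

Internal SMB traffic and ordinary HTTPS are ignored; only the two lines reaching SMB ports on non-internal addresses are reported, with the allowed one rated higher because the authentication exchange was not blocked.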
Germany’s Federal Government (Bundesregierung) attributed to the group an attack on the Executive Committee of the Social Democratic Party that exploited the same Outlook vulnerability over an extended period, allowing the threat actor to compromise numerous email accounts within the organization.
The cyber campaign extended its reach across various industry verticals, including logistics, armaments, the aerospace industry, IT services, as well as foundations and associations.
The Bundesregierung implicated the group in the 2015 cyber attack on the German federal parliament (Bundestag), underscoring the breadth and persistence of their activities.
APT28, believed to be associated with Military Unit 26165 of the Russian Federation’s military intelligence agency GRU, is recognized across the cybersecurity landscape under multiple aliases, including BlueDelta, Fancy Bear, and others.
Recently, Microsoft identified the same hacking group as responsible for exploiting a zero-day vulnerability (CVE-2022-38028) in the Microsoft Windows Print Spooler component.
This exploit facilitated the deployment of a previously unidentified custom malware named GooseEgg, targeting governmental, non-governmental, educational, and transportation sector organizations across Ukraine, Western Europe, and North America.
NATO has strongly condemned Russia’s hybrid actions, describing them as a threat to Allied security. The Council of the European Union echoed similar sentiments, condemning Russia’s persistent pattern of irresponsible behavior in cyberspace.
The U.K. government, in response to the recent cyber activities attributed to APT28, expressed concerns over the Russian Intelligence Services’ systematic efforts to undermine democratic processes globally.
The U.S. Department of State reiterated its stance against APT28’s malicious activities, emphasizing its commitment to safeguarding allies and partners and upholding the rules-based international order, particularly in cyberspace.
In February, coordinated law enforcement efforts disrupted a botnet consisting of hundreds of small office and home office (SOHO) routers in the U.S. and Germany, suspected to have been exploited by APT28 actors.
These routers were allegedly used to obfuscate the group’s malicious activities, including the exploitation of CVE-2023-23397 against high-value targets.
According to a report by cybersecurity firm Trend Micro, the third-party criminal proxy botnet has been active since 2016, comprising various devices such as Linux-based routers, Raspberry Pi devices, and virtual private servers (VPS).
Despite efforts to dismantle the botnet, technical challenges and legal constraints have hindered comprehensive cleanup efforts.
Russian state-sponsored cyber threats, including data theft, destructive attacks, DDoS campaigns, and influence operations, continue to pose significant risks to elections in regions like the U.S., the U.K., and the E.U. Various threat groups, including APT28, APT29, and others, have been identified as potential actors in these activities.
In 2016, APT28, affiliated with the GRU, compromised U.S. Democratic Party organizations and orchestrated a leak campaign ahead of the U.S. Presidential election, as detailed by researchers Kelli Vanderlee and Jamie Collier.
Recent data from Cloudflare and NETSCOUT indicates a surge in DDoS attacks targeting Sweden following its NATO acceptance, reminiscent of similar patterns observed during Finland’s NATO accession in 2023.
The groups identified behind these attacks include politically motivated, pro-Russia entities such as NoName057 and Anonymous Sudan, among others.
A report by the European Union Agency for Cybersecurity (ENISA) highlights the increasing geopolitical motivations behind DDoS attacks, citing recent armed conflicts worldwide as influencing factors. This trend allows threat actors to select targets with impunity, escalating cyber tensions.
Against this backdrop, government agencies from Canada, the U.K., and the U.S. have collaborated to release a joint fact sheet aimed at securing critical infrastructure organizations from ongoing attacks perpetrated by pro-Russia hacktivists.
These attacks primarily target industrial control systems (ICS) and operational technology (OT) systems, posing risks to sectors such as water management, energy, and transportation.
The pro-Russia hacktivist groups exploit weaknesses in ICS equipment, including publicly exposed internet-facing connections and factory default passwords on human-machine interfaces (HMIs).
This enables them to gain remote access and manipulate critical parameters, posing physical threats to insecure OT environments.
To mitigate these risks, recommendations include enhancing the security of HMIs, restricting internet exposure of OT systems, enforcing strong and unique passwords, and implementing multi-factor authentication across OT networks.
The alert underscores the threat posed by hacktivist groups targeting modular, internet-exposed ICS components, such as HMIs, through tactics like exploiting VNC remote access software and default passwords.
These activities highlight the urgent need for enhanced cybersecurity measures to safeguard critical infrastructure from evolving threats.
