A cyber-espionage campaign run by APT28, the hacking group attributed to Russian military intelligence, has used a Microsoft Outlook zero-day exploit to breach networks in NATO member countries, with a particular focus on a NATO Rapid Deployable Corps.
The campaign has been running for roughly 20 months and has exploited CVE-2023-23397 across three distinct waves of activity, hitting at least 30 organisations in 14 countries. The targets appear to have been chosen for the strategic intelligence value they hold for the Russian military and government.
The APT28 campaign began shortly after Russia invaded Ukraine.
Its earliest activity dates to March 2022, about three weeks after the invasion, when the hackers used the Outlook zero-day against the State Migration Service of Ukraine, tying the operation directly to events on the ground.
Between mid-April and December 2022 they went on to compromise the networks of 15 further organisations, ranging from government and military bodies to energy and transportation operators.
Although Microsoft patched the flaw in March 2023, APT28 kept exploiting CVE-2023-23397, by then a publicly known vulnerability, to steal credentials and move laterally through compromised networks. In May 2023 the attackers also used CVE-2023-29324, a Windows MSHTML platform security-feature bypass that defeated Microsoft's March fix for CVE-2023-23397, which further widened the set of systems they could reach.
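The mechanism behind the credential theft is not described in the article above, but Microsoft's advisory for CVE-2023-23397 is public: Outlook reads the PidLidReminderFileParameter property of a message and, when it holds a UNC path, opens that path when the reminder fires, so the client authenticates (NTLM) to whichever host the attacker named before the user has interacted with the message at all. The following Python is an added example, not code from the article or from the researchers' or Microsoft's tooling: it triages exported message metadata for that indicator and separates paths that reach an internal host from those that reach the Internet. The message records, the internal-network allowlist and the host suffix are all constructed assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed allowlist of what counts as "internal" for this organisation.
# A real deployment would load this from its asset inventory.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Path forms that make a Windows client open a network connection (and
# therefore authenticate) rather than a local file:
#   \\host\share\file            plain UNC
#   \\?\UNC\host\share\file      long-path UNC prefix
#   \\.\UNC\host\share\file      device-namespace UNC prefix
#   \\host@80\DavWWWRoot\file    WebDAV (WebClient) syntax with port / @SSL
UNC_RE = re.compile(
    r"^\\\\(?:\?\\UNC\\|\.\\UNC\\)?"        # leading \\ plus optional UNC prefix
    r"(?P<host>[^\\@]+)"                    # the host the client will contact
    r"(?:@(?P<port>\d+|SSL))?"              # optional WebDAV port marker
    r"(?=\\|$)",                            # end of host component
    re.IGNORECASE,
)


@dataclass
class Finding:
    message_id: str
    path: str
    host: str
    external: bool   # True when the host is outside the allowlisted estate


def remote_host(path: str) -> Optional[str]:
    """Return the host a client would contact to open `path`, or None if the
    path is local (drive letter, relative) or empty. Forward slashes are
    normalised because Windows accepts //host/share as UNC too."""
    if not path:
        return None
    m = UNC_RE.match(path.replace("/", "\\"))
    return m.group("host").lower() if m else None


def is_internal(host: str) -> bool:
    """Classify a host as inside the estate by IP range or DNS suffix."""
    try:
        addr = ipaddress.ip_address(host)
        return addr.is_loopback or any(addr in net for net in INTERNAL_NETWORKS)
    except ValueError:
        return host == "localhost" or host.endswith(INTERNAL_SUFFIXES)


def triage(messages) -> list:
    """Flag every message whose reminder file override points at a remote host.
    Each message is a dict of exported MAPI properties; only the
    PidLidReminderFileParameter value (LID 0x851F in PSETID_Common) matters."""
    findings = []
    for msg in messages:
        path = msg.get("PidLidReminderFileParameter")
        host = remote_host(path) if path else None
        if host is None:
            continue
        findings.append(Finding(msg["id"], path, host, not is_internal(host)))
    return findings


# Constructed sample export (not real messages). 203.0.113.0/24 is a
# documentation range, standing in for attacker infrastructure.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "colleague@corp.example",
     "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},
    {"id": "m2", "from": "unknown@example.net",
     "PidLidReminderFileParameter": r"\\203.0.113.7\share\notify.wav"},
    {"id": "m3", "from": "unknown@example.net",
     "PidLidReminderFileParameter": r"\\?\UNC\203.0.113.7\share\notify.wav"},
    {"id": "m4", "from": "unknown@example.net",
     "PidLidReminderFileParameter": r"\\dav.example.net@80\DavWWWRoot\x.wav"},
    {"id": "m5", "from": "it@corp.example",
     "PidLidReminderFileParameter": r"\\fileserver.corp.example\sounds\ding.wav"},
    {"id": "m6", "from": "colleague@corp.example"},   # no reminder override
]

if __name__ == "__main__":
    for f in triage(SAMPLE_MESSAGES):
        print(f"{f.message_id}: {'EXTERNAL' if f.external else 'internal'} "
              f"host {f.host} via {f.path}")
```

Any message carrying a remote reminder path is unusual and worth a look, since legitimate mail almost never sets that property; the external/internal split only orders the queue. Microsoft's own check for this indicator is a PowerShell script run against Exchange mailboxes, and the March 2023 fix rejects remote paths via a zone check, which is exactly the check CVE-2023-29324 bypassed, so a patched client is not a reason to skip searching mailboxes for the indicator.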
Further investigation showed that every targeted country except Ukraine is a current NATO member. The hackers also went after at least one NATO Rapid Deployable Corps, a high-readiness force headquarters able to take command of NATO forces at short notice.
The campaign's focus is not limited to defence bodies, however. Russian-backed hackers also target critical infrastructure organisations, including the energy sector, pipeline infrastructure, and material, personnel and air transportation.
The researchers noted that spending a zero-day on these targets implies they were valuable enough to justify the cost. In the later waves, APT28 kept using the exploit after it had become public, indicating that the expected gains outweighed the risk of exposure.
The targeted organisations are therefore a high priority for Russian military hackers, since they could supply intelligence that Russia needs to sustain its war against Ukraine.
