Russian Military Hackers Target NATO Fast Reaction Corps

Cyber Security Threat Summary:
APT28, a group of Russian military hackers, has been exploiting a Microsoft Outlook zero-day (CVE-2023-23397) since March 2022 to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. Over the course of 20 months, researchers at Palo Alto Networks' Unit 42 observed the group run three separate campaigns against at least 30 organizations across 14 nations judged to be of probable strategic intelligence value to Russia's military and government. Although Microsoft patched CVE-2023-23397 a year later, in March 2023, the actors have continued to exploit the flaw, which lets a crafted message or calendar item carrying a reminder make Outlook authenticate to an attacker-controlled server and leak the victim's NTLM credentials, which the attackers then use to move laterally across compromised networks. What's more, a bypass for the patch (CVE-2023-29324), affecting all supported versions of Windows, was disclosed in May 2023, widening the overall attack surface.
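The property the exploit abuses is the reminder sound path on a mail, appointment or task item (PidLidReminderFileParameter); a UNC path there makes Outlook authenticate to the named host. The following triage helper is an added example, not code from the original report, from Unit 42, or from Microsoft's own CVE-2023-23397 hunting script. It assumes an analyst has already extracted the property values from mailbox items and classifies each one; the sample values are constructed and are not real indicators. Because the May bypass showed that a check which tries to decide whether a path is "local" can be fooled, the helper treats anything that is not a plain local path as hostile.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample values for the Outlook PidLidReminderFileParameter
# property (custom reminder sound path). Not real indicators.
SAMPLE_REMINDER_PATHS = [
    r"C:\Windows\Media\Alarm01.wav",          # benign local file
    "file:///C:/Windows/Media/chimes.wav",    # benign local file URL
    r"\\192.0.2.10\share\alert.wav",          # classic UNC -> SMB + NTLM
    r"\\192.0.2.10@80\webdav\alert.wav",      # WebDAV-style UNC
    "//files.example.net/public/ping.wav",    # forward-slash UNC
    r"\\?\UNC\192.0.2.10\share\alert.wav",    # device-path form of a UNC
    "file://198.51.100.7/s/a.wav",            # file URL with a remote host
    r"\\.\pipe\something",                    # device path, never a sound file
    "",                                       # property not set
]

_URL = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/\\]*)")
_DEVICE_UNC = re.compile(r"^\\\\[?.]\\UNC\\([^\\]+)\\", re.IGNORECASE)
_UNC = re.compile(r"^\\\\([^\\?.][^\\]*)\\")


@dataclass(frozen=True)
class Verdict:
    kind: str              # unset | local | unc | device-unc | url | suspicious
    host: Optional[str]    # host the client would authenticate to, if any


def classify_reminder_path(value: Optional[str]) -> Verdict:
    """Decide whether a reminder sound path would make Outlook reach off-host."""
    if value is None or not value.strip():
        return Verdict("unset", None)
    v = value.strip()

    m = _URL.match(v)
    if m:
        scheme, authority = m.group(1).lower(), m.group(2)
        if scheme == "file" and authority == "":
            return Verdict("local", None)          # file:///C:/... stays on the box
        # Drop any user:pass@ prefix and :port suffix, keep the host.
        return Verdict("url", authority.rsplit("@", 1)[-1].split(":")[0].lower())

    v = v.replace("/", "\\")                       # Windows accepts either separator
    m = _DEVICE_UNC.match(v)
    if m:
        return Verdict("device-unc", m.group(1).split("@")[0].lower())
    m = _UNC.match(v)
    if m:
        # host@port is the WebDAV form; the host is the part before '@'.
        return Verdict("unc", m.group(1).split("@")[0].lower())
    if v.startswith("\\\\"):
        # Some other \\?\ or \\.\ device path. There is no legitimate reason
        # for one in a reminder sound field, so flag it even without a host.
        return Verdict("suspicious", None)
    return Verdict("local", None)


REMOTE_KINDS = {"unc", "device-unc", "url", "suspicious"}


def flag_remote_reminders(paths: Iterable[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (path, host) for every value that should be investigated."""
    flagged = []
    for p in paths:
        verdict = classify_reminder_path(p)
        if verdict.kind in REMOTE_KINDS:
            flagged.append((p, verdict.host))
    return flagged


if __name__ == "__main__":
    for path, host in flag_remote_reminders(SAMPLE_REMINDER_PATHS):
        print(f"FLAG host={host or '-':<20} value={path}")
```

The hosts the helper extracts are what you would block at the egress firewall and pivot on in proxy and SMB logs; the classification itself is only a hunting aid and does not replace applying the Outlook patch and the later Windows fix for the bypass.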

Security Officer Comments:
Since Russia's invasion of Ukraine, APT28 has been actively launching attacks against Ukraine and its NATO allies. The goal is to steal intelligence from, and disrupt, critical infrastructure organizations involved in energy production, pipeline operations, material handling, personnel, and air transportation, among others, in order to give Russia an advantage in the ongoing conflict. Governments and critical infrastructure providers should therefore track the latest tactics employed by APT28, patch known vulnerabilities such as CVE-2023-23397 (including the later Windows fix for the CVE-2023-29324 bypass), and configure endpoint and network protections, for example blocking outbound SMB (TCP 445) to the internet so a leaked NTLM authentication cannot reach an attacker's server, and placing high-value accounts in the Protected Users group so they cannot authenticate with NTLM at all.