Russian APT28 Group in New “GooseEgg” Hacking Campaign

APT28, also known as Strontium or Forest Blizzard, is a Russian cyber-espionage group that has been active for years. They have gained notoriety for their sophisticated tactics and have previously been linked to the Russian General Staff Main Intelligence Directorate. Microsoft's recent disclosure revealed that APT28 has been leveraging a newly discovered tool called “GooseEgg” since at least April 2019. This tool exploits a vulnerability in the Windows Print Spooler, specifically CVE-2022-38028, which was initially reported to Microsoft by the NSA and patched in October 2022. By exploiting this vulnerability, APT28 can modify JavaScript files and execute them with system level permissions, allowing them to steal credentials and sensitive information from targeted networks.

The targets of APT28’s recent campaign include organizations in Ukraine, Western Europe, and North America across various sectors such as government, non-governmental organizations, education, and transportation. This highlights the group’s strategic focus on gathering intelligence rather than engaging in destructive attacks.

Security Officer Comments:
CVE-2022-38028 is particularly concerning because it allows attackers to escalate privileges and execute malicious code with system level access. Exploiting this vulnerability proves APT28 with a foothold in targeted networks, facilitating their data theft and reconnaissance operations. Further, GooseEgg the post compromise tool utilized by APT28, not not a complex piece of malware but rather a launcher application. Despite its simplicity, it grants threat actors significant capabilities. It can spawn other applications with elevated permissions, enabling APT28 to execute various follow-on objectives like remote code execution, backdoor installation, and later movement within the network. This versatility makes GooseEgg a concerning tool for carrying out targeted attacks and espionage activities.

Suggested Corrections:


Microsoft recommends the following mitigations defend against attacks that use GooseEgg:
  • Reduce the Print Spooler vulnerability
    • Microsoft released a security update for the Print Spooler vulnerability exploited by GooseEgg on October 11, 2022 and updates for PrintNightmare vulnerabilities on June 8, 2021 and July 1, 2021. Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security. In addition, since the Print Spooler service isn’t required for domain controller operations, Microsoft recommends disabling the service on domain controllers. Otherwise, users can install available Windows security updates for Print Spooler vulnerabilities on Windows domain controllers before member servers and workstations. To help identify domain controllers that have the Print Spooler service enabled, Microsoft Defender for Identity has a built-in security assessment that tracks the availability of Print Spooler services on domain controllers.
  • Be proactively defensive
    • For customers, follow the credential hardening recommendations in our [on-premises credential theft overview]( to defend against common credential theft techniques like LSASS access.
    • Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
    • Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
    • Turn on cloud-delivered protection in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.