The Czech Republic and Germany revealed on Friday that they were the targets of a long-running cyber espionage campaign by the Russia-linked nation-state group APT28, a disclosure that drew condemnation from the European Union (EU) and the North Atlantic Treaty Organization (NATO).
The Czech Republic’s Ministry of Foreign Affairs (MFA) said in a statement that unnamed entities in the country were attacked as a result of a Microsoft Outlook security flaw that came to light early last year.
“Cyber attacks targeting political entities, state institutions and critical infrastructure not only pose a threat to national security but also undermine the democratic processes on which our free societies depend,” the ministry said.
The vulnerability in question is CVE-2023-23397, a critical privilege escalation flaw in Outlook, patched in March 2023, that could allow an attacker to obtain a victim's Net-NTLMv2 hash and relay it to authenticate as that user. It requires no user interaction: a crafted message carrying a UNC path in its reminder-sound property causes Outlook to connect to the attacker's SMB server, and leak the hash, as soon as the reminder fires.
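Because the trigger is a single message property, the first thing a defender wants after patching is a way to find messages that already carry a remote reminder-sound path. The Python below is an added example, not code from the article, from Microsoft or from any of the vendors cited; it assumes the property name PidLidReminderFileParameter (PSETID_Common, LID 0x851F, as documented in MS-OXPROPS) and operates on constructed message records that stand in for values a real tool would read from Exchange or from a PST/MSG parser. It classifies each path as local or remote, handles the prefix forms Windows accepts (\\host\share, //host/share, \\?\UNC\host\share and the WebDAV host@SSL@443 form), and notes whether a literal IP host is inside private address space.

```python
"""Flag mail/calendar items whose custom reminder-sound path would make Outlook
authenticate to a remote host (the CVE-2023-23397 trigger).

Added illustration, not code from the original article or from Microsoft.
Assumptions: the property name PidLidReminderFileParameter (PSETID_Common,
LID 0x851F per MS-OXPROPS); the SAMPLE_MESSAGES records are constructed and
stand in for values a real tool would pull from Exchange or a PST/MSG parser.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Paths that make the SMB/WebDAV client reach out to another host.
UNC_RE = re.compile(
    r"""^(?:\\\\\?\\UNC\\|\\\\|//)                 # long-UNC, UNC, or slash prefix
        (?P<host>\[[0-9A-Fa-f:.]+\]|[^\\/@]+)      # hostname, IPv4, or [IPv6]
        (?:@(?:SSL@)?\d+)?                         # optional WebDAV port suffix
        (?:[\\/]|$)                                # share separator or end
    """,
    re.VERBOSE | re.IGNORECASE,
)


def parse_unc_host(path: Optional[str]) -> Optional[str]:
    """Return the remote host named by a UNC/WebDAV path, or None for local paths."""
    if not path:
        return None
    m = UNC_RE.match(path.strip())
    if not m:
        return None
    host = m.group("host")
    if host.startswith("[") and host.endswith("]"):  # strip IPv6 brackets
        host = host[1:-1]
    return host


def is_external_literal(host: str) -> Optional[bool]:
    """True for an IP literal outside private/loopback/link-local/reserved space,
    False for an internal literal, None for a hostname (no DNS lookup is done)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved)


@dataclass
class ReminderFinding:
    message_id: str
    host: str
    external_ip: Optional[bool]
    raw_path: str


def scan_messages(messages: Iterable[dict]) -> List[ReminderFinding]:
    """Return one finding per message whose reminder sound points at a network host."""
    findings: List[ReminderFinding] = []
    for msg in messages:
        raw = msg.get("PidLidReminderFileParameter")
        host = parse_unc_host(raw)
        if host is None:
            continue  # property unset, or a local file such as C:\Windows\Media\Alarm01.wav
        findings.append(ReminderFinding(msg["id"], host, is_external_literal(host), raw))
    return findings


# Constructed records; example.net is a reserved documentation domain.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "subject": "Weekly sync",
     "PidLidReminderFileParameter": r"\\files.example.net\snd\alert.wav"},
    {"id": "msg-002", "subject": "Dentist",
     "PidLidReminderFileParameter": r"C:\Windows\Media\Alarm01.wav"},
    {"id": "msg-003", "subject": "Budget review",
     "PidLidReminderFileParameter": r"\\?\UNC\10.0.0.5\snd\ping.wav"},
    {"id": "msg-004", "subject": "Lunch"},  # no custom reminder sound at all
    {"id": "msg-005", "subject": "Standup",
     "PidLidReminderFileParameter": r"\\files.example.net@SSL@443\DavWWWRoot\a.wav"},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        kind = {True: "external IP", False: "internal IP", None: "hostname"}[f.external_ip]
        print(f"{f.message_id}: reminder sound -> {f.host} ({kind}): {f.raw_path}")
```

Finding such messages is triage, not mitigation: the fix is the Outlook patch, and Microsoft's advisory additionally recommended blocking outbound TCP 445 at the perimeter and placing high-value accounts in the Protected Users group, which disables NTLM for them. An internal host in the property is not automatically benign either, since a relay can be staged from a compromised internal machine; the classification above only helps prioritise.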
Germany’s federal government (the Bundesregierung) blamed the same group for a cyberattack on the executive committee of the Social Democratic Party that used the same Outlook vulnerability “over a relatively long period of time,” allowing it to “compromise a large number of email accounts.”
Industry verticals targeted by the campaign include logistics, armaments, aerospace, IT services, and foundations and associations based in Germany, Ukraine and elsewhere in Europe, with the German government also hinting at the group’s involvement in the 2015 attack on the German federal parliament, the Bundestag.
APT28 has been assessed to have ties to Military Unit 26165 of Russia’s military intelligence agency, the GRU, and is tracked by the wider cybersecurity community as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy and TA422.
Late last month, Microsoft attributed to the group the exploitation of a Windows Print Spooler flaw (CVE-2022-38028, CVSS score: 7.8) as a zero-day to deliver a previously unknown custom malware called GooseEgg against organizations in Ukraine and Western countries.
NATO said Russia’s hybrid operation “posed a threat to Allied security.” The Council of the European Union also stated that “malicious cyber activities demonstrate Russia’s continued pattern of irresponsible behavior in cyberspace.”
The UK government said: “Recent activities by the Russian GRU cyber group APT28, including attacks on executives of the German Social Democratic Party, are the latest in a known pattern of Russian intelligence services undermining democratic processes around the world.”
The U.S. State Department described APT28 as engaging in “malicious, nefarious, destabilizing and destructive conduct” and said it is committed to “the security of our allies and partners and upholding the rules-based international order, including in cyberspace.”
In early February of this year, a coordinated law enforcement operation disrupted a botnet of hundreds of small office and home office (SOHO) routers in the United States and Germany that APT28 is believed to have used to conceal its malicious activity, including exploitation of CVE-2023-23397 against targets of interest.
According to a report this week by cybersecurity firm Trend Micro, the criminal proxy botnet dates back to 2016 and includes not only Ubiquiti routers but also other Linux-based routers, Raspberry Pi devices and virtual private servers (VPS).
“The threat actor [behind the botnet] managed to move some of the EdgeRouter bots from the C&C [command-and-control] server that was taken down on January 26, 2024, to newly established C&C infrastructure in early February 2024,” the company said, adding that legal constraints and technical challenges prevented a thorough cleanup of all the ensnared routers.
Russian state-sponsored cyber threat activity (data theft, destructive attacks, DDoS campaigns and influence operations) is also expected to pose a serious risk to elections in the United States, the United Kingdom and the European Union, according to an assessment released last week by Mandiant, which names APT44 (also known as Sandworm), COLDRIVER, KillNet, APT29 and APT28 among the groups involved.
Researchers Kelli Vanderlee and Jamie Collier said: “In 2016, GRU-linked APT28 compromised U.S. Democratic Party organizations as well as the personal account of a Democratic presidential candidate’s campaign chairman, and orchestrated a leak campaign ahead of the 2016 U.S. presidential election.”
Additionally, data from Cloudflare and NETSCOUT show a surge in DDoS attacks against Sweden after Sweden joined the NATO alliance, similar to a pattern observed during Finland’s 2023 entry into NATO.
“Possible culprits for these attacks include hacker groups NoName057, Anonymous Hundred, Russian Cyber Army Team and KillNet,” NETSCOUT said. “All of these groups are politically motivated and support Russian ideals.”
Meanwhile, government agencies in Canada, the United Kingdom and the United States have released a new joint fact sheet to help critical infrastructure organizations defend against apparently pro-Russian hacktivists who have been observed targeting industrial control systems (ICS) and small-scale operational technology (OT) systems.
“Pro-Russia hacktivist activity appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects,” the agencies said. “However, investigations have identified that these actors are capable of techniques that pose physical threats against insecure and misconfigured OT environments.”
Targets of these attacks include organizations in critical infrastructure sectors across North America and Europe, including water and wastewater systems, dams, energy, and the food and agriculture sector.
The hacktivists have been observed gaining remote access through publicly exposed, internet-facing connections and factory-default passwords on the human machine interfaces (HMIs) that are common in such environments, then tampering with mission-critical parameters, turning off alarm mechanisms and locking operators out by changing administrative passwords.
Recommendations for mitigating threats include hardening human-machine interfaces, limiting the exposure of OT systems to the network, using strong and unique passwords, and implementing multi-factor authentication for all access to OT networks.
“These hacktivists seek to compromise modular, internet-exposed industrial control systems (ICS) through their software components, such as human machine interfaces (HMIs), by exploiting virtual network computing (VNC) remote access software and default passwords,” the alert states.