Russian APT28 hackers exploit Outlook flaw to target Czech, German, Polish organizations

Czechia, jointly with Germany, Lithuania, Poland, Slovakia, Sweden, the European Union, NATO, and international partners, condemns the actions of the Russian state-controlled actor APT28 targeting political entities, state institutions, and critical infrastructure installations. APT28 is associated with the Russian military intelligence service GRU and has been conducting a long-term cyber espionage campaign in European countries using a security flaw in Microsoft Outlook, CVE-2023-23397, that came to light early last year. The flaw lets a crafted calendar reminder make Outlook connect to an attacker-controlled server without any user interaction, leaking the victim's Net-NTLMv2 credential hash.

Last September, the group launched a targeted cyber attack against a Ukrainian critical energy infrastructure facility. Ukraine's Computer Emergency Response Team (CERT-UA) detailed that the Russian state-sponsored APT28 group carried out the attack and confirmed that the intrusion was prevented.

“Based on information from intelligence services, some Czech institutions have also been the target of cyber-attacks exploiting a previously unknown vulnerability in Microsoft Outlook from 2023,” the Ministry of Foreign Affairs of the Czech Republic, said in its Friday statement. “The mode of operation and the focus of these attacks matched the profile of the actor APT28. Affected subjects were offered technical recommendations and cooperation to enhance security measures. The actor APT28 has also been the subject of active measures in Czechia as part of the global operation Dying Ember.”

The statement added that Czechia has long been targeted by the Russian APT28 hackers. “Such activities are in violation of the UN norms of responsible state behavior in cyberspace and other international commitments. In the context of the upcoming European elections, national elections in a number of European countries, and the ongoing Russian aggression against Ukraine, these acts are particularly serious and reprehensible. We call on the Russian Federation to refrain from such actions.”

It also recognized that cyber attacks targeting political entities, state institutions, and critical infrastructure threaten national security, apart from disrupting the democratic processes on which a free society is based. 

The statement noted that Czech authorities will continue to take steps to strengthen the resilience of public institutions and the private sector. “Czechia is deeply concerned by these repeated cyber-attacks by state actors. We are determined to respond strongly to this unacceptable behavior together with our European and international partners.”

Germany’s Federal Government has determined that the cyber actor APT28 exploited a critical vulnerability in Microsoft Outlook for an extended period, compromising numerous email accounts. “Based on reliable information provided by our intelligence services, the actor APT28 has been attributed to the Russian Federation, and more specifically to the Russian military intelligence service GRU,” it added. 

“What is more, this actor’s campaign also targeted various government authorities and companies in the spheres of logistics, armaments, the air and space industry, and IT services, as well as foundations and associations,” according to the statement. “It was directed at entities in Germany, other European countries, and targets in Ukraine. APT28 is also responsible for the cyber attack that was perpetrated on the German Bundestag in 2015.”

It added that Germany is determined to work together with its European and international partners to counter such malicious cyber activities.

Poland said in its statement that it “stands in solidarity with Germany and with Czechia following the malicious cyber campaign against their political parties and democratic institutions. Both countries have publicly attributed the responsibility to the Advanced Persistent Threat 28 controlled by the Russian Federation.” 

It added that Poland, itself among the targets of APT28, strongly condemns the repeated and unacceptable malicious cyber campaigns conducted by Russian actors.

“Our position is expressed in the statements of the European Union and NATO,” according to the statement. “We call on all States, particularly Russia, private sector and individuals to adhere to the principles of responsible behavior in cyberspace.”

It also noted that given the continuous rise of cyber threats, Poland is committed to protecting national critical infrastructure, building resilience, and bolstering cyber defenses.

The European Union and its Member States, together with international partners, strongly condemn the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia. “The malicious cyber campaign shows Russia’s continuous pattern of irresponsible behavior in cyberspace, by targeting democratic institutions, government entities, and critical infrastructure providers across the European Union and beyond,” it added.

“This type of behavior is contrary to the UN norms of responsible state behavior in cyberspace, such as impairing the use and operation of critical infrastructure,” the European Council identified in its statement. “Disregarding international security and stability, Russia has repeatedly leveraged APT28 to conduct malicious cyber activities against the EU, its Member States, and international partners, most notably Ukraine.”

The EU will not tolerate such malicious behavior, particularly activities that aim to degrade our critical infrastructure, weaken societal cohesion, and influence democratic processes, mindful of this year’s elections in the EU and in more than 60 countries around the world. The EU and its Member States will continue to cooperate with our international partners to promote an open, free, stable, and secure cyberspace.

The EU is determined to use the full spectrum of measures to prevent, deter, and respond to Russia’s malicious behavior in cyberspace.

The U.S. also condemned the malicious cyber activity by Russia’s General Staff Main Intelligence Directorate (GRU). “We join Germany in attributing specific malign activity carried out by APT28 that targeted a German political party.”

“APT28, also known as Fancy Bear, Strontium, and Forest Blizzard, is a well-known threat actor with a long history of engaging in malicious, nefarious, destabilizing, and disruptive behavior,” the U.S. Department of State said in its statement. “The United States has previously indicted and sanctioned actors associated with APT28 for their involvement in a wide range of malign cyber activity, including cyber activities aimed at interfering in the 2016 U.S. presidential elections, and sustained hack-and-leak operations targeting the World Anti-Doping Agency (WADA) that intended to undermine and sow doubt in the integrity of the organization.”

Further, it disclosed that the Department of Justice has worked with Germany to remediate a network of hundreds of small office/home office routers that APT28 was using to conceal and carry out malicious activity, including the exploitation of CVE-2023-23397 against targets in Germany. The DOJ action further blocked the GRU from regaining access to remediated devices.

“Russia’s pattern of behavior blatantly disregards the Framework for Responsible State Behavior in Cyberspace, as affirmed by all United Nations Member States,” the statement added. “The United States is committed to the security of our allies and partners and upholding the rules-based international order, including in cyberspace. We call on Russia to stop this malicious activity and abide by its international commitments and obligations. With the EU and our NATO Allies, we will continue to take action to disrupt Russia’s cyber activities, protect our citizens and foreign partners, and hold malicious actors accountable.”

In April 2023, lead security agencies in the U.S. and U.K. released a joint Cybersecurity Advisory (CSA) on the tactics, techniques, and procedures (TTPs) associated with APT28’s exploitation of Cisco routers. The agencies assessed that APT28 used CVE-2017-6742, a flaw in the SNMP subsystem of Cisco IOS and IOS XE, to perform reconnaissance of poorly maintained, unpatched routers and to deploy malware on them.
