Top Russian military hackers target NATO using Microsoft Outlook exploits

[Image: A stressed-out hacker looking at a laptop screen. Image credit: Yuri A/Shutterstock]

Between April and December 2022, the NATO Rapid Deployable Corps, a NATO force that can be deployed quickly to command NATO forces, was targeted by Russian state-sponsored hackers.

This is according to cybersecurity researchers Unit 42, a security arm of Palo Alto Networks, who noted that the hackers were after sensitive data and other valuable intelligence.

A few weeks after the invasion of Ukraine, a threat actor known as APT28 (AKA Fancy Bear, Fighting Ursa) started abusing a zero-day vulnerability in Microsoft Outlook to target the State Migration Service of Ukraine with malware. A month later, Unit 42 says, it used the same vulnerability - tracked as CVE-2023-23397 - in more campaigns. In total, the networks of roughly 15 government, military, energy, and transportation organizations around Europe were targeted. The Russians were after emails containing military intelligence that might aid the country's war effort.

NATO members under attack

By the time Microsoft patched the flaw a year later, APT28 had already gained enough access, obtained enough credentials, and established enough persistence to keep going. It expanded its campaign in May this year, when it started abusing a separate flaw, tracked as CVE-2023-29324.

Now, Unit 42 claims all of the affected countries are NATO members, and in one instance, even the NATO Rapid Deployable Corps was a target.

"Using a zero-day exploit against a target indicates it is of significant value. It also suggests that existing access and intelligence for that target were insufficient at the time," Unit 42 said. "In the second and third campaigns, Fighting Ursa continued to use a publicly known exploit that was already attributed to them, without changing their techniques. This suggests that the access and intelligence generated by these operations outweighed the ramifications of public outing and discovery."

"For these reasons, the organizations targeted in all three campaigns were most likely a higher than normal priority for Russian intelligence."

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.