The Czech Republic and Germany revealed on Friday that they had been the targets of a long-term cyber espionage campaign by a Russia-linked nation-state actor known as APT28, drawing condemnation from the European Union (EU), the North Atlantic Treaty Organization (NATO), the UK, and the USA.
The Ministry of Foreign Affairs (MFA) of the Czech Republic said in a statement that some unnamed entities in the country had been attacked through the exploitation of a security flaw in Microsoft Outlook that was revealed early last year.
“Cyberattacks targeting political entities, state institutions, and critical infrastructure not only pose a threat to national security but also disrupt the democratic processes that are the foundation of free societies,” the MFA said.
The security flaw in question is CVE-2023-23397, a now-patched critical privilege escalation bug in Outlook that allows an attacker to obtain Net-NTLMv2 hashes and use them to authenticate themselves via relay attacks.
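The defender's side of this flaw is a mailbox check. The script below is an added example written for this page (it is not code from the original article or from Microsoft): it scans a constructed set of mailbox items for the reminder-sound property (PidLidReminderFileParameter) that CVE-2023-23397 abuses and flags items whose value is a UNC path to a host outside the organization, which is what would make Outlook send the outbound NTLM authentication that leaks the Net-NTLMv2 hash. The trusted DNS suffix list, the sample messages, and the placeholder hostnames are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumption: DNS suffixes the organisation treats as internal; fill from your own inventory.
TRUSTED_SUFFIXES = (".corp.example",)

# The MAPI property holding a custom reminder sound path; CVE-2023-23397 abused it
# to make Outlook fetch the file from an attacker-controlled SMB/WebDAV host.
REMINDER_FILE_PROPERTY = "PidLidReminderFileParameter"

# Matches the host part of a UNC path: \\host\share, \\host@port\share, \\host@SSL@443\share
UNC_HOST_RE = re.compile(r"^[\\/]{2}([^\\/@]+)(?:@[^\\/]*)?[\\/]")


@dataclass
class Finding:
    message_id: str
    sender: str
    unc_host: str
    reason: str


def is_internal_host(host: str) -> bool:
    """True when a UNC host would resolve inside the organisation's own network."""
    host = host.strip("[]").lower()
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        pass  # not an IP literal, treat it as a DNS name
    if "." not in host:
        return True  # short NetBIOS-style name, resolved within the domain
    return host.endswith(TRUSTED_SUFFIXES)


def scan_messages(messages):
    """Return a Finding for every item whose reminder sound points at an external UNC host."""
    findings = []
    for msg in messages:
        path = msg.get("properties", {}).get(REMINDER_FILE_PROPERTY)
        if not path:
            continue  # no custom reminder sound set
        match = UNC_HOST_RE.match(path)
        if not match:
            continue  # plain local path such as C:\Windows\Media\Alarm01.wav
        host = match.group(1)
        if is_internal_host(host):
            continue
        findings.append(Finding(msg["id"], msg["from"], host,
                                "reminder sound fetched from external UNC host"))
    return findings


# Constructed sample mailbox items; senders and hosts are placeholders, not real addresses.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "from": "colleague@corp.example",
     "properties": {REMINDER_FILE_PROPERTY: r"C:\Windows\Media\Alarm01.wav"}},
    {"id": "msg-2", "from": "it-desk@corp.example",
     "properties": {REMINDER_FILE_PROPERTY: r"\\10.0.0.5\sounds\ding.wav"}},
    {"id": "msg-3", "from": "invoice@sender-placeholder.example",
     "properties": {REMINDER_FILE_PROPERTY: r"\\attacker-placeholder.example\share\r.wav"}},
    {"id": "msg-4", "from": "hr@sender-placeholder.example",
     "properties": {REMINDER_FILE_PROPERTY: r"\\attacker-placeholder.example@80\dav\r.wav"}},
    {"id": "msg-5", "from": "colleague@corp.example", "properties": {}},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f.message_id} from {f.sender}: {f.reason} ({f.unc_host})")
```

In a real deployment the property values would be pulled from mailboxes through the mail server's API rather than from inline dictionaries; the decision logic stays the same, and any hit is a reason to verify that the relevant patch is installed and that outbound SMB from the client network is blocked at the perimeter.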
The German Federal Government (also known as the Bundesregierung) said the same Outlook vulnerability was used in a targeted cyber attack against the Executive Committee of the Social Democratic Party, with the attacker exploiting it “for a relatively long time” to “compromise a large number of email accounts.”
Industries targeted as part of the campaign include logistics, armaments, aerospace, and IT services, as well as foundations and organizations in Germany, Ukraine, and Europe. The group is also said to have been involved in attacks on the German Federal Parliament (Bundestag).
APT28 is assessed to be associated with military unit 26165 of the GRU, the Russian Federation's military intelligence agency. The group is also tracked as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422.
Late last month, Microsoft announced that the hacking group had exploited a flaw in the Microsoft Windows Print Spooler component (CVE-2022-38028, CVSS score: 7.8) as a zero-day to deploy previously unknown custom malware called GooseEgg in intrusions in Ukraine and Western countries, against organizations in the government, non-governmental, education, and transportation sectors in Europe and North America.
NATO said Russia's hybrid actions “constitute a threat to the security of Allied nations.” The Council of the European Union agreed, saying that “malicious cyber campaigns demonstrate a continuing pattern of Russia's irresponsible behavior in cyberspace.”
The UK government said: “Recent activity by the Russian GRU cyber group APT28, including targeting senior leaders of the German Social Democratic Party, is the latest in a known pattern of behavior by Russian intelligence services that undermines democratic processes around the world.”
The U.S. State Department said APT28 is known to engage in “malicious, nefarious, destabilizing, and destructive behavior” and that the U.S. is working hard to uphold “the security of our allies and partners and the rules-based international order.”
In early February of this year, a coordinated law enforcement action disrupted a botnet consisting of hundreds of small office and home office (SOHO) routers in the United States and Germany. APT28 actors are believed to have used this botnet to conceal malicious activity, including the exploitation of CVE-2023-23397 against targets of interest.
According to a report this week from cybersecurity firm Trend Micro, the botnet is a third-party criminal proxy network dating back to 2016 and is made up not only of Ubiquiti routers but also of other Linux-based routers, Raspberry Pis, and virtual private servers (VPS).
“The threat actor [behind the botnet] managed to move some of the EdgeRouter bots from the C&C [command-and-control] servers that were taken down on January 26, 2024, to a newly set up C&C infrastructure in early February 2024,” the company said, adding that, due to legal constraints and technical challenges, not all of the affected routers could be thoroughly cleaned.
Russian state-led cyber threat activity (data theft, sabotage attacks, DDoS campaigns, and influence operations) is also expected to pose a serious risk to elections in the U.S., the U.K., the EU, and other regions, driven by multiple groups such as APT44 (also known as Sandworm), COLDRIVER, KillNet, APT29, and APT28, according to an assessment published last week by Google Cloud subsidiary Mandiant.
Researchers Kelli Vanderlee and Jamie Collier wrote, “In 2016, GRU-affiliated APT28 compromised U.S. Democratic Party organizational targets and the personal account of the Democratic presidential candidate's campaign chairman, and orchestrated a leak campaign ahead of the 2016 U.S. presidential election.”
Additionally, data from Cloudflare and NETSCOUT shows a sharp increase in DDoS attacks targeting Sweden after it joined the NATO alliance, mirroring the pattern observed when Finland joined NATO in 2023.
“Possible culprits for these attacks include hacker groups NoName057, Anonymous Sudan, Russian Cyber Army Team, and KillNet,” NETSCOUT said. “All these groups are politically motivated and support Russian ideals.”
The development follows a new joint fact sheet from Canadian, British, and U.S. government agencies on protecting critical infrastructure organizations from continued attacks by apparent pro-Russian hacktivists on industrial control systems (ICS) and small-scale operational technology (OT) systems, observed since 2022.
“The activities of pro-Russian hacktivists appear to be mostly limited to simple methods of manipulating ICS equipment to create nuisance effects,” the agencies said. “However, our investigation revealed that these attackers were able to use techniques that posed a physical threat to insecure and misconfigured OT environments.”
Targets of these attacks include organizations in critical infrastructure sectors in North America and Europe, such as water and wastewater systems, dams, energy, and food and agriculture sectors.
Hacktivist groups have been observed gaining remote access by exploiting internet-exposed connections and factory default passwords on the human machine interfaces (HMIs) prevalent in such environments, and then tampering with mission-critical parameters, turning off alarm mechanisms, and locking out operators by changing the administrator password.
Recommended mitigations include hardening HMIs, limiting the exposure of OT systems to the internet, using strong, unique passwords, and implementing multi-factor authentication for all access to the OT network.
“These hacktivists are exploiting virtual network computing (VNC) remote access software and default passwords to access internet-exposed modular industrial control systems (ICS) through software components such as human machine interfaces (HMIs),” the alert states.
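The mitigations listed above translate directly into an inventory check. The following is an added example (not code from the advisory or from the agencies that issued it): it audits a constructed list of OT assets for the conditions the fact sheet singles out, remote access such as VNC reachable from the internet, factory-default or weak passwords, and remote access without MFA, and orders the findings by severity so that an internet-exposed HMI still on a default password comes first. The default-password list, the asset records, and the 14-character minimum are assumptions.

```python
from dataclasses import dataclass

# Assumption: a constructed list of factory/default credentials commonly left on HMIs;
# a real audit would load the vendor-specific defaults for each product in the plant.
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345", "operator"}
MIN_PASSWORD_LEN = 14  # assumed policy threshold

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}


@dataclass
class Asset:
    name: str
    role: str              # e.g. "HMI" or "PLC"
    remote_access: str     # e.g. "vnc", "rdp", or "none"
    internet_exposed: bool
    password: str
    mfa_enforced: bool


@dataclass
class Finding:
    asset: str
    severity: str
    issue: str
    fix: str


def audit_asset(a: Asset) -> list[Finding]:
    """Apply the three checks from the joint fact sheet to one asset."""
    findings = []
    weak_password = a.password in DEFAULT_PASSWORDS or len(a.password) < MIN_PASSWORD_LEN

    # Internet-exposed remote access is the entry point; a weak password makes it critical.
    if a.internet_exposed and a.remote_access != "none":
        findings.append(Finding(a.name, "critical" if weak_password else "high",
                                f"{a.remote_access} reachable from the internet",
                                "remove direct exposure; require VPN or a jump host"))
    if weak_password:
        findings.append(Finding(a.name, "high", "default or short password",
                                "set a strong, unique password"))
    if a.remote_access != "none" and not a.mfa_enforced:
        findings.append(Finding(a.name, "medium", "remote access without MFA",
                                "enforce MFA for all access to the OT network"))
    return findings


def audit_inventory(assets: list[Asset]) -> list[Finding]:
    """Audit every asset and return findings, most severe first (stable order within a level)."""
    findings = [f for a in assets for f in audit_asset(a)]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)


# Constructed sample inventory; names and passwords are placeholders.
SAMPLE_ASSETS = [
    Asset("wtp-hmi-01", "HMI", "vnc", True, "admin", False),            # worst case: all three issues
    Asset("dam-hmi-02", "HMI", "vnc", False, "Tq7!vL2m#Rp9$wX4", True), # hardened HMI
    Asset("plc-03", "PLC", "none", False, "1234", False),               # isolated, but default password
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_ASSETS):
        print(f"[{f.severity.upper()}] {f.asset}: {f.issue} -> {f.fix}")
```

The sort key is deliberately coarse: the point of the ranking is to put the assets that match the attack pattern described in the alert (exposed VNC plus default credentials) at the top of the remediation queue, ahead of isolated controllers that only fail the password check.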