Russian GRU Hackers Compromised German, Czech Targets
APT28 Used Microsoft Outlook Zero-Day, Governments Said
The German and Czech governments on Friday disclosed that Russian military intelligence hackers targeted political parties and critical infrastructure as part of an espionage campaign that began last year.
In a rare public disclosure on Friday, the Federal Ministry of the Interior and Community attributed a cyber campaign that targeted the members of the German Social Democratic Party to a hacking unit of the Russian General Staff Main Intelligence Directorate, better known as the GRU. The threat actor is tracked under the monikers APT28, Fancy Bear, Strontium, and Forest Blizzard.
The German ministry, known by its German acronym BMI, said the Russian hackers exploited a zero-day vulnerability in Microsoft Outlook that it did not identify. Besides politicians, the group targeted the IT networks of government offices, especially in the energy supply sector, and of private companies in logistics, armaments, aerospace and IT services in the country, the ministry said.
"The federal government considers the cyberattack on the government party SPD as a serious encroachment on democratic structures," the ministry said. "The attacks are a focal point of the attacks concerning Russia's war of aggression in violation of international law."
On Friday, the Czech government acknowledged that the same group had used the Outlook zero-day in attacks on Czech critical infrastructure and other organizations beginning in 2023.
Following the recent disclosure, the German Foreign Ministry summoned a top Russian envoy. On Friday, the European Union and NATO condemned the attacks on the European countries and urged Moscow to abide by international obligations. The U.S. Department of State said Thursday in a statement that it "strongly condemns" the hacks.
"The malicious cyber campaign shows Russia's continuous pattern of irresponsible behavior in cyberspace. The EU will not tolerate such malicious behavior," the EU said in a statement.
NATO said the APT28 activities included sabotage, cyber and electronic interference, and campaigns that recently affected Estonia, Lithuania, Poland, Slovakia and Sweden (see: Moscow Military Hackers Used Microsoft Outlook Vulnerability).
Neither the German nor the Czech government disclosed details of the Outlook vulnerability the group exploited. U.S. intelligence agencies said in February that APT28 had likely attacked other central European governments by exploiting a flaw Microsoft patched in March 2023. That vulnerability, tracked as CVE-2023-23397, let an attacker coerce a victim's Windows machine into sending its NTLM credential hash (a Net-NTLMv2 challenge response) to a server the attacker controls. The attacker mails a backdated Outlook appointment or task whose reminder-sound property points at a UNC path on that server; because the reminder is already overdue, Outlook fires it as soon as the message is processed, tries to fetch the sound file over SMB, and authenticates to the attacker's host without any user interaction. The captured hash can then be relayed or cracked offline.
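The mechanism above suggests a straightforward mailbox-hunting check: a legitimate reminder sound is a file on a local drive, so any appointment whose reminder-sound property points anywhere else is worth a look. The Python below is an added example written for this article, not code from the governments, Microsoft or any researcher cited here. It classifies the MAPI named property PidLidReminderFileParameter (property set PSETID_Appointment, LID 0x851F) and also reports PidLidReminderOverride (LID 0x851C), which an attacker must set so that the custom sound is honoured. The messages it scans are constructed in-line; pulling the same properties out of real .msg files or an Exchange mailbox requires a MAPI or MSG parser, which is an assumption left to the reader.

```python
import re

# MAPI named-property identifiers relevant to CVE-2023-23397.
PSETID_APPOINTMENT = "{00062002-0000-0000-C000-000000000046}"
LID_REMINDER_FILE_PARAMETER = 0x851F  # PidLidReminderFileParameter: path of the reminder sound
LID_REMINDER_OVERRIDE = 0x851C        # PidLidReminderOverride: True = use the custom sound

# A benign reminder sound lives on a local drive, e.g. C:\Windows\Media\Alarm01.wav.
_LOCAL_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")
# UNC forms Outlook would resolve over the network: \\host\share, \\?\UNC\host\share, //host/share
_UNC = re.compile(r"^(?:\\\\\?\\UNC\\|\\\\|//)([^\\/]+)[\\/]")
# URL forms (e.g. http://host/..., which Windows may hand to the WebDAV client).
_URL = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/]+)/")


def reminder_path_target(path):
    """Return the host Outlook would contact for this reminder path, or None if it is not a network path."""
    m = _UNC.match(path)
    if m:
        return m.group(1)
    m = _URL.match(path)
    if m:
        return m.group(1)
    return None


def classify_appointment(props):
    """Classify one appointment's named properties.

    `props` maps (property_set_guid, lid) -> value, mirroring how a MAPI parser
    would expose named properties (constructed shape for this example).
    Anything that is not empty and not a local drive path is flagged: the allow-list
    is deliberate, so that loopback or device-path tricks do not slip past a host check.
    """
    path = props.get((PSETID_APPOINTMENT, LID_REMINDER_FILE_PARAMETER))
    override = bool(props.get((PSETID_APPOINTMENT, LID_REMINDER_OVERRIDE), False))
    if not path:
        return {"suspicious": False, "reason": "no custom reminder sound", "host": None, "override": override}
    if _LOCAL_DRIVE.match(path):
        return {"suspicious": False, "reason": "local drive path", "host": None, "override": override}
    host = reminder_path_target(path)
    if host is not None:
        reason = "reminder sound on a network host; Outlook would authenticate outbound"
    else:
        reason = "reminder sound path is not a local drive path"
    return {"suspicious": True, "reason": reason, "host": host, "override": override}


def hunt(messages):
    """Return (subject, host, override) for every message whose reminder path is suspicious."""
    hits = []
    for msg in messages:
        verdict = classify_appointment(msg["properties"])
        if verdict["suspicious"]:
            hits.append((msg["subject"], verdict["host"], verdict["override"]))
    return hits


# Constructed sample mailbox; 203.0.113.0/24 is the documentation range, not a real attacker host.
SAMPLE_MESSAGES = [
    {"subject": "Team sync",
     "properties": {(PSETID_APPOINTMENT, LID_REMINDER_FILE_PARAMETER): r"C:\Windows\Media\Alarm01.wav",
                    (PSETID_APPOINTMENT, LID_REMINDER_OVERRIDE): True}},
    {"subject": "Lunch", "properties": {}},
    {"subject": "Q1 budget review",
     "properties": {(PSETID_APPOINTMENT, LID_REMINDER_FILE_PARAMETER): r"\\203.0.113.25\share\note.wav",
                    (PSETID_APPOINTMENT, LID_REMINDER_OVERRIDE): True}},
    {"subject": "Board call",
     "properties": {(PSETID_APPOINTMENT, LID_REMINDER_FILE_PARAMETER): r"\\203.0.113.25@80\dav\r.wav",
                    (PSETID_APPOINTMENT, LID_REMINDER_OVERRIDE): True}},
    {"subject": "Site visit",
     "properties": {(PSETID_APPOINTMENT, LID_REMINDER_FILE_PARAMETER): r"\\localhost\UNC\203.0.113.25\s\a.wav",
                    (PSETID_APPOINTMENT, LID_REMINDER_OVERRIDE): True}},
]

if __name__ == "__main__":
    for subject, host, override in hunt(SAMPLE_MESSAGES):
        print(f"SUSPICIOUS: {subject!r} -> host={host} override={override}")
```

The last sample shows why the check allow-lists local drive paths instead of testing the host name: a path of the form `\\localhost\UNC\<remote>\...` reports `localhost` as its host but still resolves to a remote share. Complement the mailbox sweep with network telemetry: outbound TCP 445 and WebDAV traffic from workstations to the internet should be blocked at the perimeter and any attempt logged, since that connection is what carries the hash off the box.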
John Hultquist, chief analyst at Google Mandiant, said the latest activities of the group indicate it is "not limited to any one party or country."
"This is a reminder that Western politicians with geopolitical insight are a prime target for espionage. With several upcoming elections, politicians and parties everywhere should be on alert," Hultquist said.
Microsoft did not immediately respond to a request for comment.