Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Russian APT Used Zero-Click Outlook Exploit

Russian threat actor APT28 has been exploiting a no-interaction Outlook vulnerability in attacks against 14 countries.

A Russian state-sponsored threat actor tracked as APT28 has been exploiting a zero-click Outlook vulnerability in attacks against dozens of organizations in NATO countries, cybersecurity firm Palo Alto Networks reports.

Tracked as CVE-2023-23397, the vulnerability was patched in March 2023, when Microsoft warned that it had already been exploited in the wild. A bypass for the patch, tracked as CVE-2023-29324, was fixed in May.

Rated ‘critical severity’, CVE-2023-23397 can be triggered via crafted email messages, with exploitation occurring before the email is viewed in the Preview Pane.

In March, Microsoft said that a Russian advanced persistent threat (APT) actor had been exploiting the flaw since April 2022, without attributing the attacks to a specific hacking group.

In a new report, Palo Alto Networks reveals that APT28, which has been linked to Russia’s General Staff Main Intelligence Directorate (GRU) military intelligence service, has been exploiting CVE-2023-23397 “over the past 20 months to target at least 30 organizations within 14 nations”.

APT28, the cybersecurity firm says, exploited the vulnerability in at least three malicious campaigns, one running between March and December 2022, another in March 2023, and the third in September-October 2023.

The first known instance of an exploit targeting CVE-2023-23397 was emailed on March 18, 2022, three weeks after Russia’s invasion of Ukraine, targeting the State Migration Service of the country.

“Of the 14 nations targeted throughout all three campaigns, all are organizations within NATO member countries, except for entities in Ukraine, Jordan, and the United Arab Emirates,” Palo Alto Networks says.

Advertisement. Scroll to continue reading.

The attacks targeted energy and transportation organizations, as well as ministries of defense, internal affairs, foreign affairs, and economy. All victims are “of apparent intelligence value to the Russian military”.

The cybersecurity firm notes that, as part of the second and third campaigns, APT28 continued to use its exploit without changing tactics, which would indicate that “the access and intelligence generated by these operations outweighed the ramifications of public outing and discovery” and the targets were of “a higher than normal priority for Russian intelligence”.

“[APT28] continued to use this vulnerability as part of its targeting strategy even after Ukrainian cybersecurity researchers discovered the exploit and Microsoft publicly attributed its use to ‘a Russia-based threat actor’ on March 14, 2023, when issuing a patch for the vulnerability,” Palo Alto Networks says.

The cybersecurity firm’s report comes only days after Microsoft updated its March advisory on the observed attacks to attribute the exploitation of CVE-2023-23397 to APT28.

Also tracked as Fancy Bear, Pawn Storm, Sofacy, Sednit, Cyber Caliphate, Cyber Berkut, BlackEnergy, Voodoo Bear, Strontium, Tsar Team, Sandworm, Fighting Ursa, and Forest Blizzard, APT28 has been blamed for cyberattacks against European countries, for hacking the 2016 US elections, and for numerous other cyberattacks.

Related: Russian Hackers Used OT Attack to Disrupt Power in Ukraine Amid Mass Missile Strikes

Related: US, UK Sanction More Members of Trickbot Russian Cybercrime Group

Related: US Disrupts Russia’s Sophisticated ‘Snake’ Cyberespionage Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Bill Dunnion has joined telecommunications giant Mitel as Chief Information Security Officer.

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.