A Russian state-sponsored threat actor tracked as APT28 has been exploiting a zero-click Outlook vulnerability in attacks against dozens of organizations in NATO countries, cybersecurity firm Palo Alto Networks reports.
Tracked as CVE-2023-23397, the vulnerability was patched in March 2023, when Microsoft warned that it had already been exploited in the wild. A bypass for the patch, tracked as CVE-2023-29324, was fixed in May.
Rated ‘critical severity’, CVE-2023-23397 can be triggered via crafted email messages, with exploitation occurring before the email is viewed in the Preview Pane.
In March, Microsoft said that a Russian advanced persistent threat (APT) actor had been exploiting the flaw since April 2022, without attributing the attacks to a specific hacking group.
In a new report, Palo Alto Networks reveals that APT28, which has been linked to Russia’s General Staff Main Intelligence Directorate (GRU) military intelligence service, has been exploiting CVE-2023-23397 “over the past 20 months to target at least 30 organizations within 14 nations”.
APT28, the cybersecurity firm says, exploited the vulnerability in at least three malicious campaigns, one running between March and December 2022, another in March 2023, and the third in September-October 2023.
The first known instance of an exploit targeting CVE-2023-23397 was emailed on March 18, 2022, three weeks after Russia’s invasion of Ukraine, targeting the State Migration Service of the country.
“Of the 14 nations targeted throughout all three campaigns, all are organizations within NATO member countries, except for entities in Ukraine, Jordan, and the United Arab Emirates,” Palo Alto Networks says.
The attacks targeted energy and transportation organizations, as well as ministries of defense, internal affairs, foreign affairs, and economy. All victims are “of apparent intelligence value to the Russian military”.
The cybersecurity firm notes that, as part of the second and third campaigns, APT28 continued to use its exploit without changing tactics, which would indicate that “the access and intelligence generated by these operations outweighed the ramifications of public outing and discovery” and the targets were of “a higher than normal priority for Russian intelligence”.
“[APT28] continued to use this vulnerability as part of its targeting strategy even after Ukrainian cybersecurity researchers discovered the exploit and Microsoft publicly attributed its use to ‘a Russia-based threat actor’ on March 14, 2023, when issuing a patch for the vulnerability,” Palo Alto Networks says.
The cybersecurity firm’s report comes only days after Microsoft updated its March advisory on the observed attacks to attribute the exploitation of CVE-2023-23397 to APT28.
Also tracked as Fancy Bear, Pawn Storm, Sofacy, Sednit, Cyber Caliphate, Cyber Berkut, BlackEnergy, Voodoo Bear, Strontium, Tsar Team, Sandworm, Fighting Ursa, and Forest Blizzard, APT28 has been blamed for cyberattacks against European countries, for hacking the 2016 US elections, and for numerous other cyberattacks.