APT28’s Exploitation Tactics in 2023 – Unveiling the Russian Cyber Warfare Group and their “Zero-Click” Microsoft Outlook Exploit

InsideOperator#001 – APT28, dubbed “Fancy Bear”, is a highly technical threat actor linked to Russian military intelligence whose fundamental operational goals are focused on swaying geopolitical events and furthering Russia’s political aims. Join us as we peel back the layers of this APT’s inner workings and its relevant tactics, techniques and procedures, including the operational tactics surrounding CVE-2023-23397, a zero-click vulnerability in Microsoft Outlook clients that was identified being exploited in the wild in Q1 2023.

Who is APT28?:

APT28, also known as Fancy Bear, is a notable threat actor group with origins traced back to Russia. Believed to be state-sponsored and associated with the Russian military intelligence agency, GRU, APT28 has been active since at least 2004. Their targets primarily include government entities, military organizations, defense contractors, think tanks, and diplomatic entities. However, they have also been known to target various sectors like energy, telecommunications, aerospace, and media.

APT28 employs sophisticated attack techniques, showcasing their expertise and persistence. Their tactics include spear-phishing campaigns, watering hole attacks, exploiting software vulnerabilities, and deploying custom-made malware. These methods enable them to infiltrate networks, gain unauthorized access, and exfiltrate sensitive information.

The group has conducted notable cyber espionage campaigns with high-profile operations. These include attacks on the Democratic National Committee during the 2016 U.S. Presidential election, targeting European governments and organizations, and involvement in the Olympic Destroyer malware incident during the 2018 Winter Olympics.

APT28’s objectives revolve around intelligence gathering, political influence, and advancing Russian strategic interests. They seek to collect valuable information, disrupt or influence political processes, and gain advantages in geopolitical affairs.

Origin and Affiliation:

It is widely believed that APT28 is a state-sponsored cyber espionage group and has been specifically associated with the Russian military intelligence agency known as GRU (Main Intelligence Agency). While APT28 has been active since at least 2004, its activities gained significant attention in the cybersecurity community and media in recent years.

The attribution of APT28 (Fancy Bear) to the GRU (Russian military intelligence agency) is supported by multiple sources and collaborative efforts. The U.S. government, through a Joint Analysis Report (JAR) released by the Department of Homeland Security (DHS) and the FBI, linked APT28’s cyber activities, along with APT29 (Cozy Bear), to the Russian intelligence services, including the GRU.

Russia’s Government Structure

Prominent cybersecurity firms such as CrowdStrike, FireEye, and Mandiant have conducted extensive research on APT28, attributing its activities to the GRU. Their findings are based on indicators of compromise (IOCs), malware analysis, and observed patterns of behavior that align with the tactics, techniques, and procedures (TTPs) typically associated with the GRU.

Collaborative intelligence efforts among various countries, including the United States, United Kingdom, and European Union members, have resulted in public attributions of APT28’s activities to the GRU. These attributions are grounded in shared intelligence and collaborative analysis, bolstering the consensus surrounding APT28’s affiliation with the Russian military intelligence agency.

APT28’s Targets and POI’s:

Fancy Bear primarily targets government entities, military organizations, defense contractors, think tanks, and diplomatic entities. Their operations have also extended to various sectors, including energy, telecommunications, aerospace, and media. Their objectives revolve around intelligence gathering, political influence, and advancing Russian strategic interests.

APT28’s focus on government entities and military organizations suggests an interest in accessing classified information, geopolitical intelligence, and military technology. Their targeting of defense contractors indicates a desire to obtain sensitive defense-related data and intellectual property.

Think tanks and policy institutions are also attractive targets for APT28 as they provide valuable insights into international relations, geopolitical affairs, and policy-making processes. Such information can be leveraged for strategic advantage and influence.

Some of APT28’s notable targets include:

  1. Democratic National Committee (DNC): APT28 gained significant attention for its intrusion into the DNC’s network during the 2016 U.S. Presidential election, resulting in the theft and release of sensitive information.
  2. Various European Governments and Political Entities: APT28 has targeted multiple European governments, political organizations, and election campaigns. For instance, it has been linked to cyberattacks against organizations in Ukraine, France, Germany, and Montenegro.
  3. Defense Contractors: APT28 has shown interest in defense contractors and military-related organizations. It has been reported to target companies involved in the defense industry to gain access to sensitive military technology and information.
  4. Aerospace and Aviation Industry: APT28 has been associated with cyber espionage campaigns targeting the aerospace and aviation sectors, focusing on organizations involved in research, development, and manufacturing.
  5. Think Tanks and Policy Institutions: APT28 has shown a pattern of targeting think tanks, policy institutions, and organizations involved in international relations and geopolitical research. These entities often possess valuable insights and analysis relevant to APT28’s objectives.

Fancy Bear Tactics, Techniques, and Procedures (TTPs):

APT28 combines a wide range of tactics and techniques with a large inventory of exploits, and their expertise turns that combination into a formidable offensive capability. While their tradecraft has adapted to changing infrastructure, some of their recurring techniques have become notorious:

  • Spear Phishing: APT28 employs spear phishing campaigns to target specific individuals or organizations. These campaigns involve highly tailored and deceptive emails that appear legitimate, often luring recipients into clicking malicious links or opening infected attachments. APT28’s phishing emails are crafted to exploit human curiosity, urgency, or trust.
  • Watering Hole Attacks: APT28 has utilized watering hole attacks, which involve compromising legitimate websites visited by the intended targets. By injecting malicious code into these websites, the attackers exploit vulnerabilities in visitors’ browsers or plugins, leading to the delivery of malware or the redirection to malicious sites.
  • Zero-Day Exploits: APT28 has been associated with the exploitation of zero-day vulnerabilities. Zero-day exploits target software vulnerabilities that are unknown to the software vendor and therefore do not have available patches or defenses.
  • Custom Malware: APT28 develops and deploys custom malware specifically tailored to their campaigns. This includes various families of malware, such as Seduploader, X-Agent, and Gamefish, which have been associated with APT28’s operations. These custom malware variants enable APT28 to gain persistent access, conduct reconnaissance, and exfiltrate data.
  • Remote Access Trojans (RATs): APT28 utilizes remote access trojans to establish and maintain control over compromised systems. These trojans provide the attackers with remote access capabilities, allowing them to execute commands, steal data, or move laterally within a network.
  • Credential Theft: APT28 employs various techniques to steal credentials, including keylogging, credential harvesting, and credential brute-forcing. By obtaining valid credentials, they can gain unauthorized access to targeted systems, escalate privileges, and move deeper into the network.
  • Exploitation of Software Vulnerabilities: APT28 actively exploits vulnerabilities in commonly used software applications. By leveraging known vulnerabilities in software or operating systems, they gain initial access to target networks or systems.
  • Domain Masquerading and Spoofing: APT28 utilizes domain masquerading and spoofing techniques to create malicious domains or URLs that closely resemble legitimate entities or organizations. This tactic aims to deceive users into interacting with malicious content, such as visiting a spoofed login page or downloading malware.
  • Covert Communication Channels: APT28 employs various techniques to establish covert communication channels with their command and control (C2) infrastructure. This includes using encrypted protocols, domain generation algorithms (DGAs), or hiding communications within legitimate network traffic.

Let’s dive into the trail of crumbs a little deeper, starting with some of the more recent threat campaigns:

APT28/29 Targets the DNC via Spearphishing:

Both APT28 and APT29 have been observed crafting targeted spearphishing campaigns that use web links to a malicious dropper; once executed, the code delivers Remote Access Tools (RATs) and evades detection using a range of techniques. APT28 is known for using domains that closely mimic those of targeted organizations and tricking potential victims into entering legitimate credentials, and its actors relied heavily on shortened URLs in their spearphishing email campaigns. Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information for its intelligence value, then use it to craft even more highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets.

In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, including domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure or opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated Active Directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.

In spring 2016, APT28 compromised the same political party, again via targeted spearphishing. This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members. The U.S. Government assesses that information was leaked to the press and publicly disclosed.

Fancy Bear Targets Cisco Routers via CVE-2017-6742:

APT28 has more recently targeted poorly secured Cisco routers to further their political objectives, since Cisco equipment is widely deployed in both government and private commercial networks.

In 2021, APT28 employed a strategy that involved leveraging Simple Network Management Protocol (SNMP) access on Cisco routers worldwide. This operation impacted a small number of routers based in Europe, U.S. government institutions, and approximately 250 victims in Ukraine.

SNMP is a protocol designed for remote network monitoring and configuration. However, it can be misused to gain access to sensitive network information and potentially exploit vulnerable devices to breach a network.

APT28 took advantage of weak SNMP community strings, including the commonly used default “public,” to gain access to router information. By sending additional SNMP commands, they were able to enumerate router interfaces, revealing further details about the compromised routers.

The routers targeted by APT28 were configured to accept SNMP version 2c requests, which lack encryption. Consequently, all data, including community strings, was transmitted in cleartext.

To carry out this operation, APT28 exploited the CVE-2017-6742 vulnerability (Cisco Bug ID: CSCve54313) [T1190]. Cisco had released a patch for this vulnerability on June 29, 2017, along with advisory guidance that recommended limiting SNMP access to trusted hosts or disabling specific SNMP Management Information Bases (MIBs) as workarounds.

This approach demonstrates how APT28 strategically used SNMP access and exploited a known vulnerability to gain unauthorized access to routers, emphasizing the importance of implementing proper security measures and promptly applying patches to mitigate potential risks.
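The weak settings described above (default community strings, SNMPv2c, no host restriction) are easy to audit from a saved running-config. The following is an added example, not code from the original post or from Cisco: it checks a Cisco-IOS-style config for those settings and shows a hardened equivalent (trusted-host ACL, SNMPv3 authPriv, an explicit MIB view) that passes clean. The sample configs are constructed, and `<authpass>`/`<privpass>` are placeholders.

```python
import re

# Constructed sample configs (not from any real device): the weak settings the
# post describes beside a hardened equivalent. Credentials are placeholders.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community s3cret RW
snmp-server host 203.0.113.5 version 2c public
"""

HARDENED_CONFIG = """\
access-list 10 permit 192.0.2.10
access-list 10 deny any log
snmp-server view MGMTVIEW iso included
snmp-server group NETMON v3 priv read MGMTVIEW access 10
snmp-server user monitor NETMON v3 auth sha <authpass> priv aes 128 <privpass>
"""

# Well-known default/guessable community strings (illustrative list).
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager"}

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view (\S+))?(?: (RO|RW))?(?: (\S+))?$", re.I)
# snmp-server host <addr> version 1|2c <community> ...  (cleartext notifications)
HOST_RE = re.compile(r"^snmp-server host \S+ version (1|2c) ", re.I)


def audit_snmp(config: str) -> list[str]:
    """Return one finding per weak SNMP setting in a Cisco-IOS-style config."""
    findings = []
    for n, line in enumerate(config.splitlines(), start=1):
        line = line.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, view, mode, acl = m.groups()
            # Any v1/v2c community at all means the credential crosses the wire in cleartext.
            findings.append(f"line {n}: SNMPv1/v2c community in use (cleartext); migrate to v3 authPriv")
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"line {n}: default community string '{community}'")
            if (mode or "RO").upper() == "RW":
                findings.append(f"line {n}: read-write community '{community}' allows configuration changes")
            if acl is None:
                findings.append(f"line {n}: community '{community}' not restricted to trusted hosts (no ACL)")
            if view is None:
                findings.append(f"line {n}: community '{community}' exposes every MIB (no view applied)")
            continue
        if HOST_RE.match(line):
            findings.append(f"line {n}: trap/inform host configured with a cleartext SNMP version")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_snmp(cfg))} finding(s)")
        for f in audit_snmp(cfg):
            print("  ", f)
```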

APT28 Uses Fake “Windows Update” to Target Ukrainian Government

Some of the more recent threat campaigns involve targeting Ukrainian government officials. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning regarding cyber attacks targeting various government bodies in the country, attributing the phishing campaign to APT28.

The phishing emails, using the subject line “Windows Update,” claim to provide security updates and contain instructions in the Ukrainian language. Recipients are urged to run a PowerShell command under the guise of the updates. Upon execution, the script loads and runs a subsequent PowerShell script that collects basic system information using commands like tasklist and systeminfo. The extracted data is then exfiltrated via an HTTP request to a Mocky API.

To enhance the chances of success, the emails impersonate system administrators from the targeted government entities, utilizing fake Microsoft Outlook email accounts created with the actual names and initials of employees.

CERT-UA has recommended that organizations restrict users’ ability to run PowerShell scripts and monitor network connections to the Mocky API as preventive measures.
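The chain described above has a distinctive shape in endpoint telemetry: PowerShell spawning tasklist and systeminfo, then PowerShell itself opening a connection to the Mocky API. The following correlation rule is an added example, not CERT-UA’s or the post’s own code; it assumes Sysmon-like process-creation (type 1) and network-connection (type 3) events, and assumes `run.mocky.io` as the Mocky API host (the post names only “Mocky API”). The events are constructed.

```python
from collections import defaultdict

# Assumed exfiltration host (the post names only "Mocky API").
MOCKY_DOMAIN = "mocky.io"
RECON_TOOLS = {"tasklist.exe", "systeminfo.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon-like events, not real telemetry. ws01 shows the full chain,
# ws02 shows benign look-alikes, ws03 shows recon without the exfil step.
EVENTS = [
    {"type": 1, "host": "ws01", "image": PS, "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": 1, "host": "ws01", "image": r"C:\Windows\System32\tasklist.exe", "parent": PS},
    {"type": 1, "host": "ws01", "image": r"C:\Windows\System32\systeminfo.exe", "parent": PS},
    {"type": 3, "host": "ws01", "image": PS, "dest": "run.mocky.io", "port": 443},
    {"type": 1, "host": "ws02", "image": r"C:\Windows\System32\systeminfo.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": 3, "host": "ws02", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest": "run.mocky.io", "port": 443},
    {"type": 1, "host": "ws03", "image": r"C:\Windows\System32\tasklist.exe", "parent": PS},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_mocky(dest: str) -> bool:
    d = dest.lower()
    return d == MOCKY_DOMAIN or d.endswith("." + MOCKY_DOMAIN)


def correlate(events: list[dict]) -> dict[str, str]:
    """Map host -> 'high' (PowerShell recon AND PowerShell->Mocky) or 'medium' (either alone)."""
    recon = defaultdict(set)   # host -> recon tools spawned by PowerShell
    exfil = defaultdict(set)   # host -> Mocky destinations contacted by PowerShell
    for e in events:
        if e["type"] == 1 and basename(e["parent"]) == "powershell.exe" \
                and basename(e["image"]) in RECON_TOOLS:
            recon[e["host"]].add(basename(e["image"]))
        elif e["type"] == 3 and basename(e["image"]) == "powershell.exe" and is_mocky(e["dest"]):
            exfil[e["host"]].add(e["dest"])
    alerts = {}
    for host in set(recon) | set(exfil):
        alerts[host] = "high" if recon[host] and exfil[host] else "medium"
    return alerts


if __name__ == "__main__":
    for host, level in sorted(correlate(EVENTS).items()):
        print(f"{host}: {level}")
```

Restricting PowerShell execution, as CERT-UA advises, removes the first stage entirely; this rule covers hosts where that control is not yet in place.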

This disclosure follows recent reports linking APT28 to attacks exploiting previously patched security vulnerabilities in networking equipment. These attacks were conducted to carry out reconnaissance and deploy malware against specific targets.

In a related development, Google’s Threat Analysis Group (TAG) published an advisory last month detailing a credential harvesting operation orchestrated by APT28. This operation redirected visitors of Ukrainian government websites to phishing domains, highlighting the threat actor’s continued activities in the region.

APT28 Uses “Zero-Click” Vulnerability in 2023

CVE-2023-23397 is a critical vulnerability that impacts Microsoft Outlook. Unlike many other exploits, it is particularly dangerous because no user interaction is required to trigger it: once a specially crafted email arrives in a Microsoft Outlook inbox, sensitive credential hashes can be obtained.

According to an advisory released this month, external attackers can exploit this flaw by sending specially crafted emails, triggering a connection from the victim’s system to an untrusted location controlled by the attackers. This action exposes the victim’s Net-NTLMv2 hash to the untrusted network, which the attacker can then relay to another service and authenticate as the victim.

While Microsoft resolved the vulnerability as part of its March 2023 Patch Tuesday updates, threat actors based in Russia had already weaponized the flaw, targeting government, transportation, energy, and military sectors in Europe.

Microsoft’s incident response team discovered evidence of potential exploitation of this vulnerability as early as April 2022. In one attack chain outlined by the company, a successful Net-NTLMv2 Relay attack granted unauthorized access to an Exchange Server, allowing the threat actor to modify mailbox folder permissions for persistent access. The compromised email account was then utilized to expand the attacker’s reach within the compromised environment, sending malicious messages to target other members of the same organization.

Microsoft noted that although leveraging NTLMv2 hashes for unauthorized access is not a new technique, the exploitation of CVE-2023-23397 is innovative and covert. Organizations are advised to review SMBClient event logging, Process Creation events, and other available network telemetry to identify potential exploitation of this vulnerability.
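The trigger described above lives in a small set of MAPI named properties on a reminder-bearing item: `PidLidReminderSet` and `PidLidReminderOverride` enable a custom reminder sound, and `PidLidReminderFileParameter` supplies its path; when that path points at a remote host, the client authenticates to it when the reminder fires. The following is an added example, not Microsoft’s or the post’s own code: it classifies a reminder path (drive-letter local path versus SMB or WebDAV UNC, including the `\\?\UNC\` and `\\host@port\` spellings) and flags the property combination a mailbox scan should alert on. The property IDs are the documented PSETID_Common LIDs; the sample values are constructed.

```python
import re
from typing import Optional

# MAPI named properties (PSETID_Common) involved in the CVE-2023-23397 trigger.
PID_LID_REMINDER_SET = 0x8503             # PidLidReminderSet (PtypBoolean)
PID_LID_REMINDER_OVERRIDE = 0x851C        # PidLidReminderOverride (PtypBoolean)
PID_LID_REMINDER_FILE_PARAMETER = 0x851F  # PidLidReminderFileParameter (PtypString)

# Remote path spellings that all resolve to "authenticate to <host>":
#   \\host\share\..., //host/share/..., \\?\UNC\host\..., \\.\UNC\host\...,
#   and the WebDAV forms \\host@80\... and \\host@SSL@443\...
UNC_RE = re.compile(
    r"^[\\/]{2}(?:[?.][\\/]UNC[\\/])?(?P<host>[^\\/@]+)(?:@(?P<port>SSL@\d+|\d+))?[\\/]",
    re.I)


def classify_reminder_path(path: str) -> tuple[str, Optional[str]]:
    """Return (kind, host): kind is 'local', 'smb' or 'webdav'; host is None for local."""
    m = UNC_RE.match(path.strip())
    if not m:
        return ("local", None)  # drive-letter or relative path: no network authentication
    return ("webdav" if m.group("port") else "smb", m.group("host"))


def is_cve_2023_23397_candidate(props: dict) -> bool:
    """True when an item carries the property combination that makes Outlook
    authenticate to a remote host when its reminder fires (the pattern to alert on)."""
    if not props.get(PID_LID_REMINDER_SET) or not props.get(PID_LID_REMINDER_OVERRIDE):
        return False  # no custom reminder sound: the file parameter is never used
    path = props.get(PID_LID_REMINDER_FILE_PARAMETER)
    if not isinstance(path, str) or not path:
        return False
    kind, _host = classify_reminder_path(path)
    return kind != "local"


if __name__ == "__main__":
    # Constructed item: a reminder whose sound path points at an external host.
    sample = {
        PID_LID_REMINDER_SET: True,
        PID_LID_REMINDER_OVERRIDE: True,
        PID_LID_REMINDER_FILE_PARAMETER: r"\\untrusted.example@80\dav\chime.wav",
    }
    print(classify_reminder_path(sample[PID_LID_REMINDER_FILE_PARAMETER]))
    print("alert:", is_cve_2023_23397_candidate(sample))
```

Pairing this mailbox-side check with the SMBClient and process-creation telemetry Microsoft recommends gives both the artifact (the message) and the effect (the outbound authentication attempt).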

Lab[7] Defensive Threat Research has created a quick PoC to demonstrate this vulnerability’s capability:

Threat Summary:

Our investigation into APT28, also known as Fancy Bear, has provided valuable insights into the tactics, targets, and techniques employed by this state-sponsored cyber espionage group. APT28 has been active since at least 2004 and maintains affiliation with the Russian military intelligence agency GRU.

It has become evident that APT28 focuses primarily on government entities, military organizations, defense contractors, and think tanks, extending their campaigns to various sectors, including energy, telecommunications, aerospace, and media. The group’s objectives center around intelligence gathering, political influence, and the advancement of Russian strategic interests.

APT28 demonstrates a high level of sophistication in their operations, utilizing tactics such as spear phishing, watering hole attacks, software vulnerability exploitation, and the deployment of custom-made malware. Notably, they employ domains that closely resemble those of their target organizations, skillfully deceiving victims into sharing legitimate credentials. Remote access trojans, covert communication channels, and data exfiltration tactics are also part of their arsenal.

The attribution of APT28’s activities to the GRU is substantiated by research conducted by cybersecurity firms, government agencies, and collaborative intelligence efforts. The Joint Analysis Report “GRIZZLY STEPPE” has played a significant role in establishing this connection.

Recent developments have shed light on APT28’s specific targeting of Ukrainian government entities using deceptive “Windows Update” emails, as well as their exploitation of security vulnerabilities in networking equipment. Google’s Threat Analysis Group has additionally uncovered APT28’s operations involving the harvesting of credentials.

In conclusion, our examination of APT28 underscores the critical importance of implementing robust cybersecurity measures to safeguard against this persistent threat. Understanding their tactics and target sectors is vital for developing effective defenses and maintaining vigilance in the face of evolving cyber threats. By staying well-informed and proactive, organizations can bolster their resilience and protect their critical assets from the activities of APT28 and similar threat actors.

Sources:

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108

https://thehackernews.com/2023/05/apt28-targets-ukrainian-government.html

https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
