Russian hackers launch attacks on NATO Rapid Reaction Forces

Russian hackers exploit Outlook Zero-Day to target NATO Rapid Reaction Forces

International efforts intensify as Russian state-sponsored hacking groups persist

In a disturbing turn of events, Russian military hackers have launched a series of cyber attacks on NATO's Rapid Reaction Forces,[1] posing a significant threat to the alliance's ability to respond swiftly to crises. Over the past 20 months, the attackers – known as APT28 or Fighting Ursa – have been steadily targeting European NATO member countries and important organizations by taking advantage of a Microsoft Outlook zero-day vulnerability.

Over roughly the same period, Palo Alto Networks' Unit 42[2] researchers have tracked three large-scale campaigns coordinated by APT28. The attacks targeted at least 30 organizations in 14 countries, all of likely strategic intelligence value to the Russian military and government. Notably, the operations began in March 2022, only three weeks after Russia invaded Ukraine.

Between mid-April and December 2022, APT28 successfully compromised European government, military, energy and transportation networks. Their main goal was to steal emails that could contain military intelligence in support of Russia's invasion of Ukraine.

Relentless pursuit of strategic information

Microsoft patched the zero-day, CVE-2023-23397, in March 2023, but APT28 kept exploiting it to harvest credentials. A received message carrying a UNC path in its reminder property makes Outlook authenticate to the attacker's server without any user interaction, leaking the user's Net-NTLMv2 response, which can be relayed or cracked offline; the stolen credentials then allowed the attackers to move laterally through compromised networks. In May, the attackers widened the campaign by exploiting a bypass of the original fix (CVE-2023-29324) that affected all versions of Outlook on Windows.
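The triage script below is an added example for this article, not code from Unit 42, Microsoft or the author. It assumes you have already exported the PidLidReminderFileParameter property (the reminder-sound path, PSETID_Common id 0x851F) from suspect mail, appointment and task items, for instance with Microsoft's CVE-2023-23397 PowerShell script, into (item id, value) pairs. On a received item that property should only ever name a local sound file; any UNC path makes Outlook connect out and hand the remote host the user's Net-NTLMv2 response, which is the credential theft described above. The allowlisted server, the sample item ids and the hosts in `SAMPLE_ITEMS` are constructed for the example.

```python
"""Triage exported Outlook reminder-sound paths for CVE-2023-23397 abuse.

Added example; not Unit 42's or Microsoft's code. Assumes the
PidLidReminderFileParameter values have already been exported from
suspect items as (item_id, value) pairs.
"""
import ipaddress
import re

# Hypothetical allowlist of internal file servers that legitimately host
# custom reminder sounds. Replace with your own and keep it short.
TRUSTED_HOSTS = {"fileserver01.corp.example"}

# \\host\share\file, \\host@SSL@443\dav\file, \\host@80\dav\file
# (plain SMB plus the WebDAV forms the Windows redirector also understands)
_UNC_RE = re.compile(
    r"^\\\\(?P<host>[^\\@]+)(?:@SSL)?(?:@\d+)?(?:\\|$)", re.IGNORECASE
)
_LOCAL_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def remote_host(value: str):
    """Return the lowercase host a UNC-style path points at, else None."""
    m = _UNC_RE.match(value.strip())
    return m.group("host").lower() if m else None


def classify(value: str) -> str:
    """Verdict for one reminder path value.

    local            drive path or bare filename, expected on benign items
    remote-trusted   UNC to an allowlisted server
    remote-internal  UNC to a private/loopback address: still suspect, since a
                     compromised internal host can capture hashes too
    remote-external  UNC to anything else: escalate, this is the exploit shape
    review           \\.\ or \\?\ local namespace prefixes or unparsed shapes
    empty            property absent or blank
    """
    v = value.strip()
    if not v:
        return "empty"
    host = remote_host(v)
    if host is None:
        if _LOCAL_DRIVE_RE.match(v) or "\\" not in v:
            return "local"
        return "review"
    if host in {".", "?"}:
        return "review"
    if host in TRUSTED_HOSTS:
        return "remote-trusted"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "remote-external"  # non-allowlisted hostname: treat as hostile
    # is_private covers RFC 1918, loopback and link-local ranges
    return "remote-internal" if ip.is_private else "remote-external"


def triage(items):
    """Group (item_id, value) pairs by verdict; return (groups, ids to escalate)."""
    groups = {}
    for item_id, value in items:
        groups.setdefault(classify(value), []).append(item_id)
    escalate = groups.get("remote-external", []) + groups.get("remote-internal", [])
    return groups, escalate


# Constructed sample export: item ids, hosts and paths are made up.
SAMPLE_ITEMS = [
    ("item-001", r"C:\Windows\Media\Windows Notify Calendar.wav"),
    ("item-002", r"\\198.100.50.25\share\reminder.wav"),
    ("item-003", r"\\fileserver01.corp.example\media\alert.wav"),
    ("item-004", r"\\10.20.30.40@SSL@443\DavWWWRoot\reminder.wav"),
    ("item-005", r"\\attacker.example@80\dav\reminder.wav"),
    ("item-006", ""),
]

if __name__ == "__main__":
    groups, escalate = triage(SAMPLE_ITEMS)
    for verdict, ids in sorted(groups.items()):
        print(f"{verdict:16} {', '.join(ids)}")
    print("escalate:", escalate)
```

Every item in the remote-external or remote-internal buckets is worth pulling in full and correlating with outbound SMB or WebDAV connections (TCP 445, 80, 443) from OUTLOOK.EXE on the recipient's machine. The property is only one artifact of the exploit, so an empty result does not prove a mailbox clean; Microsoft's guidance to block outbound TCP 445 at the perimeter and to put high-value accounts in the Protected Users group addresses the credential leak regardless of which path form the attacker used.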

These attacks affect critical infrastructure organizations involved in energy production and distribution, pipeline operations, and the transport of materials, people and air traffic, in addition to European Defence, Foreign Affairs and Internal Affairs ministries.

Every targeted European country other than Ukraine is a current NATO member, which underlines how serious the campaign is. The intrusions have affected at least one NATO Rapid Deployable Corps, the headquarters responsible for the rapid deployment and command of NATO forces.

Unit 42 notes that spending a zero-day exploit on a target signals both the target's high value and a lack of existing access or intelligence on it. The persistent pursuit of this material shows how highly Russian intelligence services valued these institutions.

International response and ongoing threat landscape

This finding follows the disclosure in October by ANSSI, the French cybersecurity agency, that Russian hackers had used the same Outlook flaw to attack many French organizations. Separately, the United Kingdom and its Five Eyes intelligence partners have linked another Russian threat group, the Callisto Group, to the branch of Russia's Federal Security Service (FSB) known as "Centre 18".

Recent events show how persistent these problems are as the international community struggles to contain the growing cyber operations of Russian state-sponsored groups. Microsoft's moves to block Callisto Group attacks on European NATO members show how important it is for technology companies to act quickly against such threats.

But as the threat landscape widens, governments, intelligence services and the private sector must respond comprehensively and systematically. The reward of up to $10 million[3] offered by the U.S. government for information on those responsible signals a commitment to identifying and apprehending the operators behind these campaigns, and highlights the need to accelerate international cybersecurity efforts to protect critical infrastructure and national security. The interconnection of nations in the digital sphere makes coordinated action essential to stay ahead of evolving cyber threats.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
