Russian GRU Hackers Compromised German, Czech Targets

APT28 Used Microsoft Outlook Zero-Day, Governments Said
The German and Czech governments disclosed a Russian military intelligence hacking campaign. (Image: Shutterstock)

The German and Czech governments on Friday disclosed that Russian military intelligence hackers targeted political parties and critical infrastructure as part of an espionage campaign that began last year.

In a rare public disclosure on Friday, the Federal Ministry of the Interior and Community attributed a cyber campaign that targeted the members of the German Social Democratic Party to a hacking unit of the Russian General Staff Main Intelligence Directorate, better known as the GRU. The threat actor is tracked under the monikers APT28, Fancy Bear, Strontium, and Forest Blizzard.

The German ministry, known as BMI for its German acronym, said Russian hackers used an unidentified zero-day vulnerability in Microsoft Outlook. In addition to politicians, the group targeted IT networks of government offices, especially in the energy supply sector, and private companies working in the logistics, armaments, aerospace and IT services sectors in the country, the agency said.

"The federal government considers the cyberattack on the government party SPD as a serious encroachment on democratic structures," the ministry said. "The attacks are a focal point of the attacks concerning Russia's war of aggression in violation contrary to international law."

On Friday, the Czech Republic government acknowledged the group was behind attacks on its critical infrastructure and organizations using the Outlook zero-day that began in 2023.

Following the recent disclosure, the German Foreign Ministry summoned a top Russian envoy. On Friday, the European Union and NATO condemned the attacks on the European countries and urged Moscow to abide by international obligations. The U.S. Department of State said Thursday in a statement that it "strongly condemns" the hacks.

"The malicious cyber campaign shows Russia's continuous pattern of irresponsible behavior in cyberspace. The EU will not tolerate such malicious behavior," the EU said in a statement.

NATO said the APT28 activities included sabotage, cyber and electronic interference, and campaigns that recently affected Estonia, Lithuania, Poland, Slovakia and Sweden (see: Moscow Military Hackers Used Microsoft Outlook Vulnerability).

Neither the German nor Czech governments disclosed the details of the Outlook vulnerability exploited by the group. U.S. intelligence agencies in February said APT28 likely carried out attacks against other central European governments by exploiting a flaw Microsoft patched in March 2023. The vulnerability, tracked as CVE-2023-23397, allowed hackers to trigger Windows into transmitting hashed passwords by sending a backdated Microsoft Outlook appointment request containing a parameter for the sound the email client should play when the appointment is overdue.
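
A defensive triage check for the mechanism described above, added here as an illustration and not taken from the article or from Microsoft's own tooling: in CVE-2023-23397 the reminder-sound parameter (MAPI property PidLidReminderFileParameter) held a UNC path, so loading the sound made Windows authenticate to that server. The dict schema, field names, sample items and the `.corp.example` suffix are assumptions.

```python
import ipaddress
import re

# Assumed internal DNS suffixes (constructed for this example).
INTERNAL_SUFFIXES = (".corp.example",)
LONG_UNC = re.compile(r"^\\\\[?.]\\UNC\\([^\\]+)", re.IGNORECASE)
PLAIN_UNC = re.compile(r"^\\\\([^\\]+)")


def unc_host(path):
    """Return the server name of a UNC path, or None for local/empty paths."""
    p = (path or "").strip().replace("/", "\\")
    m = LONG_UNC.match(p) or PLAIN_UNC.match(p)
    if not m or m.group(1) in ("?", "."):  # \\?\C:\... and \\.\ are local
        return None
    # WebDAV forms such as \\host@SSL@443\share carry the port after '@'.
    return m.group(1).split("@")[0].lower()


def is_internal(host):
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        # Single-label names are normally resolved on the local network.
        return "." not in host or host.endswith(INTERNAL_SUFFIXES)


def triage(item):
    """Classify one exported item; 'reminder_sound' is a hypothetical key
    holding the item's PidLidReminderFileParameter value."""
    host = unc_host(item.get("reminder_sound"))
    if host is None:
        return "ok"
    # Any UNC sound path is unusual; one pointing outside is the urgent case.
    return "review" if is_internal(host) else "alert"


def scan(items):
    results = {i["id"]: triage(i) for i in items}
    return {k: v for k, v in results.items() if v != "ok"}


SAMPLE_ITEMS = [  # constructed sample data
    {"id": "a1", "reminder_sound": r"C:\Windows\Media\chimes.wav"},
    {"id": "a2", "reminder_sound": r"\\files.outside.example\s\r.wav"},
    {"id": "a3", "reminder_sound": r"\\?\UNC\10.0.0.5\media\r.wav"},
    {"id": "a4", "reminder_sound": r"\\outside.example@SSL@443\dav\r.wav"},
    {"id": "a5", "reminder_sound": None},
]

if __name__ == "__main__":
    print(scan(SAMPLE_ITEMS))
```

Items marked `alert` or `review` warrant inspection of the message itself and of outbound SMB or WebDAV connections from the recipient's host around the time the reminder fired.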

John Hultquist, chief analyst at Google Mandiant, said the latest activities of the group indicate it is "not limited to any one party or country."

"This is a reminder that Western politicians with geopolitical insight are a prime target for espionage. With several upcoming elections, politicians and parties everywhere should be on alert," Hultquist said.

Microsoft did not immediately respond to a request for comment.


About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.



