Microsoft and NATO: APT28 Weaponizes Outlook Zero-Click Flaw to Steal Net-NTLMv2 Hashes From NATO Targets

APT28 Exploits Zero-Click Outlook Flaw to Steal Credentials from NATO and Critical Infrastructure

Russian state-sponsored threat group APT28 (also known as Fancy Bear or Forest Blizzard), linked to the GRU’s Unit 26165, has intensified its cyber espionage operations by exploiting a zero-click vulnerability in Microsoft Outlook to target NATO members, defense organizations, and critical infrastructure entities.

The campaign centers on CVE-2023-23397, a critical elevation-of-privilege flaw in Outlook that allows attackers to trigger forced authentication without user interaction. APT28 sends malicious Outlook reminders that, when processed, automatically connect to attacker-controlled Server Message Block (SMB) shares, leaking victims’ Net-NTLMv2 hashes. These stolen credentials enable NTLM relay attacks, granting unauthorized access to Microsoft Exchange mailboxes without deploying traditional malware.
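A defender-side triage check for the reminder abuse described above, as an added example that is not code from the article, Rankiteo or Microsoft. It assumes the reminder sound path has already been extracted as the PidLidReminderFileParameter value (the property Microsoft's public mitigation script inspects) and that `corp.example` is the organisation's internal DNS suffix; any UNC path whose host is outside the organisation is flagged, because an Outlook client resolving it would send an authenticated SMB request there.

```python
# Added example, not code from the article, Rankiteo or Microsoft.
# Assumes the reminder sound path is the PidLidReminderFileParameter value.
import ipaddress
import re

# Constructed allowlist for this demo: DNS suffixes treated as internal.
INTERNAL_SUFFIXES = ("corp.example",)

# Matches \\host\share\... and captures the host component.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

def unc_host(value):
    """Return the host of a UNC path, or None when the value is not a UNC path."""
    match = UNC_RE.match(value or "")
    return match.group(1).lower() if match else None

def is_internal(host):
    """Private IP literals and allowlisted DNS suffixes count as internal."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES)

def classify_reminder(value):
    """Classify one reminder file-parameter value.

    'benign'     - not a UNC path (default or local sound file)
    'internal'   - UNC path to an internal host (still unusual for a reminder)
    'suspicious' - UNC path to an external host that Outlook would authenticate to
    """
    host = unc_host(value)
    if host is None:
        return "benign"
    return "internal" if is_internal(host) else "suspicious"

def triage(items):
    """items: (message_id, reminder_file_parameter) pairs -> ids to quarantine."""
    return [mid for mid, value in items if classify_reminder(value) == "suspicious"]

# Constructed sample mailbox items; the hostnames are placeholders.
SAMPLE_ITEMS = [
    ("msg-001", None),
    ("msg-002", r"C:\Windows\Media\Alarm01.wav"),
    ("msg-003", r"\\fileserver.corp.example\sounds\reminder.wav"),
    ("msg-004", r"\\10.0.0.5\public\chime.wav"),
    ("msg-005", r"\\share.external-placeholder.invalid\s\r.wav"),
]

if __name__ == "__main__":
    print("quarantine:", triage(SAMPLE_ITEMS))
```

Review "internal" hits as well: a reminder sound is normally a local file, and a relay host that already sits inside the network would land in that bucket.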

Unlike past operations that relied on heavy implants like the X-Agent toolkit, APT28 has shifted to stealthier, single-purpose techniques that minimize forensic traces. To evade detection, the group has overhauled its infrastructure, leveraging compromised SOHO edge devices, specifically the MooBot botnet, which consists of hijacked Ubiquiti EdgeRouters. These routers serve as relay nodes for stolen hashes and host credential-scraping proxies, masking malicious traffic behind legitimate consumer IP addresses and bypassing reputation-based security filters.

The attack chain highlights a sophisticated evolution in APT28’s tactics, combining zero-click exploitation with decentralized infrastructure to silently infiltrate high-value targets. The campaign underscores the growing threat to European defense and critical infrastructure sectors.

Source: https://cyberpress.org/apt28-steals-net-ntlmv2-hashes-via-outlook-flaw/

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security-response-center

NATO TPRM report: https://www.rankiteo.com/company/nato

{
  "id": "natmic1781267313",
  "linkid": "nato, microsoft-security-response-center",
  "type": "Vulnerability",
  "date": "3/2023",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {"industry": "Defense, Government", "location": "Europe", "type": "NATO members"},
    {"industry": "Defense", "type": "Defense organizations"},
    {"industry": "Critical Infrastructure", "type": "Critical infrastructure entities"}
  ],
  "attack_vector": "Zero-click vulnerability exploitation (CVE-2023-23397)",
  "data_breach": {
    "sensitivity_of_data": "High (sensitive communications, potential classified information)",
    "type_of_data_compromised": ["Net-NTLMv2 hashes", "Microsoft Exchange mailbox data"]
  },
  "description": "Russian state-sponsored threat group APT28 (also known as Fancy Bear or Forest Blizzard), linked to the GRU’s Unit 26165, has intensified its cyber espionage operations by exploiting a zero-click vulnerability in Microsoft Outlook to target NATO members, defense organizations, and critical infrastructure entities. The campaign centers on CVE-2023-23397, a critical elevation-of-privilege flaw in Outlook that allows attackers to trigger forced authentication without user interaction. APT28 sends malicious Outlook reminders that, when processed, automatically connect to attacker-controlled Server Message Block (SMB) shares, leaking victims’ Net-NTLMv2 hashes. These stolen credentials enable NTLM relay attacks, granting unauthorized access to Microsoft Exchange mailboxes without deploying traditional malware. The group has shifted to stealthier techniques, leveraging compromised SOHO edge devices (MooBot botnet of hijacked Ubiquiti EdgeRouters) to evade detection and mask malicious traffic behind legitimate consumer IP addresses.",
  "impact": {
    "data_compromised": "Net-NTLMv2 hashes, Microsoft Exchange mailbox access",
    "identity_theft_risk": "High (credential theft enabling further attacks)",
    "operational_impact": "Unauthorized access to sensitive communications and data",
    "systems_affected": ["Microsoft Outlook", "Microsoft Exchange"]
  },
  "initial_access_broker": {
    "entry_point": "Zero-click Outlook vulnerability (CVE-2023-23397)",
    "high_value_targets": ["NATO members", "Defense organizations", "Critical infrastructure"]
  },
  "motivation": "Cyber espionage, unauthorized access to sensitive information",
  "post_incident_analysis": {
    "root_causes": "Exploitation of unpatched zero-click vulnerability (CVE-2023-23397), use of compromised SOHO edge devices for evasion"
  },
  "references": [{"source": "Microsoft CVE-2023-23397 Advisory"}],
  "threat_actor": "APT28 (Fancy Bear, Forest Blizzard, GRU’s Unit 26165)",
  "title": "APT28 Exploits Zero-Click Outlook Flaw to Steal Credentials from NATO and Critical Infrastructure",
  "type": "Cyber Espionage",
  "vulnerability_exploited": "CVE-2023-23397 (Microsoft Outlook Elevation of Privilege Vulnerability)"
}