The Unit 42 team at Palo Alto Networks has released a research report that provides new evidence and insights into the ongoing activities of the Russian state-backed threat actor "Fighting Ursa," better known as "APT28" or "Fancy Bear."
Earlier this year, Ukrainian cybersecurity researchers discovered that Fighting Ursa had exploited a zero-day vulnerability in Microsoft Outlook (now tracked as CVE-2023-23397). The vulnerability is particularly concerning because it requires no user interaction to exploit. Unit 42 researchers have observed the group using CVE-2023-23397 over the past 20 months to target at least 30 organizations in 14 countries that are likely to be of strategic intelligence value to the Russian government and its military.
Zero-day in Microsoft Outlook as the foundation
During this period, Fighting Ursa ran at least two publicly documented campaigns exploiting this vulnerability: the first between March and December 2022, the second in March 2023. Unit 42 researchers have now identified a third, recently active campaign in which Fighting Ursa exploited the same vulnerability. The group ran this latest campaign between September and October 2023, targeting at least nine organizations in seven countries.
Of the 14 countries targeted across all three campaigns, all but three (Ukraine, Jordan and the United Arab Emirates) are NATO members. The targeted organizations include critical infrastructure operators and bodies that provide an information edge in diplomatic, economic and military affairs.
APT28's main targets at a glance
- Power generation and distribution
- Pipeline operations
- Material, personnel and air transport
- Ministries of Defense
- Foreign Ministries
- Interior ministries
- Ministries of Economic Affairs
Fighting Ursa (also known as APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy or Sednit) is a group linked to Russian military intelligence and known for its focus on targets of Russian interest, particularly military ones. Fighting Ursa has been attributed to Unit 26165 of the 85th Main Special Service Center (GTsSS) of the Russian General Staff's military intelligence agency (GRU).
All campaigns explained by the experts
The Palo Alto Networks experts have analyzed all three campaigns step by step and lay out the background and attack chain of APT28 in their blog post "Fighting Ursa Aka APT28: Illuminating a Covert Campaign".
More at PaloAltoNetworks.com
About Palo Alto Networks
Palo Alto Networks, the global leader in cybersecurity solutions, is shaping the cloud-based future with technologies that transform the way people and businesses work. Our mission is to be the preferred cybersecurity partner and to protect our digital way of life. We help address the world's biggest security challenges through continuous innovation that leverages the latest breakthroughs in artificial intelligence, analytics, automation and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of thousands of organizations across clouds, networks and mobile devices. Our vision is a world where each day is safer than the one before.