Germany blames Russian hackers for months-long cyber espionage

Russia was behind a months-long cyber espionage campaign against Germany last year that targeted politicians and the defense sector, German officials said, adding that they have evidence the attacks were conducted by the Russia-backed threat actor Fancy Bear.

Also tracked as APT28, Fancy Bear is a state-sponsored hacker group linked to the Russian GRU intelligence service that, according to German officials, targeted German infrastructure in response to German military aid to Ukraine in the country’s ongoing war with Russia.

“Today we can say unambiguously [that] we can attribute this cyber-attack to a group called APT28, which is steered by the military intelligence service of Russia,” Annalena Baerbock, German foreign minister said in a news conference. “In other words, it was a state-sponsored Russian cyber-attack on Germany, and this is absolutely intolerable and unacceptable and will have consequences.”

In the official statement, Germany claimed that the attacks by the threat actor within this campaign were largely ineffective.

Emails compromised through Outlook bug

According to a German Interior Ministry statement, the campaign began at least as early as March 2022, days after the Russian full-scale invasion of Ukraine, targeting emails at the Social Democratic Party headquarters as well as the country’s logistics, defense, aerospace, and IT sectors by exploiting a vulnerability in Microsoft Outlook.

The now-patched bug, tracked as CVE-2023-23397, was a security hole in Outlook that let a sender attach a custom reminder to a message and specify the reminder’s file location as a URL path inside the mail. An attacker could therefore craft an email whose custom path pointed at a remote SMB server.
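The defender-side counterpart of that description, as an added example that is not part of the original article: a small triage routine that inspects the Outlook reminder properties of a message and flags any reminder file path that resolves to a host outside an allowlist. The property IDs are the real MAPI named-property IDs for PidLidReminderOverride (0x851C) and PidLidReminderFileParameter (0x851F); the messages below are constructed sample input, and extracting these properties from real mail (via an MSG parser or a mailbox API) is assumed to happen elsewhere.

```python
"""Flag Outlook reminder paths that point at a remote UNC/SMB location,
the pattern behind CVE-2023-23397.  Hypothetical triage helper; the
message dicts at the bottom are constructed sample input."""
import re
from urllib.parse import urlparse

# MAPI named-property IDs (property set PSETID_Common) used by Outlook.
PID_LID_REMINDER_OVERRIDE = 0x851C        # PidLidReminderOverride
PID_LID_REMINDER_FILE_PARAMETER = 0x851F  # PidLidReminderFileParameter

# \\host\share\file  ->  capture "host"
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\/]+)(?:[\\/]|$)")


def reminder_target_host(path):
    """Return the host a reminder file path would be fetched from, or None
    when the path is local (drive letter, relative path, or empty)."""
    if not path:
        return None
    m = UNC_RE.match(path)
    if m:
        return m.group("host")
    u = urlparse(path)
    if u.scheme.lower() in ("file", "smb") and u.hostname:
        return u.hostname
    return None


def is_trusted(host, trusted_suffixes=()):
    """Loopback and allowlisted internal domains are not flagged."""
    host = host.lower()
    if host in ("localhost", "127.0.0.1", "::1"):
        return True
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def flag_message(props, trusted_suffixes=()):
    """Return a finding string if the reminder points off-host, else None."""
    path = props.get(PID_LID_REMINDER_FILE_PARAMETER)
    host = reminder_target_host(path)
    if host is None or is_trusted(host, trusted_suffixes):
        return None
    override = props.get(PID_LID_REMINDER_OVERRIDE, False)
    return f"reminder path {path!r} targets remote host {host} (override={override})"


SAMPLE_MESSAGES = [  # constructed sample input, not real mail
    {"subject": "Team sync", PID_LID_REMINDER_OVERRIDE: False},
    {"subject": "Invoice", PID_LID_REMINDER_OVERRIDE: True,
     PID_LID_REMINDER_FILE_PARAMETER: r"\\203.0.113.7\share\alert.wav"},
    {"subject": "Local", PID_LID_REMINDER_OVERRIDE: True,
     PID_LID_REMINDER_FILE_PARAMETER: r"C:\Windows\Media\chimes.wav"},
    {"subject": "Intranet", PID_LID_REMINDER_OVERRIDE: True,
     PID_LID_REMINDER_FILE_PARAMETER: r"\\files.corp.example\snd\ding.wav"},
]


def scan(messages, trusted_suffixes=("corp.example",)):
    """Return (subject, finding) pairs for every flagged message."""
    hits = []
    for m in messages:
        finding = flag_message(m, trusted_suffixes)
        if finding:
            hits.append((m["subject"], finding))
    return hits
```

Run against the sample set, only the "Invoice" message is reported, since the drive-letter path is local and the intranet host is allowlisted.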

“The Russian cyberattacks are a threat to our democracy, which we are resolutely countering,” said the interior minister, Nancy Faeser, in a statement adding that Germany was acting alongside the EU and NATO. “Under no circumstances will we allow ourselves to be intimidated by the Russian regime.”

According to German officials, the attacks within the campaign can be traced back to the time when Germany was weighing a decision to send Leopard 2 battle tanks to Ukraine, following Ukraine’s appeal to Europe for a fleet of 300.

Germany had reportedly been prepared to send 14 such tanks on condition that the United States did the same, not wanting to risk an aggressive Russian response alone.

Known nation-state offender

APT28 is notorious for large-scale nation-state attacks in more than a dozen countries. Described by the UK’s National Cyber Security Centre as a “highly skilled threat actor,” the group is known to have used tools including X-Tunnel, X-Agent, and CompuTrace to penetrate target networks.

The threat group was also found behind several mass attack campaigns that exploited known flaws in Outlook and WinRAR to collect Windows NTLM credential hashes from organizations in Europe and North America.

“Czechia has long been targeted by the APT28. Such violations are in violation of UN norms of responsible state behavior,” a Czech Republic foreign ministry statement said. A series of recent international efforts led by the FBI, the German statement added, shut down a botnet of compromised network devices in late January, which are believed to have been used by Fancy Bear in their cyber espionage scheme.
