APT28 Cyber Espionage Campaign Targeted Czechia and Germany, Drawing Condemnation

ICARO Media Group
Politics
04/05/2024 20h56

The European Union (EU), North Atlantic Treaty Organization (NATO), the UK, and the US have expressed their condemnation after Czechia and Germany announced that they were the victims of a long-term cyber espionage campaign conducted by the Russia-linked nation-state actor known as APT28. Both countries disclosed that the attacks were carried out using a security flaw in Microsoft Outlook.

The Ministry of Foreign Affairs of the Czech Republic stated that various entities within the country had been targeted through the exploitation of a now-patched critical privilege escalation bug, CVE-2023-23397. The flaw allowed the threat actor to obtain Net-NTLMv2 hashes and reuse them for authentication through a relay attack. The ministry emphasized that cyber attacks against political entities, state institutions, and critical infrastructure not only pose a threat to national security but also disrupt democratic processes.
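As an added illustration of the defender's side of the flaw described above (not code from the article or from any of the agencies it cites): CVE-2023-23397 is triggered by a calendar or task item whose reminder-sound property points at a UNC path, so the victim's Outlook authenticates to the named host and leaks a Net-NTLMv2 hash; that property detail is a known fact about the CVE that the article does not spell out. The snippet below triages such property values from already-extracted message records. The records, the internal network ranges and the `corp.example` domain are all constructed assumptions for the example.

```python
import ipaddress
import re

# Constructed sample records (not real mail data). Each holds a message id and
# the value of its reminder-sound property, the field CVE-2023-23397 abuses.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "reminder_file": None},
    {"id": "msg-002", "reminder_file": r"C:\Windows\Media\ding.wav"},
    {"id": "msg-003", "reminder_file": r"\\fileserver.corp.example\media\chime.wav"},
    {"id": "msg-004", "reminder_file": r"\\203.0.113.7\share\reminder.wav"},
    {"id": "msg-005", "reminder_file": r"\\?\UNC\attacker.example.net\x\a.wav"},
]

# Assumed trust boundary: RFC 1918 space plus one corporate DNS suffix.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
INTERNAL_DOMAINS = ("corp.example",)

# Matches \\host\... and the long form \\?\UNC\host\..., capturing the host.
_UNC = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)\\", re.IGNORECASE)


def unc_host(path):
    """Return the host part of a UNC path, or None for local/empty paths."""
    if not path:
        return None
    m = _UNC.match(path)
    return m.group(1) if m else None


def is_internal_host(host):
    """True when the host is an internal IP or under an internal DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        h = host.lower()
        return any(h == d or h.endswith("." + d) for d in INTERNAL_DOMAINS)


def triage(messages):
    """Flag every message whose reminder sound lives on a network share.

    Any UNC reminder path is unusual and worth a look ("review"); one that
    points outside the trust boundary would make Outlook authenticate to an
    attacker-controlled host, so it is marked "suspicious".
    """
    findings = []
    for msg in messages:
        host = unc_host(msg.get("reminder_file"))
        if host is None:
            continue
        severity = "review" if is_internal_host(host) else "suspicious"
        findings.append((msg["id"], host, severity))
    return findings


if __name__ == "__main__":
    for msg_id, host, severity in triage(SAMPLE_MESSAGES):
        print(f"{msg_id}: reminder sound on {host} -> {severity}")
```

Running it flags msg-003 for review and msg-004 and msg-005 as suspicious; the remaining records use no path or a local one. The host allowlist is deliberately narrow: a legitimate internal file server still deserves a look, because a relay target inside the perimeter is exactly what the hash-relay step in the article needs.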

Meanwhile, Germany's Federal Government attributed to APT28 a cyber attack that targeted the Executive Committee of the Social Democratic Party. The same Outlook vulnerability was leveraged over a prolonged period, leading to the compromise of numerous email accounts. The country further implicated APT28 in the 2015 attack on the German federal parliament, the Bundestag.

Logistics, armaments, the air and space industry, IT services, foundations, and associations in Germany, Ukraine, and Europe were among the industry verticals targeted in this campaign. The Bundesregierung, Germany's federal government, pointed out the connection between the cyber espionage activities and the APT28 group.

APT28, also known as BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422, has been associated with Military Unit 26165 of the GRU, the Russian Federation's military intelligence agency. The group has a documented history of malicious and disruptive activity. In January, Microsoft traced APT28's exploitation of a zero-day Windows vulnerability to deliver a custom malware called GooseEgg, affecting government and non-governmental organizations in Ukraine, Western Europe, and North America.

NATO's condemnation came as it declared Russia's hybrid actions, including cyber threats, a threat to Allied security. The Council of the European Union also criticized Russia, highlighting its "continuous pattern of irresponsible behavior in cyberspace." The US Department of State described APT28 as engaging in destabilizing behavior and emphasized its commitment to upholding cyber security for allies and partners.

A recent coordinated law enforcement action disrupted a botnet comprising hundreds of small office and home office (SOHO) routers, which were believed to be used by APT28 to conceal their malicious activities. However, the cleanup of all affected routers was hindered by legal constraints and technical challenges. The botnet was found to consist not only of routers from Ubiquiti but also included other Linux-based routers, Raspberry Pi, and virtual private servers (VPS).

Cybersecurity experts have also warned of the severe risk posed by Russian state-sponsored cyber threat activities to upcoming elections in regions such as the US, the UK, and the EU. APT28, along with other groups such as APT44, COLDRIVER, KillNet, and APT29, has been cited as a potential perpetrator of data theft, destructive attacks, DDoS campaigns, and influence operations.

Furthermore, a surge in DDoS attacks targeting Sweden has been observed following its acceptance into NATO, echoing the pattern witnessed during Finland's NATO accession. NETSCOUT has attributed these attacks to politically motivated groups supporting Russian ideals, including NoName057, Anonymous Sudan, Russian Cyber Army Team, and KillNet.

In light of continued attacks launched by pro-Russia hacktivists against industrial control systems (ICS) and small-scale operational technology (OT) systems, government agencies from Canada, the UK, and the US have released a joint fact sheet to help critical infrastructure organizations secure their environments. These attacks have targeted sectors such as water and wastewater systems, dams, energy, and food and agriculture. The hacktivist groups have exploited publicly exposed internet-facing connections and factory default passwords on the human-machine interfaces (HMIs) prevalent in these environments.

Mitigation recommendations include strengthening HMIs, limiting internet exposure of OT systems, utilizing strong and unique passwords, and implementing multi-factor authentication for all access to the OT network.

The revelation of the APT28 cyber espionage campaign has sparked concerns about the threats posed by state-sponsored actors and their disruptive activities targeting critical infrastructure, democratic processes, and global security. Authorities and cybersecurity experts vow to remain vigilant and continue to devise strategies to counter these cyber threats effectively.
