Between April and December 2022, the NATO Rapid Deployable Corps, a NATO force that can be quickly deployed to command NATO forces, was targeted by Russian state-sponsored hackers.
This is according to cybersecurity researchers at Unit 42, a security division of Palo Alto Networks, who noted that the hackers were looking for sensitive data and other valuable information.
A few weeks after the invasion of Ukraine, a threat actor known as APT28 (AKA Fancy Bear, Fighting Ursa) began exploiting a zero-day vulnerability in Microsoft Outlook to attack the State Migration Service of Ukraine with malware. A month later, Unit 42 says, it used the same vulnerability, tracked as CVE-2023-23397, in more campaigns. In total, the networks of approximately fifteen government, military, energy and transport organizations across Europe were targeted. The Russians were looking for military intelligence emails that could help the country's war effort.
NATO members are under attack
By the time Microsoft fixed the bug a year later, APT28 was already embedded deeply enough, had acquired enough credentials, and had built up enough staying power to continue. It expanded its campaign in May this year, when it began exploiting a separate flaw, tracked as CVE-2023-29324.
Now Unit 42 claims that all affected countries are NATO members, and in one case even the NATO Rapid Deployable Corps was a target.
“The use of a zero-day exploit against a target indicates that this is of great value. It also suggests that existing access and intelligence for that target at the time was insufficient,” Unit 42 said. “In the second and third campaigns, Fighting Ursa continued to use a publicly known exploit already attributed to them, without changing their techniques. This suggests that the access and intelligence generated by these operations outweighed the impact of public outings and discoveries.”
“For these reasons, the organizations targeted by all three campaigns were most likely a higher than normal priority for Russian intelligence.”
Via BleepingComputer