October 27th – Since 2021, the nation-state-backed group known as APT28 (a.k.a. ‘Strontium’ or ‘Fancy Bear’) has been linked to a series of breaches targeting French government entities, businesses, universities and think tanks.
Most recently, APT28 leveraged CVE-2023-38831, a remote code execution vulnerability in WinRAR, and a zero-day privilege elevation flaw in Microsoft Outlook to compromise organizations.
The hackers have been compromising peripheral devices on critical networks, and shifting away from the use of backdoors in the hopes of evading detection.
All of this information comes from the Agence nationale de la sécurité des systèmes d’information (ANSSI), the French National Agency for the Security of Information Systems, which has analyzed APT28’s activities.
As an espionage-focused group, APT28 seeks to access data and exfiltrate it for its own operational purposes.
ANSSI has tracked APT28 as it has retrieved authentication information using native utilities, and stolen emails containing sensitive information.
The group’s command-and-control (C2) infrastructure relies on legitimate cloud services, such as Microsoft OneDrive and Google Drive, making its exchanges less likely to be flagged by traffic monitoring tools.
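Because C2 traffic that blends into OneDrive or Google Drive sessions will not trip a simple domain blocklist, defenders tend to look instead at how a host talks to those services. The script below is an added example (not from the article or from ANSSI) that applies two such heuristics to constructed proxy log lines: near-constant intervals between connections to a cloud-storage domain, and a user agent that is not a browser or an official sync client. The log format, the domain list, the user-agent allowlist and the thresholds are all assumptions made for the example.

```python
"""Heuristic detection of beacon-like traffic to cloud-storage services.

Added example with constructed data; the thresholds and allowlists below are
assumptions for illustration, not a production rule.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Domains treated as cloud-storage endpoints (assumed list for this example).
CLOUD_STORAGE_DOMAINS = {
    "onedrive.live.com", "graph.microsoft.com",
    "drive.google.com", "www.googleapis.com",
}
# User-agent prefixes considered expected for those services (assumed allowlist).
EXPECTED_UA_PREFIXES = ("Mozilla/", "OneDrive/", "Google-Drive/")

MIN_EVENTS = 4      # pairs with fewer connections than this are not judged
MAX_JITTER = 0.15   # stdev/mean of inter-connection gaps at or below this looks scheduled

# Constructed proxy log. Assumed format, one token per field and no spaces in the UA:
# "<ISO timestamp> <src_host> <user_agent> <dst_domain> <bytes_out>"
SAMPLE_LOG = """\
2023-10-20T08:00:00 ws-01 python-requests/2.31 graph.microsoft.com 1200
2023-10-20T08:01:10 ws-02 Mozilla/5.0 drive.google.com 88000
2023-10-20T08:05:00 ws-01 python-requests/2.31 graph.microsoft.com 1180
2023-10-20T08:07:45 ws-02 Mozilla/5.0 drive.google.com 402
2023-10-20T08:10:00 ws-01 python-requests/2.31 graph.microsoft.com 1210
2023-10-20T08:15:00 ws-01 python-requests/2.31 graph.microsoft.com 1190
2023-10-20T08:20:00 ws-01 python-requests/2.31 graph.microsoft.com 1205
2023-10-20T08:20:00 ws-03 python-requests/2.31 updates.example.com 300
2023-10-20T08:25:00 ws-01 python-requests/2.31 graph.microsoft.com 1195
2023-10-20T08:25:00 ws-03 python-requests/2.31 updates.example.com 300
2023-10-20T08:30:00 ws-02 Mozilla/5.0 drive.google.com 15500
2023-10-20T08:30:00 ws-03 python-requests/2.31 updates.example.com 300
2023-10-20T08:35:00 ws-03 python-requests/2.31 updates.example.com 300
2023-10-20T09:12:00 ws-02 Mozilla/5.0 drive.google.com 67000
"""


def parse_log(text):
    """Parse the assumed five-field log format into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, ua, domain, size = line.split()
        events.append((datetime.fromisoformat(ts), host, ua, domain, int(size)))
    return events


def detect_cloud_beacons(log_text, min_events=MIN_EVENTS, max_jitter=MAX_JITTER):
    """Return one finding per (host, cloud domain) pair that looks beacon-like."""
    by_pair = defaultdict(list)
    for ts, host, ua, domain, _size in parse_log(log_text):
        if domain in CLOUD_STORAGE_DOMAINS:      # ignore everything else
            by_pair[(host, domain)].append((ts, ua))

    findings = []
    for (host, domain), hits in by_pair.items():
        if len(hits) < min_events:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps)
        # Coefficient of variation of the gaps: ~0 means a fixed schedule.
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 0.0

        reasons = []
        if jitter <= max_jitter:
            reasons.append("periodic")
        if not all(ua.startswith(EXPECTED_UA_PREFIXES) for _, ua in hits):
            reasons.append("unexpected-user-agent")
        if reasons:
            findings.append({
                "host": host, "domain": domain, "events": len(hits),
                "mean_gap_s": mean_gap, "jitter": round(jitter, 3),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_cloud_beacons(SAMPLE_LOG):
        print(finding)
```

In the constructed data, ws-01 reaches graph.microsoft.com every 300 seconds from a scripting user agent and is reported on both counts; ws-02 uses a browser at irregular times and is not; ws-03 is periodic but talks to a domain outside the cloud-storage set, so it is never evaluated. Either heuristic alone produces false positives (official sync clients also poll on a schedule), which is why the two are reported together and meant to be reviewed rather than blocked on.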
To defend against nation-state threats like this one, organizations are advised to take a comprehensive approach to security, with an emphasis on email security.
Regarding email security, ANSSI recommends:
- Ensuring the security and privacy of all email exchanges.
- Using secure exchange platforms, so as to prevent email interception or hijacking.
- Minimizing the attack surface of webmail interfaces.
- Implementing robust detection capabilities that can identify malicious emails.
Lastly, to receive timely cyber security insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.