Kremlin-backed hackers attacking unpatched Outlook systems, Microsoft says

Hackers associated with Russia’s military intelligence are still actively exploiting a vulnerability in Microsoft software to gain access to victims’ emails, the company said Monday.

The threat actor, tracked by Microsoft as Forest Blizzard but also known as Fancy Bear or APT28, has been attempting to use the bug to gain unauthorized access to email accounts within Microsoft Exchange servers since as early as April 2022, researchers said in an update to a report from March.

The vulnerability is tracked as CVE-2023-23397, and it affects all versions of Microsoft Outlook software on Windows devices.

Microsoft patched the flaw in the spring after Russian hackers exploited it in attacks "against a limited number of organizations in government, transportation, energy, and military sectors in Europe."

“Users should ensure Microsoft Outlook is patched and kept up to date to mitigate this threat,” the researchers said.

Successful exploitation allows hackers to access victims’ email correspondence, according to the Polish Cyber Command, which partnered with Microsoft to investigate the attacks.

In the cases investigated by the Polish cybersecurity agency, hackers exploited the Outlook vulnerability to gain access to mailboxes containing “high-value information.”

An attack begins when a threat actor delivers a specially crafted message to a user, according to Microsoft. The user does not even need to interact with this message if Outlook on their Windows device is open. Exploitation of the flaw leaves very few forensic traces, making it hard to detect hacker activity.

Familiar APT

Fancy Bear, labeled by cybersecurity researchers as an advanced persistent threat (APT) group, primarily targets government, energy, transportation, and nongovernmental organizations in the U.S., Europe, and the Middle East. The group is linked to Russia’s military intelligence agency (GRU).

In October, France accused the group of targeting universities, businesses, think tanks and government agencies. In September, it attempted to attack a critical energy facility in Ukraine.

The hackers commonly exploit publicly available vulnerabilities. In addition to the Microsoft Outlook flaw, they also targeted a popular file archiver utility for Windows called WinRAR “to adapt spear-phishing operations against chiefly Ukrainian government targets.

According to Microsoft, the group is “well-resourced and well-trained,” which poses “long-term challenges to attribution and tracking its activities.”

Poland's Cyber Command said that the group possesses a high level of sophistication and in-depth knowledge of the architecture and mechanisms of the Microsoft Exchange mail system.