Unit 42 Reveals Russian-Backed Threat Campaigns Targeting Critical Infrastructure
December 2023 by Unit 42/Palo Alto Networks
Palo Alto Networks’ Unit 42 issued research that reveals new evidence and insight on the ongoing efforts of Russian-backed threat actor Fighting Ursa (aka APT28 / Fancy Bear). The research outlines findings on three APT campaigns over the past 20 months that have targeted at least 30 organisations within 14 nations, offering strategic intelligence value to the Russian government and its military.
The new Unit 42 research highlights that, throughout all three campaigns, targeted organisations included critical infrastructure sectors and entities that provide an information advantage in diplomatic, economic, and military affairs. Highlights include:
• Targeted organisations were within NATO member countries, except for entities in Ukraine, Jordan, and the United Arab Emirates.
• Critical sectors targeted include energy, transportation, telecommunications, IT, and the military industrial base.
• Each campaign exploited a vulnerability in Microsoft Outlook on Windows, tracked as CVE-2023-23397, to launch NTLM relay attacks on victims. The group continues to use this vulnerability even though its activity has been exposed multiple times.
• This vulnerability is especially concerning since exploiting it doesn’t require user interaction.