The European Union (EU), alongside the governments of member states Czechia and Germany and other partners including the UK, have condemned a campaign of cyber attacks perpetrated by the Russian intelligence-backed advanced persistent threat (APT) actor known as Fancy Bear – also known as APT28, Strontium and Forest Blizzard.
The announcement accompanies the publication of statements by both Berlin and Prague detailing, in the first instance, the compromise of various email accounts belonging to the German Social Democratic Party executive, and in the second, various government institutions.
The EU said bodies in other member states including Lithuania, Poland, Slovakia and Sweden have also been targeted by Fancy Bear, which was previously sanctioned by the EU over a cyber attack on the German Federal Parliament in 2015.
It said the malicious campaign showed a “continuous pattern of irresponsible behaviour in cyber space” by Russia, targeting democratic institutions, government entities and critical infrastructure across Europe, contrary to the UN norms of responsible state behaviour in cyber space, and with disregard to international security and stability.
“The EU will not tolerate such malicious behaviour, particularly activities that aim to degrade our critical infrastructure, weaken societal cohesion and influence democratic processes, mindful of this year’s elections in the EU and in more than 60 countries around the world,” said Brussels in a statement. “The EU and its member states will continue to cooperate with our international partners to promote an open, free, stable and secure cyber space. The EU is determined to make use of the full spectrum of measures to prevent, deter and respond to Russia’s malicious behaviour in cyber space.”
A spokesperson for the German government said: “Cyber attacks against political parties, state institutions and companies that provide critical infrastructure pose a threat to our democracy, our national security and our liberal-minded society.
“The Federal Government most strongly condemns the repeated and unacceptable malicious cyber activities by state-sponsored Russian actors and again calls on Russia to refrain from such behaviour. Germany is determined to work together with its European and international partners to counter such malicious cyber activities.”
The Czechian government added: “Cyber attacks targeting political entities, state institutions and critical infrastructure are not only a threat to national security, but also disrupt the democratic processes on which our free society is based. Czech authorities will continue to take steps to strengthen the resilience of public institutions and the private sector.
“Czechia is deeply concerned by these repeated cyber attacks by state actors,” it said. “We are determined to respond strongly to this unacceptable behaviour together with our European and international partners.”
In both campaigns against Czechia and Germany, APT28 is understood to have exploited a vulnerability in Microsoft Outlook. This is likely to have been CVE-2023-23397, which was disclosed in the March 2023 Patch Tuesday update, and which Fancy Bear is known to have used in a great number of cyber attacks, possibly as long ago as 2022.
It has also been used against government bodies and organisations in fields such as energy production and distribution; pipeline operations; and materiel, personal and air transport.
The targeted countries were Bulgaria, Czechia, Italy, Jordan, Lithuania, Luxembourg, Montenegro, Poland, Romania, Slovakia, Türkiye, Ukraine, the UAE and the US, as well as the Nato High Readiness Force Headquarters, which are dispersed across Europe in the UK, France, Germany, Greece, Poland and Türkiye.
CVE-2023-23397, which is exploited by sending a specially crafted email to a potential target, is particularly dangerous because it is triggered on the email server side, which in layman’s terms means it can be exploited before the email is opened and viewed. It enables a threat actor to access the victim’s Net-NTLMv2 hash and use it to authenticate while pretending to be them, thus getting around authentication measures. It was first discovered by Ukrainian cyber authorities.
UK reaction
In the UK, Westminster was swift to join with the EU and affected countries in strongly condemning Fancy Bear’s actions.
“Today’s statements from our allies demonstrate the scale, persistence and seriousness of unacceptable Russian behaviours in cyber space,” said a spokesperson for the Foreign, Commonwealth and Development Office.
“Recent activity by Russian GRU cyber group APT28, including the targeting of the German Social Democratic Party executive, is the latest in a known pattern of behaviour by the Russian Intelligence Services to undermine democratic processes across the globe.
“On 7 December 2023, the UK exposed a series of attempts by the Russian Intelligence Services to target high-profile UK individuals and entities through cyber operations,” they said. “At the same time, we sanctioned two Russian nationals responsible for political interference.
“With multiple elections around the world in 2024, raising awareness of the threat to the UK and our international partners remains vitally important for our collective resilience. Today, as part of a broad coalition of allies, we are making clear to the Russian state that we will continue to identify, expose and respond to such unacceptable activity.”