cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Analysis: Russian hackers using Outlook zero-day in campaign targeting NATO nations

Ukraine, the United Arab Emirates, and Jordan are also among 14 targeted nations, according to security researchers.

user icon David Hollingworth
Mon, 11 Dec 2023
Analysis: Russian hackers using Outlook zero-day in campaign targeting NATO nations
expand image

A hacking group with ties to Russian military intelligence has been observed taking advantage of a zero-day vulnerability in Microsoft Outlook to target a raft of NATO nations and partners.

Researchers at Palo Alto’s Unit 42 have spotted the hacking group Fighting Ursa – also known as Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, Sednit, or simply APT28 – using the Outlook vulnerability in three distinct campaigns.

The most recent campaign took place between September and October 2023. The other campaigns date back to between March and December 2022 and March 2023.


The issue has since been patched, but Fighting Ursa has continued to make use of the exploit regardless.

The exploit takes advantage of the Windows (New Technology) NT LAN Manager, which is a “challenge-response style authentication protocol”. In Outlook, it’s used as a backup to the Kerberos protocol. When Outlook receives a specifically crafted email aimed at exploiting the flaw, it sends an NTLM authentication message to the attacker’s file share, which, in turn, can be used to impersonate a legitimate user.

The targeted nations are all eastern European NATO members or partners, such as Ukraine and the United Arab Emirates. On at least one occasion, the threat actor targeted a NATO Rapid Deployable Corps directly, and in each case, Fighting Ursa has used the same readily identifiable tactics, making it easier to attribute.

“In the second and third campaigns, Fighting Ursa continued to use a publicly known exploit that was already attributed to them, without changing their techniques,” Unit 42 said in a blog post. “This suggests that the access and intelligence generated by these operations outweighed the ramifications of public outing and discovery.”

The threat actor has been seen to target organisations within critical infrastructure sectors such as energy and transportation, as well as government agencies, including defence ministries, postal services, and foreign affairs departments.

“It is rare to have such a detailed understanding of an APT’s targeting priorities, especially an APT like Fighting Ursa whose mission mandate is to conduct attacks on behalf of Russia’s military,” Unit 42 said.

Before Russia’s illegal invasion of Ukraine in 2022, Fighting Ursa was best known for supporting Russian information warfare campaigns, including attempting to create counter-narratives around Russian Olympic doping and subverting investigations into the poisoning of a pair of Russian nationals in England in 2018.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.