Cyber Security News

Russian Hackers Exploiting Outlook Zero-day to Attack NATO Member Countries

Using a zero-day exploit in Microsoft Outlook (tracked as CVE-2023-23397), Fighting Ursa Aka APT28 targets at least 30 companies across 14 countries that are probably significant sources of strategic intelligence for the Russian government and military.

All 14 countries targeted in a total of three campaigns are institutions within NATO member countries, except those in Ukraine, Jordan, and the United Arab Emirates. 

These organizations included vital infrastructure and sources of information advantage in the domains of diplomacy, commerce, and military affairs.

The following target organizations were among them:

  • Energy production and distribution
  • Pipeline operations
  • Material, personnel, and air transportation
  • Ministries of Defense
  • Ministries of Foreign Affairs
  • Ministries of Internal Affairs
  • Ministries of the Economy

Zero-Day Exploit in Microsoft Outlook

With this vulnerability, Fighting Ursa conducted at least two campaigns that were made public. The first took place in March 2022, and the second took place in March 2023, between March and December 2022.

Researchers from Unit 42 have uncovered a third, current campaign in which Fighting Ursa exploited this vulnerability as well. The group’s most current effort, which targeted at least nine organizations across seven countries, was executed between September and October of 2023.

APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy, or Sednit are other names for Fighting Ursa, a group connected to Russian military intelligence that is well-known for focussing on targets of Russian interest, particularly those with military significance.

Russia’s military intelligence unit 26165, the 85th Special Service Centre (GTsSS) of the General Staff Main Intelligence Directorate (GRU), has been credited with fighting Ursa.

Fighting Ursa sent an email with the first known example of an exploit targeting the State Migration Service of Ukraine by leveraging the CVE-2023-23397 vulnerability, which at the time was a publicly unknown zero-day exploit.

CVE-2023-23397 is a vulnerability in the Windows Microsoft Outlook client that can be exploited by sending a specially crafted email that triggers when the Outlook client processes it. The exploit requires no user activity to be activated.

Malicious task request sent to Montenegrin Ministry of Defense account

“Successful exploitation of Microsoft Outlook using this vulnerability results in a relay attack using Windows (New Technology) NT LAN Manager (NTLM) as described in our threat brief for CVE-2023-23397”, researchers said.

For two main reasons, researchers link Fighting Ursa to the actions within these campaigns:

  • The Russian military appears to value the intelligence gathered from the targeted victims of these activities.
  • Similar to earlier Fighting Ursa efforts, all of the campaigns harvested NTLM authentication messages from victim networks by using co-opted Ubiquiti networking devices.


  • Pay attention to these attack strategies
  • Address this vulnerability
  • Set up endpoint security to prevent these kinds of malicious campaigns.
Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Palo Alto Networks PAN-OS Zero-day Under Active Attack

In a recent security alert, Palo Alto Networks has disclosed a critical vulnerability within its…

2 hours ago

DuckDuckGo Launches Privacy Pro : 3-In-1 Service With VPN

DuckDuckGo is a search engine that takes users' privacy seriously. It does not track or…

3 hours ago

Wiz to Acquire Gem Security for $350M to Address Cloud Security

Wiz, a leading cloud security company, has announced its acquisition of Gem Security for $350…

8 hours ago

Critical Bitdefender Vulnerabilities Let Attackers Gain Control Over System

Bitdefender GravityZone Update Server (versions 6.36.1, Endpoint Security for Linux, and Endpoint Security for…

8 hours ago

Ukrainian Hackers Hijacked 87,000 Sensors to Shut down Sewage System

Ukrainian hackers have successfully infiltrated and disabled a vast network of industrial sensors and monitoring…

9 hours ago

Zscaler Acquires Airgap Networks to Enhance Zero Trust SASE

Zscaler has announced the acquisition of Airgap Networks, a company renowned for its agentless segmentation…

11 hours ago