Russian GRU Hackers Target Polish Outlook Inboxes

Military Intelligence Exploits Microsoft Flaw Patched In March
Russian military intelligence hackers are exploiting unpatched Microsoft Outlook systems. (Image: Shutterstock)

Russian military intelligence hackers active in Poland are exploiting a patched flaw in Microsoft Outlook, said cyber defenders from Redmond and Warsaw.

Microsoft in a Monday post identified the hackers as Forest Blizzard, also known as APT28 and Fancy Bear.

U.S. and British intelligence have assessed that Forest Blizzard is "almost certainly" part of the Russian General Staff Main Intelligence Directorate, better known as the GRU.

Polish Cyber Command said on Sunday that it had detected "malicious actions against public and private entities."

Relations between Poland and Russia further deteriorated following the Kremlin's February 2022 invasion of Ukraine, and Poland acted as a staging ground for military aid and refugees. Former Russian President Dmitry Medvedev reportedly wrote on Sunday that Moscow considers Poland to be a "dangerous enemy" and warned that its actions "could lead to the death of Polish statehood in its entirety."

The flaw, tracked as CVE-2023-23397, is a Microsoft Outlook elevation of privilege vulnerability. It allows a remote, unauthenticated attacker to send a specially crafted email that leaks the targeted user's hashed Windows account password, which the attacker can then use to authenticate to other systems. This type of attack is known as Pass the Hash. Attackers are also using password-spraying attacks to gain access, a technique in which hackers attempt to log in to multiple accounts with the same password.
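For defenders, password spraying as described above shows up in sign-in logs as one source failing against many accounts with only a try or two per account. The following detection sketch is an added example, not from the article or from Microsoft or Polish Cyber Command; the event format, thresholds, IP addresses and account names are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed sign-in events: (ISO timestamp, source IP, account).
SAMPLE_FAILURES = (
    # One source, six accounts in five minutes, one try each: a spray.
    [(f"2023-12-03T08:0{i}:00", "198.51.100.7", f"user{i:02d}") for i in range(6)]
    # One source hammering a single account: brute force, not a spray.
    + [(f"2023-12-03T09:00:{i:02d}", "203.0.113.9", "user00") for i in range(8)]
    # Slow spray: one account per hour, invisible to a short window.
    + [(f"2023-12-03T{10 + i}:00:00", "192.0.2.44", f"user{10 + i}") for i in range(5)]
)

def detect_spray(failures, window=timedelta(minutes=30),
                 min_accounts=5, max_per_account=2):
    """Return {source: sorted accounts} for sources that, inside one sliding
    window, fail against at least min_accounts distinct accounts while trying
    no single account more than max_per_account times (wide and shallow)."""
    by_source = defaultdict(list)
    for ts, src, acct in failures:
        by_source[src].append((datetime.fromisoformat(ts), acct))

    hits = {}
    for src, events in by_source.items():
        events.sort()
        win = deque()              # events currently inside the window
        counts = defaultdict(int)  # account -> failures inside the window
        for ts, acct in events:
            win.append((ts, acct))
            counts[acct] += 1
            # Evict events older than the window; the newest event always stays.
            while ts - win[0][0] > window:
                _, old = win.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                hits[src] = sorted(set(hits.get(src, [])) | set(counts))
    return hits

if __name__ == "__main__":
    print("30-minute window:", detect_spray(SAMPLE_FAILURES))
    print("6-hour window:  ", detect_spray(SAMPLE_FAILURES, window=timedelta(hours=6)))
```

The slow source is only caught with the wider window, so the window length has to be tuned against how patiently the attacker paces attempts. A shared egress address such as a corporate NAT can also trip the rule.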

Polish Cyber Command said the hackers modify the permissions of high-value hacked Outlook inboxes to make messages visible to other Exchange group users as a way of maintaining access should they lose direct access. Hackers also use the Outlook API, Microsoft Exchange Web Services, to exfiltrate the contents of those high-value inboxes.

Microsoft patched the flaw in March. Threat intel firm Mandiant at the time warned that GRU hackers had been exploiting the vulnerability for nearly a year, deploying it against government agencies and logistics, oil, defense and transportation industries located in Poland, Ukraine, Romania and Turkey (see: Microsoft Fixes Russia-Exploited Zero-Day).


About the Author

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.



