Russian GRU Hackers Compromised German, Czech Targets

Summary: This content discusses a cyberwarfare and nation-state attack carried out by APT28, targeting political parties and critical infrastructure in Germany and the Czech Republic.

Threat Actor: APT28 | APT28
Victim: German and Czech governments | German and Czech governments

Key Point :

  • The German and Czech governments have revealed that Russian military intelligence hackers, known as APT28, conducted a cyber espionage campaign targeting political parties and critical infrastructure.

Cyberwarfare / Nation-State Attacks
Fraud Management & Cybercrime

APT28 Used Microsoft Outlook Zero-Day, Governments Said

Russian GRU Hackers Compromised German, Czech Targets
The German and Czech governments disclosed a Russian military intelligence hacking campaign. (Image: Shutterstock)

The German and Czech governments on Friday disclosed that Russian military intelligence hackers targeted political parties and critical infrastructure as part of an espionage campaign that began last year.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

In a rare public disclosure on Friday, the Federal Ministry of the Interior and Community attributed a cyber campaign that targeted the members of the German Social Democratic Party to a hacking unit of the Russian General Staff Main Intelligence Directorate, better known as the GRU. The threat actor is tracked under the monikers APT28, Fancy Bear, Strontium, and Forest Blizzard.

The German ministry, known as BMI for its German acronym, said Russian hackers used an unidentified zero-day vulnerability in Microsoft Outlook. In addition to politicians, the group targeted IT networks of government offices, especially in the energy supply sector, and private companies working in the logistics, armaments, aerospace and IT services in the country, the agency said.

“The federal government considers the cyberattack on the government party SPD as a serious encroachment on democratic structures,” the ministry said. “The attacks are a focal point of the attacks concerning Russia’s war of aggression in violation contrary to international law.”

On Friday, the Czech Republic government acknowledged the group was behind attacks on its critical infrastructure and organizations using the Outlook zero-day that began in 2023.

Following the recent disclosure, the German Foreign Ministry summoned a top Russian envoy. On Friday, the European Union and NATO condemned the attacks on the European countries and urged Moscow to abide by international obligations. The U.S. Department of State said Thursday in a statement that it “strongly condemns” the hacks.

“The malicious cyber campaign shows Russia’s continuous pattern of irresponsible behavior in cyberspace. The EU will not tolerate such malicious behavior,” the EU said in a statement.

NATO said the APT28 activities included sabotage, cyber and electronic interference, and campaigns that recently affected Estonia, Lithuania, Poland, Slovakia and Sweden (see: Moscow Military Hackers Used Microsoft Outlook Vulnerability).

Neither the German nor Czech governments disclosed the details of the Outlook vulnerability exploited by the group. U.S. intelligence agencies in February said APT28 likely carried out attacks against other central European governments by exploiting a flaw Microsoft patched in March 2023. The vulnerability, tracked as CVE-2023-23397, allowed hackers to trigger Windows into transmitting hashed passwords by sending a backdated Microsoft Outlook appointment request containing a parameter for the sound the email client should play when the appointment is overdue.

John Hultquist, chief analyst at Google Mandiant, said the latest activities of the group indicate it is “not limited to any one party or country.”

“This is a reminder that Western politicians with geopolitical insight are a prime target for espionage. With several upcoming elections, politicians and parties everywhere should be on alert,” Hultquist said.

Microsoft did not immediately respond to a request for comment.


“An interesting youtube video that may be related to the article above”