Russian state-sponsored actors mounted NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets around the world.
The attacks, attributed to an “aggressive” hacker team called APT28, set their sights on organizations dealing with foreign affairs, energy, defense and transport, as well as those involved in labor, social care, finance, parenting and local city councils.
Cybersecurity firm Trend Micro assessed these intrusions as a “cost-effective method of automating brute force cracking attempts into the networks” of its targets, noting that the attacker may have compromised thousands of email accounts over time.
APT28 is also tracked by the broader cybersecurity community under the names Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
The group, believed to have been active since at least 2009, is run by Russia’s GRU military intelligence service and has a proven track record of orchestrating spear-phishing attacks containing malicious attachments or strategic web compromises to trigger infection chains.
In April 2023, APT28 was implicated in attacks that exploited now-patched flaws in Cisco’s network equipment to conduct reconnaissance and deploy malware against selected targets.
The nation-state actor came under the spotlight in December for exploiting a privilege escalation flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) and a flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) to obtain a user’s Net-NTLMv2 hash and use it to mount an NTLM relay attack against another service, authenticating as that user.
An exploit for CVE-2023-23397 is said to have been used to target Ukrainian entities as early as April 2022, according to a March 2023 advisory from CERT-EU.
It has also been observed exploiting lures related to the ongoing war between Israel and Hamas to facilitate the distribution of a custom backdoor called HeadLace, as well as targeting Ukrainian government entities and Polish organizations with phishing messages designed to deploy backdoors and information stealers such as OCEANMAP, MASEPIE and STEEL HOOK.
One of the significant aspects of the threat actor’s attacks is its continuous effort to improve its operational tradecraft by refining and modifying its approaches to evade detection.
This includes adding layers of anonymization such as VPN services, Tor, data center IP addresses, and compromised EdgeOS routers to perform scanning and probing tasks. Another tactic involves sending spear phishing messages from compromised email accounts via Tor or VPN.
“Pawn Storm also uses EdgeOS routers to send spear-phishing emails, perform callbacks of CVE-2023-23397 exploits in Outlook, and proxy credential theft on credential phishing websites,” said security researchers Feike Hacquebord and Fernando Merces.
“Part of the group’s post-exploitation activities involve changing the permissions of folders within the victim’s inbox, leading to increased persistence,” the researchers said. “Using the victim’s email accounts, lateral movement is possible by sending additional malicious emails from within the victim’s organization.”
It is currently unknown whether the threat actor has hacked these routers or is using routers already compromised by a third-party actor. That said, it is estimated that no fewer than 100 EdgeOS routers have been infected.
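The inbox folder permission changes described above leave a trail in mailbox audit logs, which is the practical place for a defender to catch this persistence step. The following is an added illustrative detection example, not code from Trend Micro, the researchers, or the article. It assumes a simplified newline-delimited JSON audit record layout (fields `Operation`, `UserId`, `ClientIP`, `Folder`, `Principal`, `Rights`); real Exchange or Microsoft 365 audit exports use other field names and must be mapped first. The sample records, IP addresses and mailbox names are constructed.

```python
"""Flag suspicious mailbox folder-permission changes in audit records.

Added, illustrative detection logic; not code from Trend Micro or the article.
The record layout is an ASSUMED, simplified schema (one JSON object per line
with Operation, UserId, ClientIP, Folder, Principal, Rights). Real Exchange or
Microsoft 365 audit exports use different field names, so map them first.
"""
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample records (not real data). Two entries grant non-empty rights
# on a mailbox's Inbox or root folder to the built-in "Default"/"Anonymous"
# principals, which hands any user persistent read access to that mailbox.
SAMPLE_AUDIT_LOG = """
{"Operation": "UpdateFolderPermissions", "UserId": "alice@example.test", "ClientIP": "203.0.113.10", "Folder": "Inbox", "Principal": "Default", "Rights": "Owner"}
{"Operation": "UpdateFolderPermissions", "UserId": "bob@example.test", "ClientIP": "198.51.100.7", "Folder": "Calendar", "Principal": "carol@example.test", "Rights": "Reviewer"}
{"Operation": "UpdateFolderPermissions", "UserId": "dave@example.test", "ClientIP": "203.0.113.10", "Folder": "Root", "Principal": "Anonymous", "Rights": "Reviewer"}
{"Operation": "UpdateFolderPermissions", "UserId": "erin@example.test", "ClientIP": "192.0.2.44", "Folder": "Inbox", "Principal": "Default", "Rights": "None"}
{"Operation": "MailItemsAccessed", "UserId": "alice@example.test", "ClientIP": "203.0.113.10", "Folder": "Inbox"}
"""

# Principals meaning "everyone in the org" / "everyone" rather than a named delegate.
BROAD_PRINCIPALS = {"default", "anonymous"}
# Folders whose exposure gives an intruder ongoing access to the whole mailbox.
SENSITIVE_FOLDERS = {"inbox", "root"}


def parse_records(text: str) -> List[Dict]:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_broad_folder_grants(records: List[Dict]) -> List[Dict]:
    """Return permission changes that grant non-empty rights on a sensitive
    folder to a broad principal. Rights of "None" (the normal value for
    Default/Anonymous) are ignored, so revoking access does not alert."""
    findings = []
    for rec in records:
        if rec.get("Operation") != "UpdateFolderPermissions":
            continue
        if rec.get("Principal", "").lower() not in BROAD_PRINCIPALS:
            continue
        if rec.get("Folder", "").lower() not in SENSITIVE_FOLDERS:
            continue
        if rec.get("Rights", "None").lower() == "none":
            continue
        findings.append({
            "mailbox": rec["UserId"],
            "client_ip": rec.get("ClientIP"),
            "folder": rec["Folder"],
            "principal": rec["Principal"],
            "rights": rec["Rights"],
        })
    return findings


def mailboxes_per_client_ip(findings: List[Dict]) -> Dict[str, List[str]]:
    """Group flagged mailboxes by the client IP that changed them. One address
    touching several mailboxes looks like an automated post-exploitation step
    rather than a user adjusting their own sharing settings."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f["client_ip"]].append(f["mailbox"])
    return dict(by_ip)


if __name__ == "__main__":
    hits = find_broad_folder_grants(parse_records(SAMPLE_AUDIT_LOG))
    for h in hits:
        print(f"ALERT {h['mailbox']}: {h['principal']} -> {h['rights']} "
              f"on {h['folder']} from {h['client_ip']}")
    for ip, boxes in mailboxes_per_client_ip(hits).items():
        if len(boxes) > 1:
            print(f"NOTE {ip} modified {len(boxes)} mailboxes: {', '.join(boxes)}")
```

Run on the constructed log, the script flags the two grants to `Default` and `Anonymous` on Inbox/root, ignores the named-delegate calendar share and the `None` grant, and notes that one client address changed two different mailboxes. In production the same two signals (broad principal on a sensitive folder, one source touching many mailboxes) are worth alerting on independently, since the second also catches mass inbox-rule or delegation changes.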
Additionally, recent credential harvesting campaigns against European governments have used fake login pages that mimic Microsoft Outlook and are hosted on webhook[.]site URLs, a technique previously attributed to the group.
An October 2022 phishing campaign, however, singled out embassies and other high-profile entities to deliver a “simple” email information stealer that captured files matching specific extensions and exfiltrated them to a free file-sharing service named Keep.sh.
“The volume of repetitive, often crude and aggressive campaigns drowns out the silence, subtlety, and complexity of the initial intrusion, as well as the post-exploitation actions that may occur once Pawn Storm takes hold in victim organizations,” the researchers said.
The development comes as Recorded Future News revealed an ongoing hacking campaign undertaken by Russian actor COLDRIVER (aka Calisto, Iron Frontier or Star Blizzard) impersonating researchers and academics to redirect potential victims to credential harvesting pages.