Research Saturday 12.16.23
Ep 310 | 12.16.23

Shedding light on Fighting Ursa.


Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner. And this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. Today on Research Saturday, our Threat Vector host David Moulton is bringing us an exclusive interview with Unit 42's Michael Sikorski to discuss Russian APT Fighting Ursa, otherwise known as APT28, a group linked to Russia's military intelligence, exploiting a previously unknown vulnerability in Microsoft Outlook. The conversation focuses on the intricacies of these campaigns, the nature of the targeted organizations, and the broader implications of such a pervasive cyberthreat.

David Moulton: I'm here with Mike "Siko" Sikorski, the CTO and VP of engineering for Unit 42 to talk about new threat intelligence on Fighting Ursa, AKA APT28, a group associated with Russia's military intelligence. And how they're exploiting a Microsoft Outlook vulnerability (CVE-2023-23397) to target organizations in NATO member countries like Ukraine, Jordan, and the UAE. These organizations are of strategic importance in defense, foreign affairs, economy, energy, transportation, and telecommunications. Siko, thanks for joining me today. The Unit 42 team has been busy lately publishing a lot on APTs, and today I wanted to talk to you about the Russian APT Fighting Ursa and the covert campaign that our researchers uncovered. First, give our listeners a snapshot of Fighting Ursa.

Michael Sikorski: Yes. So Fighting Ursa, they're also -- that's what we call them. Others also call them APT28 as well as Fancy Bear. And they are well-known for their focus on targets of Russian interest. And they've been attributed specifically to Russians -- Russia's General Staff Main Intelligence Directorate, also known as the GRU, and that's a military intelligence unit within the government there.

David Moulton: One of the things that the team published on was CVE-2023-23397. And I want to know, why is that CVE, that vulnerability, so significant?

Michael Sikorski: Yeah, so this vulnerability was in Microsoft's Outlook product. And we actually observed this group using this vulnerability over a long period of time -- the past 20 months, in fact -- to target several different entities and nations of strategic value to Russia. And the fact that it was so long, it was before it was actually patched by Microsoft. So they had this while it was a zero-day, they were leveraging it. Then it was discovered and subsequently patched by Microsoft, and then shipped out as a patch, and furthermore, they still continued to leverage this vulnerability long into the future, which shows you that not everybody has made the patches that they need to in their software. Now, getting into the technical details on this vulnerability in Outlook, it is a privilege escalation vulnerability. And the really -- I think the most concerning aspect of the vulnerability is that exploitation does not require any sort of user interaction at all. In fact, what it does is it sends you a meeting invite, and then when that meeting invite eventually, you know, comes to be and it actually, you know, triggers an alert to, you know -- you know, the normal ding you get when you have a calendar reminder. That's when the actual exploitation takes place. And it ends up causing a leakage of, you know, hashes that are called NTLM hashes that can be leveraged by an attacker to get privileges that they don't actually have. Also, the scary part of this is it typically is happening inside someone's network. So this is happening, you know, either local on someone's computer or on the place where they're doing email, and it's hard to tell if somebody is vulnerable to this from the outside. So it's more about, you know, are they patched or not on the inside. And clearly, not enough people have made the patches here.

David Moulton: Can you talk about the types of organizations or countries that were targeted by Fighting Ursa and why?

Michael Sikorski: So they've been targeting organizations, NATO organizations, and other nations, as well. Obviously, Ukraine is one of them. But then they actually are also targeting members of NATO. And the attackers targeted at least one NATO country, and also outside of the government organizations they focused very much on targeting critical infrastructure-related organizations with ties to energy, transportation, telecommunications, and anything in the military-industrial base. You know, targeted organizations within those countries, we're talking ministries of defense, ministries of foreign affairs, ministries of the economy, and then even pipeline operations and energy production, as well.

David Moulton: Given the targets, how dangerous is a no-touch exploit like this?

Michael Sikorski: It's pretty scary, right? The ability to compromise somebody with a simple calendar invite is why this is such a critical vulnerability. I mentioned that this vulnerability can be leveraged to get somebody's credentials, right, and you get their access. But what that also enables you to do means that you then have access to somebody's inbox. What can you do from there? Well, then you can further spread this same vulnerability to others within the organization. And right now, most of the attacks are going to be coming from an email address outside your organization in order to trigger that calendar invite inside your organization. However, if somebody gets access inside and onto your -- you know, somebody's email account, they could then send invites all over the company from that person, which gives it a lot more likelihood that, you know, it gets undetected. And then they can use that to leverage and compromise people throughout the entire organization. In other words, all they need to do is be successful with one of these exploits in your network and then they could leverage that to cause a much more massive compromise and get more higher value targets across your company.

David Moulton: How can organizations protect themselves against something that sounds so sophisticated?

Michael Sikorski: Well, number one, there's a patch app. So the first thing you need to do is upgrade your devices. Upgrade your Outlook, patch your -- everything that you have that's -- that's Microsoft for mail here and you'll be good -- good to go. That's the first step. The other thing you can do is make sure that you have things in place. For example, you know, when are you accepting meeting invites from outside the network? And, you know, can you detect this otherwise, right? And there are detections that we have put in place in our security products that we'll realize that -- that this is coming in and looking the way it does. Where, you know, there is an actual signature to be able to detect this type of attack, as well. So a combination of patching and a combination of looking for evidence that this was in your network I think is another good thing. For example, can you historically go through the inboxes on your network to see if maybe somebody was infected with this earlier in time, and then make sure that, you know, if it did, you actually open up an investigation and see if anything else has happened on your network?

Dave Bittner: Stick around. We'll be right back.

David Moulton: What about limiting the lateral movement if the attack is successful?

Michael Sikorski: Yeah, it's all about defense in depth, right? So, you know, I always like to reference another Russian attack which was SolarWinds. In that case, it was APT29, a slightly different group within the Russian government. However, they did -- when they did SolarWinds, you know, it was catchable by everybody. Even though it was a great backdoor into networks, the pivot from that fancy supply chain backdoor to start moving laterally across the network was something everybody could have detected. It resulted in malware dropped on the system and even -- even activity on the network that could have been detected. So there was a lot of misses when it comes to these things that aren't just the initial, you know, scary attack. In this case, a zero-day vulnerability in Outlook. In SolarWinds' case, a supply chain attack. Those things are hard to protect against -- you know, protect against. Like, you know, having zero-day protection at all times, having supply chain protection at all times is not necessarily realistic, right? And people also have priorities on how fast they can patch these things even when there is a patch released. And that's why defense in depth is really important, because you want to catch the lateral movement, the other activity they're doing on the network, and really figure that out as quick as possible because it's almost -- it's really difficult to protect against all these different types of attacks, especially zero-days and supply chain.

David Moulton: What lessons can be learned by the handling of this vulnerability by the various stakeholders?

Michael Sikorski: I think the big thing is that it's still being leveraged by Fighting Ursa to have success at compromising organizations, which means that we're still behind the curve when it comes to -- you know, this isn't a zero-day anymore, and yet they're still using it, which means they're still having success with it. Because they would have pivoted to something else, right? If you have a zero-day, that's -- that's amazing for them, right, as an attacker. You can leverage that, it's not patched, everybody is sitting ducks. But even after a patch has gone out, they've spent a lot of time still using it, which means that it's still successful. And who knows how much longer it will be. And therefore, it's -- you know, it's a lesson in -- we're still not well-prioritizing the rapid speed at which we're patching things. And so, you know, that's -- you know, that's the lesson here.

David Moulton: Siko, what are the implications of these cyberattacks for NATO member countries?

Michael Sikorski: I think all the NATO countries, you know, they're -- we've actually discovered research earlier in the year from Russia where they were targeting the embassies and missions within Ukraine. This is a very similar scenario here, where they're taking a look at the NATO countries who might be interacting in the region and are participating or aiding Ukraine, and making sure they get their hooks in as many different places as they can so that they can have the best outcome possible for themselves in that war. So, you know -- therefore, as a NATO member country, you've got to assume that groups like Fighting Ursa are coming after you, and already have come after you. And therefore it's really important to kind of -- not just patch, but to actually go back and hunt and look through and make sure that they're not currently in your network.

David Moulton: What future trends might we expect in state-sponsored cyberwarfare and intelligence gathering?

Michael Sikorski: Yeah, I think the two biggest areas that I would focus on in that regard is insider threat. Something that we're seeing, you know, other nation states leverage or have leveraged for quite some time is the insider threat capability, right, where they embed somebody in an organization and leverage that to be able to conduct espionage or otherwise. And then the other is the supply chain. I think we've already seen Russia have success with SolarWinds, right? Unfortunately for them, they lost that capability going into the war in Ukraine, but it's not farfetched that other nation-states are trying their best to mount or build up another supply chain attack of a similar scale. So those are two of the areas that I would really see as a growing concern. And, therefore, you know, focusing on -- you can't really monitor those things at the perfect level, right? You can't see every single thing your employees are doing. You can't look at every single line of code of the supply chain coming into your network. All that software that you're installing. It's unrealistic to kind of go through it all to find the few lines of code that are actually the backdoor for a nation-state threat. And, instead, you really have to focus on what are the things you can do. Well, you could monitor, you can defense in depth, you could apply zero trust, you could sift through alerts better using artificial intelligence. And so those are the types of areas that I see it going.

David Moulton: Mike, last question before I let you go. Given the targeting of industrial systems, what is the likelihood of real-world damage or disruption?

Michael Sikorski: I think it's possible. I mean, I think that Russia was turning the lights off in Ukraine well before this war happened. In fact, they used it as sort of a playground to do things like that. And I think there's still some surprise in the world that, hey, the lights haven't gone off there, or worldwide, to an extent that we really thought would happen if they unleashed the full capability they have. Especially seeing -- seeing the capability they had first-hand going into Ukraine, right, with SolarWinds. If they had a capability like that, what is -- what is the full -- full magnitude that they could? So, you know, the fact that they are targeting industrial control systems, energy plants, you name it, to be able to -- with this attack, with this vulnerability, I think it's possible. And I know that there is a lot of growing concern for that, but the fact that we haven't seen it yet is somewhat a surprise relative to how much we've seen targeted.

David Moulton: Siko, thanks for going deeper on the threat intel Unit 42 published on Fighting Ursa with the Research Saturday audience. We'll be following up on this research and quite a bit of other research that your team has published out on the Unit 42 Threat Research Center on Threat Vector. If you're interested in reading the full brief Siko discussed today, go to unit42.paloaltonetworks and look for Fighting Ursa AKA APT28 - Illuminating A Covert Campaign.

Dave Bittner: That's Mike "Siko" Sikorski. He was interviewed by David Moulton, host of the Threat Vector segment which you can hear every other Thursday on the CyberWire Daily podcast. We hope you will check that out. The CyberWire Research Saturday podcast is a production of N2K Networks. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin. With mixing by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.