APT28 NTLM Relay Attacks

Over the past month, APT28, also known as Fancy Bear, was reported to be using NTLM relay attacks to target high-value organizations globally. This Russian state-sponsored group, tied to the GRU’s Unit 26165, focused on sectors including foreign affairs, energy, defense, and finance. The attacks exploited weaknesses in the NTLM authentication protocol to harvest credentials and infiltrate networks. This campaign, documented by Trend Micro and others, ran from April 2022 to November 2023, with details emerging in early 2024.

APT28’s method involved compromising an initial system, often through phishing or watering hole attacks. Once inside, they leveraged NTLM relay techniques to capture Net-NTLMv2 hashes. These hashes were then used to authenticate to other systems, escalating privileges and accessing sensitive data. The group exploited vulnerabilities like CVE-2023-23397 (Microsoft Outlook privilege escalation) and CVE-2023-38831 (WinRAR code execution) to trigger NTLM authentication requests to attacker-controlled servers. They layered anonymization through compromised EdgeOS routers, VPNs, and data center IPs to cover their tracks.

The targets were predictable: government agencies, critical infrastructure, and financial institutions. Trend Micro noted thousands of email accounts potentially compromised over the campaign’s duration. The February 2, 2024, report from The Hacker News confirmed APT28’s focus on automating brute-force network intrusions, a cost-efficient tactic for a group with a long espionage resume. Data stolen included intellectual property and operational records, with national security implications for affected entities.

On February 15, 2024, the U.S. Department of Justice disrupted an APT28 botnet of Ubiquiti routers used for spear-phishing and credential harvesting. This takedown, detailed by Flashpoint, hit infrastructure likely tied to these NTLM relay efforts. Despite this, APT28’s adaptability—honed since their 2008 debut—suggests they’ve already pivoted. Their history (supposedly) includes the 2016 DNC hack and the 2017 NotPetya attack, so this isn’t their first rodeo.

Fancy Bear’s out here proving NTLM’s the cybersecurity equivalent of a screen door on a submarine—patch it or drown, folks. Defenses exist but require effort. Disabling NTLM where possible, enforcing multi-factor authentication, and segmenting networks limit damage. Patching systems for known exploits like CVE-2023-23397 is non-negotiable—yet many still lag, because who doesn’t love a good zero-day surprise?

The campaign’s scale and persistence reflect APT28’s resources and strategic goals, likely aligned with Russian military intelligence priorities. They’re not subtle—Trend Micro called their tactics “crude and aggressive”—but subtlety’s overrated when you’ve got state backing and a knack for exploiting human laziness. Hey, APT28, maybe send a phishing email that doesn’t scream ‘I’m a Kremlin intern’ next time.

This incident underscores a broader 2024 trend, which I can see growing into 2025 and beyond: APTs doubling down on old protocols with new tricks. Most infrastructure stays the same for decades, while new applications keep being built on top of it. Organizations hit included those in Europe, the Americas, and Asia, per X posts. Mitigation requires diligence—monitor NTLM traffic, enforce signing on SMB/LDAP, and pray your staff don’t click the bait. APT28’s not slowing down; they’re just warming up for the next hash grab. “Sleep tight, sysadmins—Fancy Bear’s got your credentials on speed dial.”
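One concrete way to act on "monitor NTLM traffic" is to cross-check every NTLM network logon against an asset inventory: if an account's credentials arrive from an IP other than the one its named workstation holds, something sat in the middle. The script below is an added example, not code from the original post or from any vendor report; the inventory, the event records modelled on Windows Security event 4624, and the field names are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory (assumption): workstation name -> the IP it should hold.
INVENTORY = {
    "WS-FINANCE-01": "10.1.20.15",
    "WS-ENERGY-07": "10.1.30.42",
}

# Constructed records modelled on Security event 4624 (LogonType 3 = network).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "jdoe",
     "WorkstationName": "WS-FINANCE-01", "IpAddress": "10.1.20.15"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "jdoe",
     "WorkstationName": "WS-FINANCE-01", "IpAddress": "203.0.113.9"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "asmith",
     "WorkstationName": "WS-ENERGY-07", "IpAddress": "10.1.30.42"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "TargetUserName": "svc-backup",
     "WorkstationName": "", "IpAddress": "10.1.30.42"},
]

@dataclass
class Finding:
    user: str
    source_ip: str
    reason: str

def find_suspect_ntlm_logons(events, inventory):
    """Flag NTLM network logons that look relayed or that still use NTLMv1."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos logons are out of scope for this check
        user, ip, ws = ev["TargetUserName"], ev["IpAddress"], ev["WorkstationName"]
        expected = inventory.get(ws)
        if not ws:
            # An empty client name removes the only cross-check, so flag it
            findings.append(Finding(user, ip, "no workstation name on NTLM logon"))
        elif expected and expected != ip:
            # The named workstation's user is arriving from another IP: relay signal
            findings.append(Finding(user, ip, f"source {ip} is not {ws}'s inventoried {expected}"))
        if ev.get("LmPackageName") == "NTLM V1":
            findings.append(Finding(user, ip, "NTLMv1 in use"))
    return findings
```

WorkstationName is supplied by the client and can be blank or spoofed, so a mismatch is a lead to investigate rather than proof of relay; SMB and LDAP signing remain the preventive control that stops the relayed session from being accepted at all.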