{
	"id": "e0b4a883-b032-4713-a5f0-a7d154806d78",
	"created_at": "2026-04-06T01:30:37.064714Z",
	"updated_at": "2026-04-10T03:37:49.771767Z",
	"deleted_at": null,
	"sha1_hash": "197bb3dd36a76820d554f43ee4695bc49849907d",
	"title": "Fighting Ursa Aka APT28: Illuminating a Covert Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 315648,
	"plain_text": "Fighting Ursa Aka APT28: Illuminating a Covert Campaign\r\nBy Unit 42\r\nPublished: 2023-12-07 · Archived: 2026-04-06 00:26:54 UTC\r\nExecutive Summary\r\nEarly this year, Ukrainian cybersecurity researchers found Fighting Ursa leveraging a zero-day exploit in\r\nMicrosoft Outlook (now known as CVE-2023-23397). This vulnerability is especially concerning since it doesn’t\r\nrequire user interaction to exploit. Unit 42 researchers have observed this group using CVE-2023-23397 over the\r\npast 20 months to target at least 30 organizations within 14 nations that are of likely strategic intelligence value to\r\nthe Russian government and its military.\r\nDuring this time, Fighting Ursa conducted at least two campaigns with this vulnerability that have been made\r\npublic. The first occurred between March-December 2022 and the second occurred in March 2023.\r\nUnit 42 researchers discovered a third, recently active campaign in which Fighting Ursa also used this\r\nvulnerability. The group conducted this most recent campaign between September-October 2023, targeting at least\r\nnine organizations in seven nations.\r\nOf the 14 nations targeted throughout all three campaigns, all are organizations within NATO member countries,\r\nexcept for entities in Ukraine, Jordan and the United Arab Emirates. 
These organizations included critical\r\ninfrastructure and entities that provide an information advantage in diplomatic, economic and military affairs.\r\nTarget organizations included those related to:\r\nEnergy production and distribution\r\nPipeline operations\r\nMateriel, personnel and air transportation\r\nMinistries of Defense\r\nMinistries of Foreign Affairs\r\nMinistries of Internal Affairs\r\nMinistries of the Economy\r\nFighting Ursa (aka APT28, Fancy Bear, Strontium/Forest Blizzard, Pawn Storm, Sofacy or Sednit) is a group\r\nassociated with Russia’s military intelligence and is well known for its focus on targets of Russian interest,\r\nespecially those of military interest. Fighting Ursa has been attributed to Russia's General Staff Main\r\nIntelligence Directorate (GRU) 85th Main Special Service Centre (GTsSS), military intelligence Unit 26165.\r\nWe are publishing this research to highlight Fighting Ursa's continued use of this vulnerability in multiple campaigns\r\ndespite its tactics having been publicized by security industry research documenting this activity. 
High-risk\r\norganizations and nations using Microsoft Outlook should patch CVE-2023-23397 immediately and ensure\r\nappropriate configuration to defend against future attacks (Microsoft's guidance for this CVE includes blocking\r\noutbound SMB/TCP 445 at the perimeter and adding privileged accounts to the Protected Users security group).\r\nhttps://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/\r\nPage 1 of 6\n\nPalo Alto Networks customers receive protection with the following products against the types of threats\r\ndiscussed in this blog:\r\nCortex XDR\r\nAdvanced WildFire\r\nAdvanced URL Filtering\r\nAdvanced Threat Prevention\r\nAdvanced DNS Security subscription services for the Next-Generation Firewall\r\nOrganizations can engage the Unit 42 Incident Response team for specific assistance with this threat and\r\nothers.\r\nRelated Unit 42 Topics: Russia, Ukraine\r\nFighting Ursa APT Group\r\nAKAs\r\nAPT28, UAC-0001, Fancy Bear, Strontium / Forest Blizzard, Pawn Storm,\r\nSofacy, Sednit\r\nCVE-2023-23397: A Brief Overview\r\nPrior to the conflict in Ukraine, Fighting Ursa had established a reputation for its hacking in support of Russia’s\r\ninformation warfare operations. This support includes the following efforts:\r\nCountering Olympic anti-doping investigation narratives\r\nSubverting an investigation into the use of chemical agents in an assassination attempt by the GRU in\r\nGreat Britain\r\nInfluencing democratic election processes in the United States, France and Germany\r\nLess well known internationally are Fighting Ursa’s hacking campaigns from the lead-up to Russia’s\r\ninvasion of Ukraine through today.\r\nOn Feb. 24, 2022, Russia initiated a full-scale armed invasion of Ukraine. 
Three weeks later (March 18, 2022),\r\nFighting Ursa emailed the first known instance of an exploit for the CVE-2023-23397 vulnerability (then an\r\nundisclosed zero-day) to target the State Migration Service of Ukraine.\r\nFighting Ursa continued to use this vulnerability as part of its targeting strategy even after Ukrainian cybersecurity\r\nresearchers discovered the exploit and Microsoft publicly attributed its use to “a Russia-based threat actor” on\r\nMarch 14, 2023, when issuing a patch for the vulnerability.\r\nOverall, Unit 42 researchers have observed three distinct Fighting Ursa campaigns associated with this CVE:\r\nZero-day campaign (initial campaign prior to discovery): March 18-Dec. 29, 2022\r\nSecond campaign (post-identification of CVE): March 15-29, 2023\r\nThird campaign: Aug. 30-Oct. 11, 2023\r\nFigure 1 shows Fighting Ursa’s last observed attempt to use CVE-2023-23397 in a message sent to a Montenegrin\r\nMinistry of Defense account on Oct. 11, 2023. This message was sent from an account the actors had created on a\r\npublic mail service (portugalmail[.]pt).\r\nFigure 1. Malicious task request sent to Montenegrin Ministry of Defense account. SHA256\r\n4238c061102400fa27356266c6f677d1d7320f66f955a7f389eb24f10a49b53d.\r\nSuccessful exploitation of this vulnerability causes Microsoft Outlook to leak a Windows NT LAN Manager (NTLM)\r\nauthentication message that the attacker can relay, as described in our threat brief for CVE-2023-23397.\r\nNTLM is a challenge-response authentication protocol; unless signing or channel binding is enforced, a client's\r\nresponse can be relayed by an attacker to a server the client never intended to reach. Kerberos has therefore been\r\nthe default authentication protocol in Windows domains since Windows 2000. However, many Microsoft\r\napplications still use NTLM as a fallback protocol in cases where Kerberos is not feasible. 
Microsoft Outlook is\r\none such application.\r\nWhen a vulnerable or misconfigured Outlook client receives a specially crafted email exploiting CVE-2023-23397,\r\nOutlook initiates NTLM authentication to an attacker-controlled remote file share, with no user interaction.\r\nThe authentication message carries the user's Net-NTLMv2 response, a challenge-response value derived from the\r\npassword hash rather than the hash itself. Fighting Ursa forwards that response to other services in the victim's\r\nenvironment that accept NTLM, impersonating the victim to gain access and maneuver within the network.\r\nThis is commonly known as an NTLM relay attack; the captured response can also be cracked offline if the\r\npassword is weak.\r\nUnit 42 researchers attribute the activities within these campaigns to Fighting Ursa for two primary reasons:\r\n1. The targeted victims in these campaigns are all of apparent intelligence value to the Russian military.\r\n2. The campaigns all used co-opted Ubiquiti networking devices to harvest NTLM authentication messages\r\nfrom victim networks, which is consistent with previous Fighting Ursa campaigns.\r\nVictimology: A Study in Russian Targeting Priorities\r\nThe more than 50 observed samples in which Fighting Ursa targeted victims with CVE-2023-23397 provide\r\nunusually direct insight into Russian military intelligence priorities during wartime. Zero-day exploits are by\r\nnature valuable commodities for APTs. Threat actors only use these exploits when the rewards associated with the\r\naccess and intelligence gained outweigh the risk of public discovery of the exploit.\r\nUsing a zero-day exploit against a target indicates it is of significant value. It also suggests that existing access and\r\nintelligence for that target were insufficient at the time.\r\nIn the second and third campaigns, Fighting Ursa continued to use a publicly known exploit that was already\r\nattributed to them, without changing their techniques. 
This suggests that the access and intelligence generated by\r\nthese operations outweighed the ramifications of public outing and discovery.\r\nFor these reasons, the organizations targeted in all three campaigns were most likely a higher than normal priority\r\nfor Russian intelligence.\r\nThere are a few key takeaways when looking at the targets collectively, as shown in Figure 2:\r\n1. Other than Ukraine, all of the targeted European nations are current members of the North Atlantic Treaty\r\nOrganization (NATO)\r\n2. Attackers targeted at least one NATO Rapid Deployable Corps\r\n3. Outside of government organizations, attackers focused on targeting critical infrastructure-related\r\norganizations within the following sectors:\r\n1. Energy\r\n2. Transportation\r\n3. Telecommunications\r\n4. Information technology\r\n5. Military industrial base\r\nFigure 2. Observed targets of Fighting Ursa CVE-2023-23397 campaigns.\r\nConclusion\r\nIt is rare to have such a detailed understanding of an APT’s targeting priorities, especially an APT like Fighting\r\nUrsa whose mission mandate is to conduct attacks on behalf of Russia’s military.\r\nGovernments and critical infrastructure providers across NATO and European nations are encouraged to take the\r\nfollowing actions:\r\nTake note of these tactics\r\nPatch this vulnerability\r\nConfigure endpoint protections to block these types of malicious campaigns\r\nProtections and Mitigations\r\nCortex XDR customers who have Advanced API Monitoring enabled receive protection from exploitation\r\nattempts of CVE-2023-23397 using XDR Anti-Exploit protection.\r\nThe Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block\r\nthe attacks with best practices via the following Threat Prevention signatures: 93635, 93705 and 93584.\r\nMalicious URLs and IPs related to this activity are blocked by 
Advanced URL Filtering and DNS Security.\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated\r\nin light of the IoCs shared in this research.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\n5.199.162[.]132\r\n101.255.119[.]42\r\n181.209.99[.]204\r\n213.32.252[.]221\r\n168.205.200[.]55\r\n69.162.253[.]21\r\n185.132.17[.]160\r\n69.51.2[.]106\r\n113.160.234[.]229\r\n24.142.165[.]2\r\n85.195.206[.]7\r\n42.98.5[.]225\r\n61.14.68[.]33\r\n50.173.136[.]70\r\nAdditional Resources\r\nThreat Brief - CVE-2023-23397 - Microsoft Outlook Privilege Escalation - Unit 42, Palo Alto Networks\r\nCVE-2023-23397 Playbook of the week - Palo Alto Networks\r\nMicrosoft Outlook Elevation of Privilege Vulnerability: CVE-2023-23397 - Microsoft\r\nMicrosoft Mitigates Outlook Elevation of Privilege Vulnerability - Microsoft\r\nCampagnes d’attaques du mode opératoire APT28 depuis 2021 (Attack campaigns of the APT28 intrusion set since 2021) - CERT-FR\r\nU.S. 
Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation\r\nOperations - United States Department of Justice\r\nGrand Jury Indicts 12 Russian Intelligence Officers for Hacking Offenses Related to the 2016 Election -\r\nUnited States Department of Justice\r\nMacron campaign was target of cyber attacks by spy-linked group - Reuters\r\nFrom Espionage to Cyber Propaganda: Pawn Storm's Activities over the Past Two Years - Trend Micro\r\nSource: https://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/russian-apt-fighting-ursa-exploits-cve-2023-233397/"
	],
	"report_names": [
		"russian-apt-fighting-ursa-exploits-cve-2023-233397"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439037,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/197bb3dd36a76820d554f43ee4695bc49849907d.pdf",
		"text": "https://archive.orkl.eu/197bb3dd36a76820d554f43ee4695bc49849907d.txt",
		"img": "https://archive.orkl.eu/197bb3dd36a76820d554f43ee4695bc49849907d.jpg"
	}
}
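The NTLM relay mechanism described in the report text above (Outlook is lured into authenticating to an attacker-controlled file share, and the attacker reuses the response against another service) is illustrated by the following added example. It is not code from the Unit 42 article or from Microsoft. It computes a genuine NTLMv2 proof from a constructed NT hash, following MS-NLMP (NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)); NTProofStr = HMAC-MD5(NTOWFv2, server challenge + client blob)), then plays both sides of the exchange: the relay succeeds when the response is not bound to a service, fails when the client places the SPN it believes it is talking to inside the signed blob and the target enforces that binding, and cannot be repaired by the relay rewriting the SPN, because the proof covers the blob. The NT hash, account name, SPNs and the simplified blob layout (client nonce followed by the SPN, instead of the full AV_PAIR list) are assumptions made for this example.

```python
# Added example, not code from the Unit 42 article: why an NTLM challenge-response
# message can be relayed, and why binding the response to the intended service stops it.
# NTLMv2 proof computation follows MS-NLMP:
#   NTOWFv2    = HMAC-MD5(NT_hash, UTF-16LE(UPPER(user) + domain))
#   NTProofStr = HMAC-MD5(NTOWFv2, server_challenge + client_blob)
# The NT hash, names and SPNs are constructed test data; the blob layout is simplified
# (client nonce followed by the target SPN) rather than the full AV_PAIR structure.
import hashlib
import hmac
import os

NT_HASH = bytes.fromhex('8846f7eaee8fb117ad06bdd830b7586c')  # constructed; a real one is MD4(UTF-16LE(password))
USER, DOMAIN = 'jdoe', 'CORP'
NONCE_LEN = 8


def ntowfv2(nt_hash, user, domain):
    """Per-user NTLMv2 key derived from the NT hash (MS-NLMP 3.3.2)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode('utf-16le'), hashlib.md5).digest()


def client_response(server_challenge, target_spn=None):
    """What the victim client sends back. target_spn is the service the client
    believes it is talking to; None models a legacy client with no service binding."""
    blob = os.urandom(NONCE_LEN) + (target_spn or '').encode('utf-16le')
    key = ntowfv2(NT_HASH, USER, DOMAIN)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return {'user': USER, 'domain': DOMAIN, 'blob': blob, 'proof': proof}


class NtlmServer:
    """A service authenticating with NTLMv2 (it can reach the NT hash, as a DC can)."""

    def __init__(self, spn, enforce_binding):
        self.spn = spn
        self.enforce_binding = enforce_binding
        self.last_challenge = None

    def challenge(self):
        self.last_challenge = os.urandom(8)
        return self.last_challenge

    def verify(self, resp):
        key = ntowfv2(NT_HASH, resp['user'], resp['domain'])
        expected = hmac.new(key, self.last_challenge + resp['blob'], hashlib.md5).digest()
        if not hmac.compare_digest(expected, resp['proof']):
            return False  # proof mismatch: the blob or the challenge was tampered with
        if not self.enforce_binding:
            return True
        # Service binding: the SPN inside the signed blob must name this server.
        return resp['blob'][NONCE_LEN:].decode('utf-16le') == self.spn


def relay(target, spn_seen_by_client):
    """Attacker-in-the-middle: the victim was lured (as by CVE-2023-23397) into
    authenticating to the attacker's share; the attacker obtains a challenge from the
    real target, hands it to the victim, and forwards the victim's response unchanged."""
    ch = target.challenge()
    resp = client_response(ch, spn_seen_by_client)
    return target.verify(resp)


def relay_with_tampering(target, spn_seen_by_client):
    """The attacker tries to rewrite the SPN inside the blob so it names the target."""
    ch = target.challenge()
    resp = client_response(ch, spn_seen_by_client)
    resp['blob'] = resp['blob'][:NONCE_LEN] + target.spn.encode('utf-16le')
    return target.verify(resp)


def demo():
    fileserver = 'cifs/fileserver.corp.example'
    lax = NtlmServer(fileserver, enforce_binding=False)
    strict = NtlmServer(fileserver, enforce_binding=True)
    return {
        'legacy_client_lax_server': relay(lax, None),                               # relay works
        'bound_client_strict_server': relay(strict, 'cifs/attacker.example'),       # relay rejected
        'tampered_binding': relay_with_tampering(strict, 'cifs/attacker.example'),  # proof breaks
        'legit_client_strict_server': relay(strict, fileserver),                    # direct auth ok
    }


if __name__ == '__main__':
    for name, ok in demo().items():
        print(f'{name}: {"authenticated" if ok else "rejected"}')
```

For SMB file shares the equivalent control is SMB signing, whose session key is derived from NTOWFv2, which the relay never learns; for HTTP and LDAP it is Extended Protection for Authentication (channel binding). In the example the target verifies against the NT hash directly, standing in for a domain controller's pass-through validation.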
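For the "Indicators of Compromise" list and the detection advice under "Protections and Mitigations" in the report text, the following added script (written for this page, not Unit 42 tooling) refangs the article's 14 IOC IPs and triages outbound connection records: it flags any destination on the IOC list, and any SMB connection (TCP 445/139) from an internal RFC 1918 host to an external address, since the exploit's only network footprint on the victim is that outbound NTLM authentication to a remote share. The key=value log format and the sample lines are constructed for the example and do not correspond to a particular vendor's format.

```python
# Added example, not from the Unit 42 article: triage of outbound connection logs for
# the NTLM-leak step (Outlook authenticating to an attacker-controlled file share).
# Flags (a) any destination matching the article's IOC IP list and (b) any SMB
# connection from an internal host to a non-RFC1918 address, suspicious on its own.
# The log lines and the key=value format are constructed for this example.
import ipaddress

# IOC IPs as printed in the article, defanged with [.]
ARTICLE_IOCS = '''
5.199.162[.]132 101.255.119[.]42 181.209.99[.]204 213.32.252[.]221 168.205.200[.]55
69.162.253[.]21 185.132.17[.]160 69.51.2[.]106 113.160.234[.]229 24.142.165[.]2
85.195.206[.]7 42.98.5[.]225 61.14.68[.]33 50.173.136[.]70
'''.split()

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]
SMB_PORTS = {445, 139}


def refang(ioc):
    """Turn the defanged '1.2.3[.]4' form back into a parseable address."""
    return ioc.replace('[.]', '.')


IOC_SET = {ipaddress.ip_address(refang(i)) for i in ARTICLE_IOCS}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one 'key=value key=value ...' record; None if a needed field is missing or malformed."""
    fields = dict(kv.split('=', 1) for kv in line.split() if '=' in kv)
    try:
        return {
            'ts': fields['ts'],
            'src': ipaddress.ip_address(fields['src']),
            'dst': ipaddress.ip_address(fields['dst']),
            'dport': int(fields['dport']),
        }
    except (KeyError, ValueError):
        return None


def classify(rec):
    """Reason to alert on a parsed record, or None. IOC hits win regardless of port."""
    if rec['dst'] in IOC_SET:
        return 'ioc_match'
    if rec['dport'] in SMB_PORTS and is_internal(rec['src']) and not is_internal(rec['dst']):
        return 'external_smb'
    return None


def triage(lines):
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            alerts.append({'ts': rec['ts'], 'src': str(rec['src']), 'dst': str(rec['dst']),
                           'dport': rec['dport'], 'reason': reason})
    return alerts


# Constructed sample log (not real traffic).
SAMPLE_LOG = '''
ts=2023-10-11T09:14:02Z src=10.20.30.40 dst=5.199.162.132 dport=445 proto=tcp action=allow
ts=2023-10-11T09:14:05Z src=10.20.30.41 dst=203.0.113.9 dport=445 proto=tcp action=allow
ts=2023-10-11T09:14:07Z src=10.20.30.42 dst=10.20.30.5 dport=445 proto=tcp action=allow
ts=2023-10-11T09:14:09Z src=10.20.30.43 dst=185.132.17.160 dport=80 proto=tcp action=allow
ts=2023-10-11T09:14:11Z src=10.20.30.44 dst=203.0.113.50 dport=443 proto=tcp action=allow
garbage line without fields
'''.strip().splitlines()


if __name__ == '__main__':
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Blocking outbound TCP 445, which Microsoft recommends for this CVE, removes the SMB path, but Windows can retry a UNC path over WebDAV (the WebClient service, TCP 80/443), so in production widen the port set or correlate with WebClient activity. Treat the IOC list as a point-in-time snapshot rather than a complete block list; the external-SMB rule is what catches infrastructure the article did not publish.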