Microsoft Outlook was reportedly targeted over 10,000 times this summer by a single threat actor, which is believed to be aligned with Russia.
Cybersecurity company Proofpoint recently unveiled its research announcing that a group they call TA422 (or Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta) was seen attempting daily hacking into the same accounts. It seems that this is a continuation of an earlier campaign by TA422 against various organizations in Europe and North America. US intelligence links the group to its Russian counterpart, the GRU.
According to Cybernews, this recent campaign differs from its predecessors in sheer scale, with Proofpoint stating it observed a significant deviation from the expected volume of emails sent in campaigns exploiting a Microsoft Outlook vulnerability. Proofpoint reports observing thousands of emails sent from a single email provider to defense, aerospace, technology, government, and manufacturing targets, with smaller volumes aimed at higher education, construction, and consulting.
“Our researchers initially observed small numbers of emails attempting to exploit this vulnerability,” Proofpoint reports. “The first surge in activity caught our attention partly due to all the emails pointing to the same listener server, but mostly due to the volume.”
Proofpoint said it observed over 10,000 repeated attempts to exploit the Microsoft Outlook vulnerability, targeting the same accounts daily during the late summer, a volume much larger than the typical nation-state espionage attacks on its radar. The cybersecurity company believes TA422 took a wider approach to gaining access to the targeted systems by repeatedly casting its net as widely as possible.
Nevertheless, the Proofpoint analysts are unsure whether this was an informed effort to collect target credentials, or why exactly the threat group retargeted entities in the higher education and manufacturing sectors, which it had already attacked during the previous campaign.
Based on the available data, Proofpoint suspects that the threat actor regularly ran broad, lower-effort campaigns in an attempt to gain access. Cybernews reports that Microsoft has issued a patch and a warning to all its users, urging them to update their systems as soon as possible.