TA422, also known under the aliases APT28, Forest Blizzard, Pawn Storm, Fancy Bear, and BlueDelta, is a threat actor attributed by the United States Intelligence Community to the Russian General Staff Main Intelligence Directorate (GRU). Since March 2023, cybersecurity researchers at Proofpoint have observed TA422 exploiting already-patched vulnerabilities to target organizations in Europe and North America. The group has shown a consistent pattern of exploitation, leveraging platforms such as Mockbin and InfinityFree for URL redirection and using phishing emails to test code performance online. A significant deviation from the expected volume of emails sent in campaigns exploiting the Microsoft Outlook elevation of privilege vulnerability (CVE-2023-23397) was noted, though it remains unclear whether this was a tactical decision or an operator error.
TA422's approach has evolved over time, shifting from compiled malware to lighter-weight, credential-oriented access methods. This shift is reflected in the tactics and techniques used in their campaigns, which involve sending thousands of specially crafted emails that exploit vulnerabilities in popular software such as Microsoft Outlook and WinRAR. For instance, TA422 exploited the Microsoft Outlook vulnerability CVE-2023-23397, which allows a remote, unauthenticated attacker to leak the targeted user's hashed Windows account password. Similarly, they exploited a WinRAR remote code execution vulnerability (CVE-2023-38831), forcing Windows to execute malware disguised as a benign file.
The group also uses techniques such as directing traffic to an SMB listener hosted on a compromised router, a method TA422 has employed before. Despite these advanced tactics, the sheer quantity of emails sent, more than 10,000 since August 2023, suggests possible operational errors. Regardless, TA422's evolving strategies and persistent targeting of various organizations underscore the serious threat it poses to global cybersecurity.
Description last updated: 2024-08-14T08:42:08.821Z