Germany points finger at Fancy Bear for widespread 2023 hacks, DDoS attacks

Also: Microsoft promises to git gud on cybersecurity; unqualified attackers are targeting your water systems, and more

Infosec in brief It was just around a year ago that a spate of allegedly Russian-orchestrated cyberattacks hit government agencies in Germany, and now German officials claim to know for a fact who did it: APT28, or Fancy Bear, a Russian threat actor linked to the GRU intelligence service.

According to German officials, Fancy Bear was behind widespread hacks targeting German infrastructure, government and private industry in response to the country's plan to send tanks to Ukraine. Germany has claimed the attacks were largely ineffective.

The same campaign also targeted the offices of the center-left Social Democratic Party of Germany.

Regardless, the confirmation of the attack serves as evidence of ongoing cyberattacks waged by Russia against its enemies that German foreign minister Annalena Baerbock said can't be allowed to continue. 

"It was a state-sponsored Russian cyber attack on Germany, and this is absolutely intolerable and unacceptable and will have consequences," Baerbock told reporters at a news conference. 

The US joined the condemnation of Russian cyberattacks after Germany shared news that APT28 was behind last year's campaign, saying it backs Germany's attribution of the attacks to the Russian crew. 

"The US Department of Justice has worked with Germany to remediate a network of hundreds of small office/home office routers that APT28 was using to conceal and carry out malicious activity, including the exploitation of CVE-2023-23397 against targets in Germany," the US State Department declared. "The DOJ action further blocked the GRU from regaining access to remediated devices."

APT28 has waged a number of high-profile attacks over the years, like the creation of NotPetya, a hack on the World Anti-Doping Agency, widespread abuse of Cisco exploits and plenty of attacks on Ukraine since Russia's illegal invasion of the country in 2022. 

Critical vulnerabilities of the week

Not too much to report, but still a few critical IoT vulnerabilities that need addressing: 

  • CVSS 9.8 – Multiple CVEs: CyberPower PowerPanel business management software versions 4.9.0 and prior contain a whole host of vulnerabilities that could give an attacker control over affected systems.
  • CVSS 9.3 – Multiple CVEs: Delta Electronics DIAEnergie industrial energy management system software is vulnerable to SQL injection and path traversal.
  • CVSS 8.7 – CVE-2024-1480: Several models of Unitronics Vision Legacy series PLCs are storing passwords in a recoverable format, making it easy for attackers to gain access.
  • CVSS 8.5 – CVE-2024-4192: Delta Electronics CNCSoft-G2 HMI software is vulnerable to a stack-based buffer overflow attack.

Microsoft pledges to do better about security

We've published no shortage of stories recently highlighting the worrying state of cybersecurity at Microsoft, and we're hardly the only ones criticizing. Something appears to have stuck, as Microsoft EVP of security Charlie Bell wants everyone to know how central security is to the Windows maker.

"We are making security our top priority at Microsoft, above all else – over all other features," Bell wrote in a blog post on Friday. 

This isn't the first time Microsoft has done this. In 2002, with XP, IE and other Microsoft products getting regularly and severely pwned, Bill Gates wrote his infamous Trustworthy Computing memo, refocusing design teams to bake security into their products from the get-go.

As part of its commitment to securing its systems, Bell said Microsoft is leaning in on its Secure Future Initiative and has defined six security pillars to guide its work: protect identities and secrets; protect tenants and isolate production systems; protect networks; protect engineering systems; monitor and detect threats; and accelerate response and remediation. 

Those are some pretty high-level goals, and talk is cheap, Charlie. Let's see some action. 

Ancient D-Link routers being targeted by botnet

Before you keep reading, go take a look at your router. It's not a D-Link DIR-645, is it? If not, feel free to skip this next bit. If it is – time to ditch that ancient piece of junk. 

The 12-year-old DIR-645, provided it's running firmware versions prior to and including 1.04b12, contains an almost-as-old vulnerability – CVE-2015-2051 – that allows an attacker to execute arbitrary commands via the GetDeviceSettings action in the HNAP protocol. 

Someone aware of the vulnerability – and the general public's penchant for not upgrading end-of-life technology – is using it to deploy a new botnet, security shop Fortinet recently discovered.

According to Fortinet the botnet, which it's dubbed "Goldoon," appears to be designed for little other than carrying out additional attacks. Nonetheless, consider this a warning about old technology: if it's vulnerable, someone will always try to find a way to exploit it. 
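The practical question both the D-Link story and the vulnerability list above raise is whether anything on your network still runs an affected version. The following is an added example, not code from Fortinet, D-Link or the advisories: an inventory check that parses mixed version strings such as "1.04b12" and "4.9.0" and flags anything at or below the last affected version quoted in the text. Host names and the inventory are constructed sample data, and the tie-break rules between letter and number tokens are an assumption.

```python
import re
from typing import List, Tuple

# Last affected version per product, taken from the article's wording
# ("prior to and including 1.04b12", "4.9.0 and prior"); the product
# name strings are our own labels for the inventory.
AFFECTED = {
    "D-Link DIR-645": ("1.04b12", "CVE-2015-2051"),
    "CyberPower PowerPanel": ("4.9.0", "multiple CVEs, CVSS 9.8"),
}

def version_key(version: str) -> Tuple:
    """Split '1.04b12' or '4.9.0' into comparable tokens.

    Numeric runs become (0, int) and letter runs (1, str), so comparing a
    number against a letter never raises TypeError. A version with fewer
    tokens sorts first, so '1.04' counts as older than '1.04b12'
    (assumption about the vendor's build numbering).
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens)

def is_affected(product: str, version: str) -> bool:
    """True when the product is listed and the version is at or below
    the last affected version; unknown products are not flagged."""
    entry = AFFECTED.get(product)
    if entry is None:
        return False
    return version_key(version) <= version_key(entry[0])

def audit(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return one finding per affected (host, product, version) row."""
    findings = []
    for host, product, version in inventory:
        if is_affected(product, version):
            advisory = AFFECTED[product][1]
            findings.append(f"{host}: {product} {version} affected ({advisory})")
    return findings

if __name__ == "__main__":
    sample_inventory = [  # constructed sample data, not real assets
        ("rtr-01", "D-Link DIR-645", "1.04b12"),
        ("rtr-02", "D-Link DIR-645", "1.04b13"),
        ("ups-mgmt", "CyberPower PowerPanel", "4.8.3"),
        ("ups-mgmt2", "CyberPower PowerPanel", "4.9.1"),
    ]
    for line in audit(sample_inventory):
        print(line)
```

For the DIR-645 a finding means replacement rather than an update, since the device is end-of-life and the article's advice is to retire it.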

Warning: Water systems hacks are trickling down

Russian hackers caught last month trying to attack water plants in the US and Europe have apparently inspired enough of a copycat movement that governments are warning of a widespread – but easy-to-counter – campaign.  

A group of 11 international government agencies issued a joint statement on the threats to water systems this week, warning that pro-Russian hacktivists appear to be trying to exploit systems at water and wastewater facilities and other critical infrastructure. 

Unlike some of the more sophisticated attackers, these ones appear to be going for "the easier the better" when seeking targets. 

"Pro-Russia hacktivist activity against these sectors appears mostly limited to unsophisticated techniques that manipulate ICS equipment to create nuisance effects," the statement noted, "via a combination of exploiting publicly exposed internet-facing connections and outdated VNC software, as well as using the HMIs' factory default passwords and weak passwords without multifactor authentication." 

In other words, consider this a warning to ensure your systems are safe before someone skilled decides to take a crack at them. ®
