Microsoft researchers uncovered a new tool in the Russian state hackers’ arsenal that helped them gain elevated access, pilfer credentials and allowed lateral movement within compromised networks - the malicious software GooseEgg, exclusively used by a group known as Forest Blizzard, closely associated with the GRU, the Cyber Express reports.

Forrest Blizzard (also known as APT28, Fancy Bear, Pawn Storm, Sofacy Group, Strontium, Tsar Team, and Iron Twilight) is a Russian state-sponsored threat actor group that is attributed to the Russian Main Directorate/Main Intelligence Directorate of the General Staff of the Armed Forces (GRU) Unit 26165. The group has been operational since at least 2004 and conducts espionage operations against targeted entities for the purposes of intelligence gathering and hack and leak/Information Operations (IO).

Forrest Blizzard frequently targets entities in the North Atlantic Treaty Organisation (NATO) and NATO-partner organisations and institutions, likely because of the military alliance’s interests and activities at Russia’s western border. Forrest Blizzard also supports Russian military intelligence goals and has also targeted organisations in the aerospace and defence, government, hospitality, international sports bodies, and media sectors.​

The new tool has enabled GRU hackers to gain elevated access, steal credentials, and facilitate lateral movement within compromised networks. This sophisticated tool, dubbed GooseEgg, exploits the CVE-2022-38028 vulnerability in the Windows Print Spooler service, responsible for managing printing processes.

According to Microsoft, the Forest Blizzard group, also known as Fancy Bear and APT28, deployed GooseEgg at least since June 2020. The group targets governmental, non-governmental, educational, and transportation organizations across Ukraine, Western Europe, and North America.

The use of GooseEgg in Forest Blizzard operations is a unique discovery previously unreported by security service providers.

Forest Blizzard primarily targets governmental, energy, transportation, and non-governmental organizations in the US, Europe, and the Middle East. However, Microsoft has noted that GRU hackers have shifted their focus to media, information technology, sports organizations, and educational institutions worldwide.

“Forest Blizzard continually refines its footprint by employing new custom techniques and malware, suggesting that it is a well-resourced and well-trained group posing long-term challenges to attribution and tracking its activities,” Microsoft said.