In a recent reminder of the risks posed by security vulnerabilities in widely used software, Microsoft disclosed a critical vulnerability in Microsoft Office (CVE-2026-21509) in late January 2026. Although the urgent patch was released on January 26, attackers, notably the APT28 group linked to Russian intelligence, exploited the flaw to target Ukraine and the European Union.
Details of the Cyberattacks
The attacks delivered malicious documents by email; the exploit code embedded in each document triggered as soon as the file was opened in Microsoft Office. The documents carried decoy names such as Consultation_Topics_Ukraine(Final).doc and BULLETEN_H.doc and claimed to contain official information. Once opened, the file connected to an external server over WebDAV, from which a malicious payload was downloaded that granted remote access to the infected machine.
The goal of these attacks was to deploy COVENANT, an exploitation framework that attackers use to take control of compromised devices, enabling espionage and the exfiltration of sensitive data.
The Group Behind the Attacks: APT28
APT28, also known as Fancy Bear, is a hacking group directly linked to Russian military intelligence. It has been responsible for numerous large-scale attacks on governments and international organizations, particularly Ukrainian institutions and organizations within the European Union.
How to Protect Yourself from These Attacks
- Security Updates: Update Microsoft Office to the latest version immediately; it includes the security patch Microsoft released on January 26. Users of Office 2021 and later should restart their Office applications for the update to take effect.
- Older Versions: Users of Office 2016 or 2019 should install the patches via Windows Update or the Microsoft Update Catalog.
- Preventive Measures: If updating immediately is not possible, Microsoft suggests a temporary workaround that modifies the Windows Registry.
Additional Recommendations
- Network Monitoring: Monitor connections to cloud storage services such as Filan, which the attackers use for command-and-control communications in order to evade detection mechanisms.
- Security Awareness: Educate employees about the dangers of opening suspicious documents, especially those from unknown senders or untrusted sources.
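The two network behaviours described above, a WebDAV fetch triggered by opening a document and egress to a cloud storage service used for command and control, are the kind of thing a proxy or endpoint log can surface. The following Python script is an added illustration written for this article, not code from the article, Microsoft, or any vendor. It assumes a simple pipe-delimited log format (timestamp|process|destination host|HTTP method|user agent); the sample log lines, the internal-domain suffix `.corp.example`, and the watchlist domain `cloudstorage.example` are all constructed placeholders, the latter standing in for whichever storage service an organisation decides to watch. The user agent `Microsoft-WebDAV-MiniRedir` is the one the Windows WebClient redirector sends, which is why WebDAV traffic may appear under `svchost.exe` rather than under the Office process itself.

```python
"""Flag external WebDAV requests and cloud-storage egress in proxy-style logs.

Added illustration for the article above; not the article's or any vendor's code.
Log format assumed: timestamp|process|dest_host|http_method|user_agent
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed placeholders (assumptions, not values from the article).
INTERNAL_SUFFIXES = (".corp.example",)               # hosts treated as internal/trusted
CLOUD_STORAGE_WATCHLIST = {"cloudstorage.example"}   # stand-in for a watched storage service
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "OPTIONS"}
WEBDAV_UA_MARKER = "Microsoft-WebDAV-MiniRedir"      # Windows WebClient redirector user agent
OFFICE_PROCESSES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

# Constructed sample telemetry (not real data). Hostnames rather than IPs are used for
# the external peers because ipaddress treats documentation ranges as private.
SAMPLE_LOG = """\
2026-01-27T09:12:03Z|WINWORD.EXE|fileserver.corp.example|GET|Microsoft Office
2026-01-27T09:12:05Z|WINWORD.EXE|webdav-share.example.net|PROPFIND|Microsoft Office
2026-01-27T09:12:06Z|svchost.exe|webdav-share.example.net|OPTIONS|Microsoft-WebDAV-MiniRedir/10.0
2026-01-27T09:15:44Z|powershell.exe|cloudstorage.example|POST|Mozilla/5.0
2026-01-27T09:16:00Z|chrome.exe|www.example.org|GET|Mozilla/5.0
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    process: str
    dest_host: str
    reason: str


def is_internal(host: str) -> bool:
    """Internal = trusted DNS suffix, or a private/loopback IP literal."""
    if host.lower().endswith(INTERNAL_SUFFIXES):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False            # a hostname, not an IP literal
    return ip.is_private or ip.is_loopback


def parse_line(line: str) -> tuple[str, ...] | None:
    """Split one log line into its five fields; malformed lines yield None."""
    parts = line.rstrip("\n").split("|")
    return tuple(parts) if len(parts) == 5 else None


def scan(log_text: str) -> list[Alert]:
    """Return one Alert per log line that matches a detection rule."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # skip rather than abort the whole scan
        ts, proc, host, method, ua = rec
        if is_internal(host):
            continue            # internal shares and private peers are out of scope
        is_webdav = method.upper() in WEBDAV_METHODS or WEBDAV_UA_MARKER in ua
        if is_webdav:
            origin = "Office process" if proc.upper() in OFFICE_PROCESSES else proc
            alerts.append(Alert(ts, proc, host, f"WebDAV {method.upper()} to external host from {origin}"))
        elif host.lower() in CLOUD_STORAGE_WATCHLIST:
            alerts.append(Alert(ts, proc, host, "egress to watchlisted cloud storage domain"))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.timestamp} {a.process:<16} {a.dest_host:<26} {a.reason}")
```

Running the script on the constructed sample prints three alerts: the Office process issuing PROPFIND to an external host, the WebClient redirector (`svchost.exe`) following up on the same host, and a non-Office process posting to the watchlisted storage domain. The internal file-server access and the ordinary browser request are left alone, and the malformed line is skipped instead of crashing the scan. Real deployments would replace the placeholder suffix and watchlist with the organisation's own values and correlate the WebDAV alert with the document-open event that preceded it.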
Conclusion
With the growing number of cyberattacks targeting government and business systems, it is crucial to apply security patches regularly. Installing updates promptly remains one of the most effective ways to protect personal and organizational data from exploitation.