Cyber Incident Victim: European diplomatic entity

Date: Jan 2022

Summary

APT29, a Russia-linked threat group, compromised a European diplomatic entity through a phishing campaign and then abused Windows Credential Roaming, an Active Directory feature that roams certificates and credentials between domain-joined hosts. The attackers issued LDAP queries for the msPKI-CredentialRoamingTokens attribute and exploited an Arbitrary File Write vulnerability (CVE-2022-30170) by placing directory traversal sequences in the identifier strings stored in the msPKIAccountCredentials attribute, achieving remote code execution under the victim's privileges. This technique enabled credential harvesting and privilege escalation by abusing stored authentication tokens, particularly in environments where Credential Roaming had historically been enabled or was improperly maintained. The group, previously associated with high-profile operations including the Democratic National Committee breach, demonstrated advanced tradecraft by weaponizing a legacy feature for lateral movement and persistence within the targeted network.


Description

In early 2022, Mandiant researchers investigated a cyberattack against a European diplomatic entity perpetrated by the Russia-linked APT29 group. The intrusion began with a successful phishing operation, after which the attackers exploited Windows Credential Roaming (a feature introduced in Windows Server 2003 SP1 and still supported through Windows 11 and Server 2022) that roams certificates and credentials within domains. During forensic analysis, Mandiant observed anomalous LDAP queries against Active Directory, including requests for the msPKI-CredentialRoamingTokens attribute ({b7ff5a38-0818-42b0-8110-d3d154c97f24}), which stores encrypted user credential token BLOBs. Further investigation revealed that the attackers leveraged an Arbitrary File Write vulnerability (CVE-2022-30170) by manipulating the msPKIAccountCredentials attribute with directory traversal characters in its identifier strings. This allowed arbitrary bytes to be written to any file on the system in the victim account's context, enabling remote code execution as the logged-in user. The attackers' LDAP queries requested standard credential-hunting attributes such as unixUserPassword alongside the unusual Credential Roaming attribute. Mandiant documented that the 92-byte buffer limitation accommodated full filenames with traversal characters. The group, previously implicated in the Democratic National Committee hack and the 2016 US election interference campaigns, used this method to harvest roaming credentials for privilege escalation.

The incident demonstrated APT29's ability to weaponize legacy AD features, with impacts including credential compromise and potential lateral movement. The prerequisites for exploitation included unpatched Credential Roaming systems, compromised Domain Administrator privileges, access to a victim's cleartext password, or unauthorized access to the msPKIDPAPIMasterKeys attribute. Mandiant reported the vulnerability to the Microsoft Security Response Center (MSRC) in April 2022, leading to a patch released on September 13, 2022. The investigation highlighted risks for organizations that had ever implemented Credential Roaming without following Microsoft's cleanup procedures. Forensic evidence showed that the attackers specifically targeted cryptographic material and authentication tokens stored via this feature. Mandiant's analysis did not disclose the diplomatic entity's operational disruptions but confirmed that the attackers achieved initial access through credential theft via phishing. The technical findings emphasized the necessity of patching CVE-2022-30170 on all systems where Credential Roaming was enabled and of auditing historical usage of the feature to ensure proper decommissioning.
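The anomalous LDAP queries described above (requests for msPKI-CredentialRoamingTokens and msPKIAccountCredentials next to unixUserPassword, plus the msPKIDPAPIMasterKeys attribute named in the exploitation prerequisites) are a detection opportunity. The following is an added example, not Mandiant's or this database's code: it parses a constructed key=value search-log format (the LINE_RE layout and all log lines are assumptions, not a real AD audit format) and grades each search by the sensitive attributes it requests.

```python
# Added example (not Mandiant's or the incident database's code): flag LDAP
# searches that request Credential Roaming material. The log layout is a
# constructed key=value format; adapt LINE_RE to what your directory audit emits.
import re
# Attribute names from the incident, compared with hyphens and case stripped.
ROAMING_ATTRS = {"mspkicredentialroamingtokens", "mspkiaccountcredentials",
                 "mspkidpapimasterkeys"}
PASSWORD_ATTRS = {"unixuserpassword"}
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+user=(?P<user>\S+)\s+op=search'
    r'\s+base="(?P<base>[^"]*)"\s+filter="(?P<filter>[^"]*)"\s+attrs=(?P<attrs>\S*)$')

def _norm(attr):
    return attr.replace("-", "").lower()

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["attrs"] = [a for a in rec["attrs"].split(",") if a]
    return rec

def classify(rec):
    """'high' for roaming/DPAPI material, 'medium' for a plain password hunt."""
    wanted = {_norm(a) for a in rec["attrs"]}
    if wanted & ROAMING_ATTRS:
        return "high"
    if wanted & PASSWORD_ATTRS:
        return "medium"
    return None

def scan(lines):
    """One finding per suspicious search, listing only the sensitive attributes."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        sev = classify(rec) if rec else None  # unparsable lines are skipped
        if sev:
            hits = [a for a in rec["attrs"] if _norm(a) in ROAMING_ATTRS | PASSWORD_ATTRS]
            findings.append({"severity": sev, "client": rec["client"],
                             "user": rec["user"], "attrs": hits})
    return findings

# Constructed sample log: a benign lookup, a roaming-token hunt, a password hunt.
SAMPLE_LOG = [
    '2022-01-14T10:22:31Z client=10.0.0.5 user=CORP\\jdoe op=search base="DC=corp,DC=example" filter="(cn=jdoe)" attrs=cn,mail,memberOf',
    '2022-01-14T10:25:02Z client=10.0.0.77 user=CORP\\jdoe op=search base="DC=corp,DC=example" filter="(objectClass=user)" attrs=unixUserPassword,msPKI-CredentialRoamingTokens,msPKIAccountCredentials',
    '2022-01-14T10:26:40Z client=10.0.0.77 user=CORP\\jdoe op=search base="DC=corp,DC=example" filter="(objectClass=user)" attrs=sAMAccountName,unixUserPassword',
]
```

A single request for the roaming attributes from a workstation is worth an alert on its own; the password-attribute hunt is lower severity but becomes notable when it comes from the same client minutes apart, as in the sample.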
