**Fancy Bear Exploits Microsoft Office Flaw in Ukraine, EU Cyber-Attacks**
**February 2026**
A sophisticated hacking group linked to Russia, Fancy Bear (APT28), has been exploiting a recently disclosed vulnerability in Microsoft Office to conduct cyber-attacks against Ukrainian and European Union organizations. The warning was published on February 2 by the Computer Emergency Response Team of Ukraine (CERT-UA), the country's national cyber threat intelligence unit.
**The Malicious File: 'Consultation_Topics_Ukraine(Final).doc'**
On January 29, CERT-UA reported finding a Word DOC file named 'Consultation_Topics_Ukraine(Final).doc', which contained an exploit for CVE-2026-21509. This high-severity vulnerability (with a CVSS 3.1 score of 7.8) affects several versions of Microsoft Office, including:
* Microsoft Office 2016
* Microsoft Office 2019
* Microsoft Office LTSC 2021
* Microsoft Office LTSC 2024
* Microsoft 365 Apps for Enterprise
The flaw, disclosed by Microsoft on January 26, is classified as reliance on untrusted inputs in a security decision. A successful exploit lets an attacker bypass the OLE (object linking and embedding) mitigations in Microsoft 365 and Microsoft Office, the controls that are meant to protect users from vulnerable COM (component object model) and OLE components embedded in documents.
**Microsoft's Response**
Microsoft confirmed in its security advisory that it had detected evidence of exploitation in the wild. The tech firm urged customers running Microsoft Office 2016 and 2019 to ensure the update is installed to be protected. Customers running Office 2021 and later will be automatically protected via a service-side change but will be required to restart their Office applications for this to take effect.
**The Expected Rise in Cyber-Attacks**
Given the likely delay (or inability) of users to update Microsoft Office or apply recommended security measures, the number of cyber-attacks exploiting this vulnerability is expected to increase. The CERT-UA report noted that "the exploitation of this vulnerability can lead to significant consequences, including unauthorized access to sensitive information and disruption of critical systems."
**Fancy Bear's Tactics**
The .doc file identified by CERT-UA was related to consultations of the Committee of Permanent Representatives (COREPER) of the EU regarding the situation in Ukraine. Metadata indicated that the file was created in the morning of January 27, the day after Microsoft's vulnerability disclosure.
On the same day, CERT-UA said it received reports from partners about emails purportedly coming from the Ukrainian Hydrometeorological Center (UkrHMC), containing another file attachment named 'BULLETEN_H.doc'. The email was sent to over 60 addresses, primarily belonging to central executive authorities of Ukraine.
Further CERT-UA analysis revealed that opening the document in Microsoft Office triggered a network connection to an external resource over the WebDAV protocol, followed by the download of a shortcut (LNK) file whose embedded command downloads and executes the next-stage payload. Successful execution resulted in the following chain:
1. Execution of the resulting tasks, which terminates and restarts the explorer.exe process
2. Loading of the 'EhStoreShell.dll' file into the restarted explorer.exe through component object model (COM) hijacking
3. Execution of shellcode carried inside an image file, ultimately launching the Covenant framework on the compromised system
Covenant is a .NET-based command and control (C2) framework designed for offensive cybersecurity and red teaming exercises.
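The chain above maps onto telemetry most Windows fleets already collect (process network connections, file creation, registry value sets, image loads and DNS queries, as Sysmon records them). The following hunting routine is an added example written for this page, not code from CERT-UA or Microsoft: it scores constructed Sysmon-style event records against each stage of the chain. The event records, the `alice` user profile, the all-zero CLSID and the `filen.io` domain list are assumptions; only `EhStoreShell.dll` and the explorer.exe restart come from the CERT-UA description.

```python
"""Hunt for the Office -> LNK -> COM-hijack -> explorer.exe -> cloud C2 chain
in Sysmon-style events. Added example; sample events below are constructed."""
import re
from typing import Dict, Iterable, List, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_DLLS = {"ehstoreshell.dll"}          # DLL named in the CERT-UA report
CLOUD_C2_DOMAINS = ("filen.io",)                # assumption: replace with your TI list

# A COM server or DLL under a user-writable path is the hijack signal: legitimate
# in-process servers live under Program Files or System32, not the user profile.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|documents|desktop)\\", re.I)
COM_INPROC = re.compile(
    r"\\software\\classes\\clsid\\\{[0-9a-f-]{36}\}\\inprocserver32", re.I)
PRIVATE_IP = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_domains(host: str, domains: Iterable[str]) -> bool:
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def hunt(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule_name, summary) for every event matching a stage of the chain."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        eid, image = e["event_id"], basename(e.get("image", ""))
        # Stage 1: an Office process talks to the internet (WebDAV to the exploit host).
        # Caveat: Windows may route WebDAV through the WebClient service (svchost.exe),
        # so in real telemetry correlate svchost connections with the document open.
        if eid == 3 and image in OFFICE_IMAGES and not PRIVATE_IP.match(e["dest_ip"]):
            hits.append(("office_outbound", f"{image} -> {e['dest_ip']}:{e['dest_port']}"))
        # Stage 2: an .lnk file lands in a user-writable location.
        if eid == 11 and e["target"].lower().endswith(".lnk") and USER_WRITABLE.match(e["target"]):
            hits.append(("lnk_dropped", e["target"]))
        # Stage 3: COM hijack - an HKCU InprocServer32 value pointing at a user-writable DLL.
        if eid == 13 and COM_INPROC.search(e["target"]) and USER_WRITABLE.match(e["details"]):
            hits.append(("com_hijack", f"{e['target']} = {e['details']}"))
        # Stage 4: the restarted explorer.exe loads the hijacked server (or the named DLL).
        if eid == 7 and image == "explorer.exe" and (
                basename(e["loaded"]) in SUSPICIOUS_DLLS or USER_WRITABLE.match(e["loaded"])):
            hits.append(("explorer_loads_user_dll", e["loaded"]))
        # Stage 5: C2 riding on a legitimate cloud storage service.
        if eid == 22 and in_domains(e["query"], CLOUD_C2_DOMAINS):
            hits.append(("cloud_c2_dns", e["query"]))
    return hits


# Constructed sample telemetry (not real logs): five malicious stages plus two
# benign records that the rules must not flag.
SAMPLE_EVENTS = [
    {"event_id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_ip": "203.0.113.10", "dest_port": 80},
    {"event_id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\downloaded.lnk"},
    {"event_id": 13, "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-1\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32",
     "details": r"C:\Users\alice\AppData\Roaming\EhStoreShell.dll"},
    {"event_id": 7, "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\EhStoreShell.dll"},
    {"event_id": 22, "image": r"C:\Windows\explorer.exe", "query": "api.filen.io"},
    {"event_id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_ip": "10.0.0.5", "dest_port": 445},                      # LAN file server: benign
    {"event_id": 7, "image": r"C:\Windows\explorer.exe",
     "loaded": r"C:\Windows\System32\shell32.dll"},                 # system DLL: benign
]

if __name__ == "__main__":
    for rule, summary in hunt(SAMPLE_EVENTS):
        print(f"{rule:24s} {summary}")
```

Each rule is noisy on its own (Office processes do reach the internet, explorer.exe loads many DLLs); the value is in seeing several stages on one host within minutes, so in practice group the hits by host and time window before alerting, and treat a `com_hijack` hit followed by `explorer_loads_user_dll` as high confidence regardless of the other stages.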
**Prevention Measures**
CERT-UA also highlighted that, since the Covenant implant in this campaign routed its C2 traffic through the legitimate cloud storage service Filen, organizations that believe they could be targeted by Fancy Bear in this way should block, or at least closely monitor, network interactions with that service's nodes.
In late January 2026, three additional documents with the same exploit were identified, targeting organizations in EU countries. CERT-UA urged implementing the mitigation measures outlined in Microsoft's advisory, particularly regarding Windows registry configurations.