
Microsoft says a group of Russian hackers exploited an old Windows Print Spooler issue


Earlier this year, Microsoft revealed that a group of hackers considered state-sponsored by Russia had gained access to the email accounts of some of the company’s top executives. Today, Microsoft says another Russian hacking organization has been discovered using an old exploit in a Windows tool to access networks around the world and steal information.

In a post on the Microsoft Security website, the company said the group in question has been designated Forest Blizzard and has been active since at least 2010, going after both government and non-government networks in the US, Europe and the Middle East.

The newly disclosed Forest Blizzard activity centres on a vulnerability in the Windows Print Spooler service, tracked as CVE-2022-38028. Microsoft says Forest Blizzard exploited this flaw, where it was present on the networks it targeted, to deploy a malware tool called GooseEgg.

Microsoft says:

While a simple launcher application, GooseEgg is capable of spawning other command-line applications with elevated privileges, allowing threat actors to support any continuation goals such as remote code execution, backdoor installation, and lateral traversal through compromised networks.

Forest Blizzard used GooseEgg to access and take data from networks in North America, Ukraine and Western Europe. This activity has been going on for four years. The blog says that the disclosure of the use of this tool by Forest Blizzard “is a unique discovery not previously reported by security vendors.” No word on the blog about how successful the group has been with using GooseEgg in breaching networks and stealing data.

Microsoft fixed the problem in the Windows Print Spooler service in October 2022. Naturally, the company recommends that organizations running the service which have not yet applied the update do so. Microsoft also suggests disabling the service on domain controllers and using Microsoft Defender Antivirus to detect whether the GooseEgg tool is present on their network.
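The two host-level mitigations the article attributes to Microsoft, patching and turning the Print Spooler off on domain controllers, can be audited from an elevated PowerShell session. The script below is an added example written for this page, not code from the article or from Microsoft's post. It reports the Spooler service state and the on-disk spoolsv.exe version, and, when the host is a domain controller, stops and disables the service if the -Remediate switch (an assumption of this example) is given. The fixed build number for CVE-2022-38028 is not given in the article, so the script prints the version for comparison against Microsoft's advisory rather than hard-coding one.

```powershell
# Added example (not from the article or Microsoft's post): audit the Print Spooler
# service and, on a domain controller, optionally disable it.
# Run in an elevated PowerShell session. Without -Remediate the script only reports.
param(
    [switch]$Remediate
)

# Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -in 4, 5

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if (-not $spooler) {
    Write-Output "Print Spooler service not present on this host."
    return
}

Write-Output ("Host: {0}  DomainRole: {1}  DomainController: {2}" -f $env:COMPUTERNAME, $role, $isDomainController)
Write-Output ("Spooler status: {0}  StartType: {1}" -f $spooler.Status, $spooler.StartType)

# Report the spooler binary's file version so it can be compared with the fixed
# build listed in Microsoft's advisory for CVE-2022-38028 (not hard-coded here,
# because the article does not state it).
$spoolsv = Join-Path $env:SystemRoot 'System32\spoolsv.exe'
if (Test-Path $spoolsv) {
    $ver = (Get-Item $spoolsv).VersionInfo.FileVersion
    Write-Output "spoolsv.exe file version: $ver"
}

# Microsoft's recommendation per the article: the Spooler should not run on domain controllers.
if ($isDomainController -and $spooler.StartType -ne 'Disabled') {
    Write-Warning "Print Spooler is enabled on a domain controller."
    if ($Remediate) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        Write-Output "Print Spooler stopped and disabled."
    } else {
        Write-Output "Re-run with -Remediate to stop and disable it."
    }
}
```

Run it once without -Remediate across domain controllers to inventory which still have the service enabled and which spoolsv.exe builds are deployed, then re-run with -Remediate on the hosts that should not be printing. Disabling the Spooler on a member server or workstation that genuinely needs it will break printing, which is why the remediation branch is limited to domain controllers.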
