Russian GRU cyber campaign targets logistics and technology firms


A joint cybersecurity advisory from 15 Western intelligence agencies has revealed an ongoing Russian state-sponsored cyber campaign targeting logistics entities and technology companies across NATO member states, Ukraine, and international organisations.

The agencies include the Australian Signals Directorate's Australian Cyber Security Centre (ASD/ACSC) and its counterparts in the United States, Canada, the UK and several European Union member states.

They have attributed the campaign to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Centre, military unit 26165.

Security researchers track the unit as Advanced Persistent Threat (APT) 28, Fancy Bear or Forest Blizzard. Since 2022 it has specifically focused on organisations involved in coordinating, transporting and delivering foreign assistance to Ukraine.

The advisory warns that the threat actors have targeted dozens of unnamed entities across virtually all transportation modes including air, sea, and rail operations.

The GRU unit employs a diverse arsenal of techniques, including credential guessing, spearphishing campaigns and exploitation of multiple software vulnerabilities.

The actors have weaponised an Outlook NTLM vulnerability (CVE-2023-23397), sending specially crafted calendar invitations that make the victim's Outlook client authenticate to attacker-controlled infrastructure and leak NTLM credential material, and have exploited Roundcube webmail vulnerabilities to execute arbitrary shell commands.

Since autumn 2023 the group has leveraged a WinRAR vulnerability (CVE-2023-38831) to execute malicious code embedded in archive files, and it has compromised small office/home office (SOHO) devices to proxy and conceal its operations.

Internet protocol cameras compromised for spying

Beyond traditional network intrusion, the agencies reported that as early as March 2022 unit 26165 targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras, primarily located in Ukraine, as part of the campaign.

The actors attempted to monitor the movement of materials into Ukraine through border crossings and rail stations using these compromised camera feeds.

From a sample of over 10,000 cameras targeted, 81 per cent were located in Ukraine, with additional targets in Romania (9.9 per cent), Poland (4 per cent), Hungary (2.8 per cent), and Slovakia (1.7 per cent).

Once inside target networks, the actors conduct extensive reconnaissance to identify additional targets, particularly focusing on cybersecurity departments and individuals responsible for coordinating transport.

They deploy malware including HEADLACE and MASEPIE, and use dual-use administrative tools such as Impacket and PsExec for lateral movement.

The threat actors have demonstrated particular interest in accessing accounts containing sensitive information about aid shipments to Ukraine, including sender and recipient details, transport numbers, departure points, destinations, container registration numbers, travel routes, and cargo contents.

In several cases the actors established sustained email collection by manipulating Microsoft Exchange mailbox permissions, and enrolled compromised accounts in multi-factor authentication mechanisms so that the accounts appeared more trustworthy and access persisted.
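The mailbox-permission persistence described above leaves a trail in the Exchange admin audit log. The following script is an added illustration, not code from the advisory or from any of the agencies: it reads Microsoft 365 unified-audit-style records (an Operation name plus a Parameters name/value list), flags Add-MailboxPermission grants of FullAccess or SendAs to someone other than the mailbox owner, and raises severity when one grantee fans out across several mailboxes or registered new MFA security info shortly before the grants. The log lines, addresses and the exact spelling of the MFA registration event are constructed for the example.

```python
"""Spot mailbox-permission grants that look like sustained email collection.

Added example, not code from the advisory: it scans Microsoft 365
unified-audit-style records (Operation plus a Parameters name/value list)
for Add-MailboxPermission grants of FullAccess/SendAs to someone other
than the mailbox owner, and notes when the grantee registered new MFA
security info shortly beforehand. All log lines are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (field names mirror the unified audit log).
SAMPLE_LOG = r'''
{"CreationTime":"2024-03-01T07:55:10","Operation":"User registered security info.","UserId":"j.novak@example.test","Parameters":[]}
{"CreationTime":"2024-03-04T08:12:41","Operation":"Add-MailboxPermission","UserId":"admin@example.test","Parameters":[{"Name":"Identity","Value":"logistics-ops@example.test"},{"Name":"User","Value":"j.novak@example.test"},{"Name":"AccessRights","Value":"FullAccess"},{"Name":"InheritanceType","Value":"All"}]}
{"CreationTime":"2024-03-04T08:13:02","Operation":"Add-MailboxPermission","UserId":"admin@example.test","Parameters":[{"Name":"Identity","Value":"freight-coord@example.test"},{"Name":"User","Value":"j.novak@example.test"},{"Name":"AccessRights","Value":"FullAccess, ReadPermission"}]}
{"CreationTime":"2024-03-04T09:40:15","Operation":"Add-MailboxPermission","UserId":"helpdesk@example.test","Parameters":[{"Name":"Identity","Value":"m.ruiz@example.test"},{"Name":"User","Value":"m.ruiz@example.test"},{"Name":"AccessRights","Value":"FullAccess"}]}
{"CreationTime":"2024-03-05T11:20:00","Operation":"Add-MailboxPermission","UserId":"admin@example.test","Parameters":[{"Name":"Identity","Value":"shared-hr@example.test"},{"Name":"User","Value":"p.kowal@example.test"},{"Name":"AccessRights","Value":"ReadPermission"}]}
{"CreationTime":"2024-03-06T16:02:50","Operation":"Add-MailboxPermission","UserId":"admin@example.test","Parameters":[{"Name":"Identity","Value":"customs-desk@example.test"},{"Name":"User","Value":"p.kowal@example.test"},{"Name":"AccessRights","Value":"SendAs"}]}
'''

GRANT_OPS = {"Add-MailboxPermission", "Add-RecipientPermission"}
HIGH_RIGHTS = {"FullAccess", "SendAs"}
# Entra audit event as surfaced in the unified audit log (assumed spelling).
MFA_OPS = {"User registered security info."}
MFA_WINDOW = timedelta(days=7)


def parse_log(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def when(record):
    return datetime.fromisoformat(record["CreationTime"])


def find_collection_grants(records):
    """Map grantee -> list of high-privilege grants on mailboxes the grantee
    does not own; self-grants are ignored as routine noise."""
    grants = defaultdict(list)
    for rec in records:
        if rec["Operation"] not in GRANT_OPS:
            continue
        p = params(rec)
        mailbox = p.get("Identity", "").lower()
        grantee = p.get("User", "").lower()
        rights = {r.strip() for r in p.get("AccessRights", "").split(",")} & HIGH_RIGHTS
        if not rights or mailbox == grantee:
            continue
        grants[grantee].append({"mailbox": mailbox, "rights": sorted(rights),
                                "actor": rec["UserId"], "time": when(rec)})
    return dict(grants)


def recent_mfa_registration(records, user, before):
    """True if `user` registered security info within MFA_WINDOW before `before`."""
    for rec in records:
        if rec["Operation"] in MFA_OPS and rec["UserId"].lower() == user:
            t = when(rec)
            if before - MFA_WINDOW <= t <= before:
                return True
    return False


def triage(records):
    """One finding per grantee; severity rises with fan-out across mailboxes
    and with a preceding MFA registration on the grantee account."""
    findings = []
    for grantee, grants in find_collection_grants(records).items():
        first = min(g["time"] for g in grants)
        mfa = recent_mfa_registration(records, grantee, first)
        mailboxes = sorted({g["mailbox"] for g in grants})
        score = len(mailboxes) + (2 if mfa else 0)
        findings.append({"grantee": grantee, "mailboxes": mailboxes,
                         "mfa_registered_before": mfa,
                         "severity": "high" if score >= 3 else "medium"})
    return sorted(findings, key=lambda f: f["grantee"])


if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed data the script rates j.novak as high (FullAccess on two mailboxes it does not own, four days after registering MFA) and p.kowal as medium (a single SendAs grant); the self-grant and the ReadPermission-only grant are dropped as noise. The same shape of query is easy to port to a SIEM once the field names are confirmed against a real export.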

The campaign has affected 13 countries including Bulgaria, Czech Republic, France, Germany, Greece, Italy, Moldova, Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States.

Targeted sectors include defence industry, transportation hubs (ports and airports), maritime operations, air traffic management, and IT services.

Implement Zero Trust, intelligence agencies recommend

The advisory recommends that organisations implement Zero Trust principles, segment their networks appropriately, and deploy endpoint detection and response tooling, prioritising high-value systems.

Specific measures include blocking outbound NTLM and SMB requests to external infrastructure, enforcing multi-factor authentication with strong factors, and enabling attack surface reduction rules in Windows environments.
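Whether the outbound NTLM/SMB block is actually in place is something a defender can verify from firewall logs. The script below is an added illustration, not code from the advisory or from any of the agencies: it reads flow records, reports each host that reached, or tried to reach, an Internet address on an SMB port, and separately lists hosts that followed a blocked SMB attempt with HTTP to the same external host, which is the pattern Windows produces when it falls back to WebDAV for a UNC path. The log format, the internal address ranges and all IP addresses are constructed for the example.

```python
"""Check egress logs for SMB/NTLM leaving the network.

Added example, not code from the advisory. The advisory recommends
blocking NTLM/SMB requests to external infrastructure; this script reads
firewall flow records and reports hosts that tried (or were allowed) to
reach Internet addresses on SMB ports, plus the HTTP follow-up that
Windows attempts via WebDAV when port 445 is blocked. The log format and
all addresses are constructed for the example.
"""
from ipaddress import ip_address, ip_network

# Explicit internal ranges (RFC 1918 plus loopback and link-local); an
# organisation would substitute its own address plan here. An explicit
# list is used rather than ip_address().is_private, whose notion of
# "private" is broader than "inside our network".
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {139, 445}
WEBDAV_PORTS = {80}

# Constructed flow records: "src_ip dst_ip dst_port proto action"
SAMPLE_FLOWS = """
10.20.1.15 10.20.1.4 445 tcp allow
10.20.1.15 198.51.100.23 445 tcp allow
10.20.1.15 198.51.100.23 445 tcp allow
10.20.1.15 198.51.100.23 80 tcp allow
10.20.1.32 192.0.2.77 139 tcp deny
10.20.1.32 192.0.2.77 445 tcp deny
10.20.1.40 203.0.113.9 443 tcp allow
10.20.1.40 172.16.5.5 445 tcp allow
"""


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        src, dst, port, proto, action = line.split()
        flows.append({"src": src, "dst": dst, "port": int(port),
                      "proto": proto.lower(), "action": action.lower()})
    return flows


def external_smb(flows):
    """SMB-port TCP flows whose destination lies outside INTERNAL_NETS."""
    return [f for f in flows
            if f["proto"] == "tcp" and f["port"] in SMB_PORTS and is_external(f["dst"])]


def summarize(flows):
    """Per source host: how many external SMB attempts the firewall allowed
    versus denied, and which external hosts were contacted. Any non-zero
    'allowed' count means the recommended block is not in place for that host."""
    report = {}
    for f in external_smb(flows):
        entry = report.setdefault(f["src"], {"allowed": 0, "denied": 0, "destinations": set()})
        entry["allowed" if f["action"] == "allow" else "denied"] += 1
        entry["destinations"].add(f["dst"])
    return report


def webdav_fallback(flows):
    """(src, dst) pairs where a host that attempted external SMB also opened
    HTTP to the same external host: the shape of Windows' WebDAV fallback for
    UNC paths, so blocking port 445 alone does not close the credential leak."""
    smb_pairs = {(f["src"], f["dst"]) for f in external_smb(flows)}
    return sorted({(f["src"], f["dst"]) for f in flows
                   if f["proto"] == "tcp" and f["port"] in WEBDAV_PORTS
                   and (f["src"], f["dst"]) in smb_pairs})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, entry in sorted(summarize(flows).items()):
        print(src, entry)
    print("possible WebDAV fallback:", webdav_fallback(flows))
```

On the constructed data, 10.20.1.15 reached an external host on 445 twice and then on 80, so the block is missing for that host and the HTTP follow-up is worth a look; 10.20.1.32 was denied both times, which is the behaviour the advisory asks for. Internal SMB and ordinary HTTPS are left alone.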

For IP camera security, agencies recommend applying firmware updates, disabling remote access where unnecessary, using VPNs for remote connections, and implementing authentication controls.

The advisory notes that GRU unit 26165 almost certainly uses extensive additional infrastructure and tactics not specifically detailed in the report, with the expectation that similar targeting and techniques will continue as the conflict in Ukraine persists.

Copyright © nextmedia Pty Ltd. All rights reserved.