
A newly released joint advisory has exposed a long-running espionage campaign by Russia’s GRU targeting Western logistics companies and technology firms critical to aid delivery in Ukraine.
The effort, attributed to GRU Unit 26165, widely tracked as APT28 or Fancy Bear, has exploited corporate infrastructure using credential attacks, spear phishing, and malware to gain access to sensitive shipment data.
The advisory, co-authored by over 20 cybersecurity and intelligence agencies across NATO and partner nations, including the NSA, FBI, UK’s NCSC, Germany’s BSI, and Poland’s SKW, details a persistent campaign by the GRU’s 85th Main Special Service Center since 2022. The primary objective of the campaign is cyber-espionage: stealing data on military aid shipments and monitoring supply routes to Ukraine.
The campaign targets entities across air, rail, and maritime transportation networks, as well as IT service providers and defense contractors in countries such as the U.S., Germany, France, Poland, Ukraine, and the Czech Republic. Notably, the threat actors exploited trust relationships within the supply chain — moving laterally between affiliated organizations — to deepen access and maintain long-term surveillance.

GRU hackers targeting n-day flaws
The GRU's tactics rely on well-documented vulnerabilities and social engineering. Initial access methods include credential brute-forcing, spear phishing using fake login portals hosted on compromised infrastructure, and exploitation of Microsoft Exchange mailbox permissions. Targeted vulnerabilities include CVE-2023-23397 in Outlook, multiple flaws in Roundcube Webmail, and the WinRAR archive code execution vulnerability CVE-2023-38831.
Once inside a network, the threat actors employ tools like Impacket, PsExec, and Remote Desktop Protocol to traverse systems, dump Active Directory databases, and extract credentials using scripts such as Get-GPPPassword.py. They also utilize malware such as HEADLACE and MASEPIE to establish persistence and exfiltrate sensitive information. These tools can capture shipment manifests, container numbers, travel routes, and the contents of military aid cargo.
IP cameras in Russian crosshairs
One significant technical component of the campaign involved exploiting Real Time Streaming Protocol (RTSP) servers to access internet-connected cameras, often relying on default or brute-forced credentials. Data from over 10,000 cameras revealed a heavy focus on Ukrainian infrastructure, with 81% of targeting attempts localized to Ukraine and 15% affecting border states such as Romania and Poland.
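The credential guessing against RTSP cameras described above leaves a recognisable trace: a run of 401 responses from one source followed by a successful session. The following detection logic is an added example and not part of the advisory; the camera access-log format (timestamp, source IP, RTSP method, URL, status) and the sample lines are constructed for illustration.

```python
"""Flag RTSP credential guessing against IP cameras from access logs.

Added example, not from the advisory. The log format is constructed:
<ISO timestamp> <source IP> <RTSP method> <url> <status>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for one camera's RTSP server (RFC 5737 test addresses).
SAMPLE_LOG = """\
2025-05-21T10:15:01Z 198.51.100.20 OPTIONS rtsp://10.0.0.12:554/stream1 200
2025-05-21T10:15:02Z 203.0.113.7 DESCRIBE rtsp://10.0.0.12:554/stream1 401
2025-05-21T10:15:02Z 203.0.113.7 DESCRIBE rtsp://10.0.0.12:554/stream1 401
2025-05-21T10:15:03Z 203.0.113.7 DESCRIBE rtsp://10.0.0.12:554/stream1 401
2025-05-21T10:15:03Z 203.0.113.7 DESCRIBE rtsp://10.0.0.12:554/stream1 401
2025-05-21T10:15:04Z 203.0.113.7 DESCRIBE rtsp://10.0.0.12:554/stream1 401
2025-05-21T10:15:05Z 203.0.113.7 DESCRIBE rtsp://10.0.0.12:554/stream1 200
2025-05-21T10:15:06Z 203.0.113.7 SETUP rtsp://10.0.0.12:554/stream1/track1 200
2025-05-21T10:20:00Z 198.51.100.20 DESCRIBE rtsp://10.0.0.12:554/stream1 401
2025-05-21T10:20:01Z 198.51.100.20 DESCRIBE rtsp://10.0.0.12:554/stream1 200
"""


def parse(line):
    ts, src, method, url, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method, url, int(status)


def detect(log_text, threshold=5, window=timedelta(minutes=2)):
    """Map source IP -> 'bruteforce' (>= threshold 401s inside the sliding
    window) or 'bruteforce_success' (a 2xx from that source after the run).
    A single mistyped password never reaches the threshold and is ignored."""
    failures = defaultdict(list)  # src -> timestamps of recent 401 responses
    findings = {}
    for line in log_text.splitlines():
        ts, src, _method, _url, status = parse(line)
        if status == 401:
            # Drop failures older than the window, then re-check the count.
            failures[src] = [t for t in failures[src] + [ts] if ts - t <= window]
            if len(failures[src]) >= threshold:
                findings.setdefault(src, "bruteforce")
        elif 200 <= status < 300 and findings.get(src) == "bruteforce":
            # Authentication succeeded right after a guessing run: escalate.
            findings[src] = "bruteforce_success"
    return findings


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Fed the camera's real access log instead of `SAMPLE_LOG`, the same function surfaces the sources that should be blocked at the perimeter and the cameras whose credentials need rotating.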
The campaign’s stealth was enhanced by the use of encrypted TLS connections, anonymization networks like Tor, and geographically proximate proxy infrastructure to disguise lateral movement and data exfiltration. Exfiltrated email data was typically pulled using Exchange Web Services and IMAP, with sustained collection achieved via mailbox permission abuse and scheduled tasks.
To mitigate the threat, the advisory urges organizations — especially those in logistics and IT sectors supporting Ukraine — to assume they are likely targets. Recommended defenses include:
- Enabling multi-factor authentication with strong factors (e.g., hardware tokens, passkeys)
- Blocking NTLM/SMB requests to external infrastructure
- Applying security patches to exposed services like Outlook, VPNs, and SOHO routers
- Using EDR tools on critical systems such as mail servers and domain controllers
- Implementing strict network segmentation and outbound filtering
- Auditing for use of known malicious tools such as Certipy, ADExplorer, and HEADLACE
Organizations managing IP cameras are specifically advised to disable remote access when not essential, apply firmware updates, disable unused services (e.g., UPnP), and enforce authenticated RTSP access.