
Multi-national warning issued over Russia’s targeting of logistics, tech firms

The campaign traces back at least to early 2022, coinciding with the start of Russia’s full-scale invasion of Ukraine.
The Russian flag flies at the embassy's compound in Washington, DC, on April 15, 2021. (Photo by MANDEL NGAN/AFP via Getty Images)

A joint advisory from intelligence and cybersecurity agencies in the United States, United Kingdom, Canada, Australia and multiple European countries has detailed an ongoing Russian state-sponsored campaign targeting Western logistics organizations and technology companies, especially those supporting aid to Ukraine. The campaign, orchestrated by the group known as APT28 or Fancy Bear, has relied heavily on established techniques to breach organizations and extract sensitive data.

The campaign traces back at least to early 2022, coinciding with the start of Russia’s full-scale invasion of Ukraine. The group, which is tied to Russia’s Main Intelligence Directorate (GRU), has focused on logistics organizations and IT firms involved in coordinating, transporting, and delivering foreign assistance to Ukraine.

Entities across nearly all modes of transportation — including air, rail, and sea — as well as government, defense, and IT service sectors have been singled out. Targets are widespread, spanning the United States, Ukraine, several NATO member states, and bordering countries such as Bulgaria, France, Germany, Poland, Romania, and Slovakia.

Those running the campaign have deployed a mixture of previously observed tactics, techniques, and procedures. These have included:

  • Credential guessing and brute-force attacks supported by anonymization networks such as Tor and commercial VPNs.
  • Spearphishing attempts aimed at harvesting credentials or delivering malware, with lures typically dressed as official or professional documents and customized to recipients’ languages.
  • Exploitation of known software vulnerabilities, including the Outlook NTLM flaw (CVE-2023-23397), multiple Roundcube webmail vulnerabilities, and a widely publicized WinRAR bug (CVE-2023-38831).
  • Abuse and compromise of internet-facing infrastructure, such as corporate VPNs and small office/home office (SOHO) devices, to mask malicious activity and bring operations closer to intended victims.
  • Efforts aimed at industrial control system manufacturers, particularly in railway management, though the extent of success in these cases remains unconfirmed.

Once inside a network, actors conduct reconnaissance to identify further targets and sensitive personnel, leveraging tools like Impacket and PsExec for lateral movement. They have been observed deploying malware variants, most notably HeadLace and Masepie, and using techniques such as scheduled tasks, registry modifications, and malicious shortcuts to maintain persistence inside a network.

The campaign incorporates multi-stage phishing infrastructure, with redirectors screening connection attempts by location or browser details, a filtering layer that makes the campaigns harder for defenders and researchers to detect and analyze.

Beyond traditional IT environments, the campaign has expanded to include widespread targeting of IP cameras, especially those at border crossings and transport hubs. Using both default and brute-forced credentials, the group has obtained access to the video feeds and metadata of thousands of cameras, the majority located in Ukraine and neighboring states. The intent appears to be to physically track aid deliveries and transport activity.

The campaign showcases the group’s continued reliance on public vulnerabilities and “living-off-the-land” (LOTL) approaches. The advisory notes that tools and utilities commonly used for system administration, such as ntdsutil, wevtutil, and PowerShell, are regularly repurposed by attackers. As a result, organizations are cautioned to develop nuanced detection strategies to avoid false positives.
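The advisory's caution about tuning LOTL detections, illustrated with an added Python example that is not part of the article or the advisory: it flags ntdsutil "ifm" exports and wevtutil log clearing over constructed process-creation records, and suppresses the ntdsutil finding when the host/account pair is on a hypothetical approved-backup allowlist, so routine AD backups do not raise false positives.

```python
import re
import shlex
from typing import List, Optional

# Constructed sample events (host|user|command line), not taken from the advisory.
# The shape mimics fields from Windows Security event 4688 (process creation).
SAMPLE_EVENTS = [
    'dc01|CORP\\backup-svc|ntdsutil.exe "ac i ntds" "ifm" "create full D:\\adbackup" q q',
    'dc01|CORP\\jsmith|ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Users\\Public\\x" q q',
    'ws22|CORP\\jsmith|wevtutil.exe cl Security',
    'ws22|CORP\\jsmith|wevtutil.exe qe Security /c:5',
    'ws07|CORP\\helpdesk|wevtutil.exe el',
]

# Hypothetical allowlist of (host, account) pairs whose NTDS "ifm" dumps are
# part of a scheduled AD backup job; tune this to your own environment.
APPROVED_NTDS_BACKUP = {("dc01", "CORP\\backup-svc")}


def classify(host: str, user: str, cmdline: str) -> Optional[str]:
    """Return a finding label for a suspicious LOTL command, or None if benign."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows quoting/backslashes intact
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return None
    exe = argv[0].lower().rsplit("\\", 1)[-1]
    args = " ".join(a.strip('"').lower() for a in argv[1:])
    # ntdsutil "ifm" + "create full" writes a copy of ntds.dit (the AD database);
    # alert only when the host/account pair is not an approved backup job.
    if exe == "ntdsutil.exe" and "ifm" in args and "create full" in args:
        if (host, user) in APPROVED_NTDS_BACKUP:
            return None
        return "ntds.dit export via ntdsutil ifm"
    # "wevtutil cl <log>" clears a log (anti-forensics); query/enumerate are routine.
    if exe == "wevtutil.exe" and re.match(r"^(cl|clear-log)\b", args):
        return "event log cleared via wevtutil"
    return None


def detect(events: List[str]) -> List[dict]:
    """Run classify() over host|user|cmdline records and collect the findings."""
    findings = []
    for line in events:
        host, user, cmdline = line.split("|", 2)
        label = classify(host, user, cmdline)
        if label:
            findings.append({"host": host, "user": user, "finding": label})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```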


The advisory, issued by 25 intelligence, military, and cybersecurity agencies, reflects an unprecedented level of international collaboration and information sharing on Russian state cyber operations. While the technical means and targets have become more complex and widespread, the campaign’s objectives remain overtly aligned with Russia’s military and strategic interests concerning Ukraine and the wider region.

Private companies have also been observing Russian operations tied to the war in Ukraine. The GRU has also been targeting email accounts of top Ukrainian officials and executives at foreign defense contractors supplying weapons to Ukraine, according to ESET research. Since at least 2023, the group has used spearphishing and exploited cross-site scripting vulnerabilities in webmail platforms like Roundcube, Horde, MDaemon, and Zimbra.

“Russian military intelligence has an obvious need to track the flow of material into Ukraine, and anyone involved in that process should consider themselves targeted,” said John Hultquist, chief analyst, Google Threat Intelligence Group. “Beyond the interest in identifying support to the battlefield, there is an interest in disrupting that support through either physical or cyber means. These incidents could be precursors to other serious actions.”



Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.
