Russian Cyber Espionage Targets Logistics Firms and Technology Companies Supporting Ukraine

by Shelley

A Russian cyber espionage campaign has been attributed to the state-sponsored group APT28 (also known as Fancy Bear, BlueDelta, or Forest Blizzard). The campaign, which has been active since 2022, targets Western logistics companies and technology firms, with a particular focus on organizations involved in delivering aid to Ukraine. This was revealed in a joint advisory issued by cybersecurity agencies from the U.S., U.K., Australia, and several European nations.

APT28 is linked to Russia’s military intelligence agency, the GRU, specifically the 85th Main Special Service Center (Military Unit 26165). The group is known for its sophisticated cyber tactics and has been targeting organizations that play a critical role in providing logistical support for Ukraine.

Focus on Logistics and Technology Sectors

According to the advisory, APT28’s cyber espionage efforts use a variety of techniques to infiltrate organizations. These include password spraying, spear-phishing, and exploiting vulnerabilities in Microsoft Exchange and webmail services like Roundcube, Horde, and Zimbra. The campaign’s primary objective is to gather intelligence, particularly from NATO member states, Ukraine, and countries involved in supporting Ukraine’s defense efforts.

The malicious activity has been widespread, with dozens of organizations from Bulgaria, France, Germany, Greece, Italy, Poland, Romania, Slovakia, and others targeted. Many of these organizations operate in defense, transportation, maritime, and IT sectors. The campaign also seeks to monitor and track aid shipments to Ukraine, which are delivered by logistics entities.

Espionage Techniques and Methods of Attack

APT28 gains access to targeted networks through several tactics. These range from brute-force credential guessing to spear-phishing that tricks users into entering their credentials on fake login pages. The attackers also exploit vulnerabilities in Outlook (CVE-2023-23397) and Roundcube (CVE-2020-12641, CVE-2020-35730), exploit vulnerabilities in corporate VPNs, and use SQL injection.
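As an added defensive example (not from the advisory or this article), the following Python heuristic separates the password spraying described above from single-account brute force when run over constructed login-log lines; the log format, field names, and sample addresses are assumptions.

```python
"""Heuristic password-spray detector over constructed auth log lines.
Spraying = one source, many accounts; brute force on one account is NOT flagged."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real data. Assumed (hypothetical) format:
#   <ISO timestamp> <OK|FAIL> user=<account> src=<ip>
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL user=alice src=203.0.113.5
2024-03-01T09:00:03Z FAIL user=bob src=203.0.113.5
2024-03-01T09:00:04Z FAIL user=carol src=203.0.113.5
2024-03-01T09:00:06Z FAIL user=dave src=203.0.113.5
2024-03-01T09:00:07Z FAIL user=erin src=203.0.113.5
2024-03-01T09:00:09Z OK user=frank src=203.0.113.5
2024-03-01T09:00:10Z FAIL user=alice src=198.51.100.7
2024-03-01T09:00:11Z FAIL user=alice src=198.51.100.7
2024-03-01T09:00:12Z FAIL user=alice src=198.51.100.7
2024-03-01T09:00:13Z FAIL user=alice src=198.51.100.7
"""

def parse_line(line):
    # -> (timestamp, result, user, source ip)
    ts, result, user_kv, src_kv = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag sources whose failures span >= min_users distinct accounts within
    `window`; "succeeded" lists accounts that source did log into (triage first)."""
    fails, successes = defaultdict(list), defaultdict(set)
    for raw in log_text.strip().splitlines():
        ts, result, user, src = parse_line(raw)
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)
    alerts = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = {"sprayed_accounts": sorted(users),
                               "succeeded": sorted(successes.get(src, ()))}
                break
    return alerts
```

The single-account source 198.51.100.7 is left alone so that lockout-style brute-force alerts and spray alerts stay distinct.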

Once access is gained, the attackers move to the post-exploitation phase. This involves identifying additional targets within organizations, including individuals responsible for coordinating aid deliveries, and then exfiltrating sensitive data from the compromised networks. Tools like PsExec, Remote Desktop Protocol (RDP), and Impacket are used for lateral movement within the network, while Active Directory information is harvested using tools like Certipy and ADExplorer.exe.

Malware and Data Exfiltration

APT28 has also been observed using malware families such as HeadLace and MASEPIE to maintain persistence on compromised systems and gather sensitive information. However, there is no indication that other malware variants like OCEANMAP and STEELHOOK were used to specifically target logistics or IT sectors.

During the data exfiltration phase, the threat actors employ a variety of methods to siphon data from email servers, including using PowerShell to create ZIP archives or employing Exchange Web Services (EWS) and IMAP to extract emails. The stolen data is then uploaded to the attackers’ infrastructure for further exploitation.

Growing Threat to Aid Delivery Operations

The joint advisory warns that these cyber attacks pose a serious risk to organizations involved in the delivery of assistance to Ukraine, highlighting the critical importance of cybersecurity for logistics and technology companies. The actors have not only targeted companies but also internet-connected cameras at Ukrainian border crossings to track the movement of aid shipments.

“The malicious campaign by Russia’s military intelligence service presents a significant threat to the targeted organizations, including those supporting Ukraine’s defense efforts,” said Paul Chichester, Director of Operations at the U.K.’s National Cyber Security Centre (NCSC). “The U.K. and our partners are committed to raising awareness and sharing knowledge on these tactics.”

© 2024 Copyright  freevpnforiphone.com