APT28's Intensified Cyberespionage Campaign Targets Western Logistics and Technology Firms
TL;DR
The Russia-linked cyberespionage group APT28 has stepped up its operations against Western logistics and technology firms that support Ukraine. This campaign poses a significant threat to supply chains, employing a mix of tactics like brute-force attacks, spear-phishing, and exploiting known vulnerabilities, according to US CISA warnings.
Main Content
CISA Warns of APT28 Targeting Western Logistics and Tech Firms Aiding Ukraine
The Russia-linked cyberespionage group APT28 has intensified its operations against Western logistics and technology companies involved in supplying aid to Ukraine, according to a warning from US CISA.
APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, has been active since at least 2007. The group has targeted governments, militaries, and security organizations worldwide, including notable attacks during the 2016 Presidential election[^1].
Operating out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), APT28 has been linked to a series of cyberespionage activities targeting Western logistics entities and technology companies involved in coordinating, transporting, and delivering foreign assistance to Ukraine[^2].
"This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue," reads the joint alert[^3].
Russian GRU Unit 26165 has targeted dozens of Western logistics and tech firms tied to Ukraine aid, including defense, maritime, air, and rail sectors across NATO nations and Ukraine. They exploited business ties to expand access, even probing ICS makers for railway systems. Targets span 13 countries, including the U.S., Germany, and France.

APT28 employed various methods for initial access, including:
- Brute-force attacks
- Spear-phishing
- Exploiting known vulnerabilities in Outlook, Roundcube, WinRAR, VPNs, and SOHO devices
Additionally, they used compromised nearby devices to proxy attacks and evade detection.
GRU Unit 26165 employed spear-phishing tactics with fake login pages hosted on compromised devices or free services. Attackers sent emails mimicking government and cloud providers, often in the target's language, using legitimate documents as lures. Some campaigns bypassed MFA, used IP checks and redirectors, and delivered malware.
The group exploited vulnerabilities such as:
- CVE-2023-23397 in Outlook to steal NTLM hashes via fake calendar invites
- Roundcube CVEs to access emails and run commands
- CVE-2023-38831 in WinRAR to execute code via malicious archives sent through emails or embedded links
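The Outlook item above is detectable from mailbox contents: CVE-2023-23397 relies on a calendar item whose reminder-sound property (the MAPI property PidLidReminderFileParameter, documented by Microsoft) points at a remote host, so Outlook authenticates there. The following added example, not part of the advisory or the article, flags such items given already-extracted property values (extraction from PST or EWS is assumed to happen elsewhere); the sample items are constructed.

```python
"""Flag calendar items whose reminder file parameter points off-host,
the indicator Microsoft's CVE-2023-23397 remediation script looks for.
Input: dicts of already-extracted MAPI property values (constructed)."""
import re

# Named MAPI property abused by CVE-2023-23397 (documented by Microsoft).
REMINDER_FILE_PARAM = "PidLidReminderFileParameter"

UNC_RE = re.compile(r"^\\\\[^\\]+\\")              # \\host\share\...
URL_RE = re.compile(r"^(?:https?|file)://", re.I)  # file://host/... or http(s)://


def classify_reminder_path(value):
    """Return 'unc', 'url', 'local' or 'none' for a reminder file parameter."""
    if not value:
        return "none"
    if UNC_RE.match(value):
        return "unc"
    if URL_RE.match(value):
        return "url"
    return "local"


def find_suspicious_items(items):
    """Return (message_id, path, kind) for items whose reminder path is remote.
    A local .wav path is benign; any remote target (UNC or URL) is what the
    exploit needs, so both kinds are reported for review/quarantine."""
    hits = []
    for item in items:
        value = item.get(REMINDER_FILE_PARAM)
        kind = classify_reminder_path(value)
        if kind in ("unc", "url"):
            hits.append((item["message_id"], value, kind))
    return hits


# Constructed sample items (not real telemetry); 203.0.113.5 is a doc-range IP.
SAMPLE_ITEMS = [
    {"message_id": "m1", REMINDER_FILE_PARAM: r"C:\Windows\Media\Alarm01.wav"},
    {"message_id": "m2", REMINDER_FILE_PARAM: r"\\203.0.113.5\share\s.wav"},
    {"message_id": "m3"},  # property absent: default sound, nothing to check
    {"message_id": "m4", REMINDER_FILE_PARAM: "file://203.0.113.5/x/s.wav"},
]

if __name__ == "__main__":
    for msg_id, path, kind in find_suspicious_items(SAMPLE_ITEMS):
        print(f"{msg_id}: {kind} reminder path -> {path}")
```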
After gaining initial access, APT28 conducted reconnaissance on key personnel, cybersecurity teams, and partners. The group used tools like Impacket, PsExec, RDP, and Certipy for lateral movement and Active Directory data exfiltration. They harvested credentials, manipulated mailbox permissions, and accessed sensitive shipment data. Threat actors also used voice phishing to target privileged accounts.
The Russia-linked group deployed malicious code for access, persistence, and data theft, using custom malware like HEADLACE and MASEPIE. They maintained access through DLL hijacking, scheduled tasks, run keys, and malicious shortcuts. Experts warned that attackers could use other malware like OCEANMAP and STEELHOOK in future operations against logistics and IT sectors.
The threat actors exfiltrated data using PowerShell, mailbox APIs (EWS/IMAP), and periodic queries, leveraging local infrastructure to evade detection. Attackers also targeted IP cameras near Ukrainian borders and military sites via RTSP, using default or brute-forced credentials to access live feeds. This gave the actors visibility into the movement of aid and materiel into Ukraine.
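The RTSP camera access described above leaves a pattern in camera or proxy logs: a burst of 401 Unauthorized replies from one source, then a successful DESCRIBE/SETUP/PLAY once a default or guessed password works. This added example (not from the advisory or the article) runs that detection over constructed log lines in an assumed "<time> <src_ip> <method> <status>" format; map a real camera's log fields into the same tuple.

```python
"""Detect RTSP credential guessing: a source with many 401s in a short
window, and one whose burst of failures is followed by a 200."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (doc-range IPs): "<ISO time> <src_ip> <method> <status>"
SAMPLE_LOG = """\
2025-05-20T06:00:01Z 198.51.100.7 DESCRIBE 401
2025-05-20T06:00:02Z 198.51.100.7 DESCRIBE 401
2025-05-20T06:00:02Z 198.51.100.7 DESCRIBE 401
2025-05-20T06:00:03Z 198.51.100.7 DESCRIBE 401
2025-05-20T06:00:03Z 198.51.100.7 DESCRIBE 401
2025-05-20T06:00:04Z 198.51.100.7 DESCRIBE 200
2025-05-20T06:00:05Z 198.51.100.7 SETUP 200
2025-05-20T06:00:05Z 198.51.100.7 PLAY 200
2025-05-20T06:10:00Z 192.0.2.10 DESCRIBE 401
2025-05-20T06:10:30Z 192.0.2.10 DESCRIBE 200
"""


def parse_line(line):
    ts, ip, method, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, int(status)


def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: verdict}: 'brute_force' for >= threshold 401s within
    `window`, 'brute_force_success' if a 200 follows such a burst.
    A source with a single mistyped password (one 401) gets no verdict."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, _method, status = parse_line(line)
            events[ip].append((ts, status))
    verdicts = {}
    for ip, evs in events.items():
        evs.sort()
        failures = []   # timestamps of 401s inside the sliding window
        burst = False
        for ts, status in evs:
            if status == 401:
                failures = [t for t in failures if ts - t <= window] + [ts]
                if len(failures) >= threshold:
                    burst = True
                    verdicts[ip] = "brute_force"
            elif status == 200 and burst:
                verdicts[ip] = "brute_force_success"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect_guessing(SAMPLE_LOG).items():
        print(ip, verdict)
```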
The alert includes general and detailed security mitigations.
SecurityAffairs – hacking, Russia
Conclusion
The intensified cyberespionage campaign by APT28 against Western logistics and technology firms underscores the ongoing threat to supply chains supporting Ukraine. As the conflict continues, it is crucial for organizations to remain vigilant and implement robust security measures to protect against such advanced persistent threats.
Additional Resources
For further insights, check: