Russia wages silent cyberwar on Western supply chains
Since Russia’s invasion of Ukraine in 2022, a group of Russian hackers has gone into overdrive. As Western countries began ramping up military and humanitarian aid to Ukraine, the GRU focused on the logistics and tech companies that support those flows. The post Russia wages silent cyberwar on Western supply chains appeared first on FreightWaves.

Imagine someone sneaking into your house, not through the front door, but through your email, your Wi-Fi or even your smart doorbell camera. That’s exactly the warning in a new cybersecurity report from U.S. and international intelligence agencies: Russian military hackers have been trying to break into the digital infrastructure of Western logistics and tech companies, particularly those helping Ukraine.
The attackers are part of Russia’s military intelligence agency, known as the Glavnoye Razvedyvatelnoye Upravlenie (GRU), and specifically a cyberunit called the 85th Main Special Service Center, also referred to as Unit 26165. In the cybersecurity world, this group is more infamously known as “Fancy Bear,” “APT28,” “Forest Blizzard” or “BlueDelta.” It represents years of tracking by threat researchers across the globe who’ve linked the group to some of the highest-profile cyberespionage campaigns in recent memory.
What makes this group especially dangerous is its mission and method. Unlike common cybercriminals who are after credit card numbers or quick financial gain, GRU Unit 26165’s goal is state-level espionage: to infiltrate, observe and manipulate critical digital systems that power economies and militaries. Think ports, air traffic systems, IT companies that manage cargo routing software and even the infrastructure behind customs clearance. These aren’t just business targets, they’re strategic assets in times of war.
Why target logistics?
Since Russia’s invasion of Ukraine in 2022, this cyberunit has gone into overdrive. As Western countries began ramping up military and humanitarian aid to Ukraine, the GRU focused its efforts on the logistics and tech companies that support those flows. It didn’t just try to hack the governments sending the aid — it went after the entire digital infrastructure involved in getting it there.
That meant targeting trucking companies coordinating military cargo. It meant breaching email systems at port authorities and tracking aircraft manifests at airports. It meant going after companies that manage GPS routing, warehouse inventories and customs data.
And, perhaps most disturbingly, it meant hijacking internet-connected security cameras. These weren’t just casual attempts to spy. The GRU was actively compromising Real Time Streaming Protocol (RTSP) camera feeds at border crossings, railway stations and key road junctions across Ukraine and neighboring NATO countries. From there, it could watch real-time footage of trucks, trains or convoys delivering aid and supplies.
The goal? Build a live picture of how support for Ukraine was physically moving through Europe and find ways to delay, reroute or sabotage it.
How do the hackers break in?
According to the report on GRU tactics, one of the group’s go-to methods is phishing, sending fake but convincing emails that lure people into clicking malicious links or entering passwords on forged login pages. These messages often look like they’re from trusted sources, government agencies or well-known tech providers, and are often written in the target’s native language. In many cases, the attackers use compromised small office or home office routers to host these fake pages, making them harder to trace.
Once the hackers get a foot in the door, the GRU uses malware, custom-built programs designed to spy, steal or quietly hijack systems. In this campaign, it deployed malware strains called HEADLACE and MASEPIE, which allowed the GRU to collect passwords, intercept emails and maintain access over time.
The group also exploited known software vulnerabilities, including critical flaws in Microsoft Outlook and other email platforms, which let it harvest login credentials through rogue calendar invites, and a flaw in the popular file compression tool WinRAR. Each of these bugs opened a backdoor that allowed attackers to slip past defenses without setting off alarms.
Once inside a network, GRU operatives moved methodically. They searched email inboxes for logistics details like shipping manifests, sender and recipient data, tracking numbers, transport routes, and cargo descriptions.
They didn’t just grab the data and leave. Instead, they set up camp, adjusting email permissions, enrolling compromised accounts in multifactor authentication (MFA) to deepen trust and quietly collecting sensitive information for weeks or even months. Their aim wasn’t just access, it was prolonged invisibility. The GRU studied the tempo of global trade, mapping every point where aid or military equipment might flow.
The report doesn’t list all the victims, but it makes clear the U.S. wasn’t spared. The attackers targeted logistics and technology companies across at least 13 countries, including the U.S., Germany, France, Poland and Ukraine.
The fragility of global supply chain security
At the heart of it all is a simple truth: Cyberhygiene matters, and it starts with access.
The report advises organizations to treat passwords like keys to the castle. That means ditching weak or reused credentials, banning the use of default logins and embracing MFA wherever possible, especially hardware-based MFA like smartcards or security tokens that are much harder to steal or spoof than SMS codes or app-based prompts.
Even better, companies should begin moving away from passwords altogether, turning to more modern approaches, like single sign-on systems or certificate-based authentication, that reduce the chances of stolen credentials being used at all.
“Think about how many sticky notes are on desks or passwords that are shared through a quick [direct message]. It’s 2025. It takes one second of compromise for every credential you ever sent to be a new attack vector that gets used against your customers and coworkers,” Garrett Allen, FreightTech expert and co-founder of LoadPartner, told FreightWaves.
Beyond access, the report emphasizes the importance of watching every corner of your digital environment. This isn’t just about having antivirus software, it’s about adopting a mindset of continuous surveillance. Network defenders should be logging who accesses what, flagging unusual login times or geographic anomalies, and tracking data movement across the system.
The report suggests using automated tools that can help spot and shut down attackers before they move laterally or exfiltrate sensitive files.
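An added illustration (not from the report or the article) of the kind of correlation the report calls for: it flags logins at odd hours or from countries outside a user's baseline, then ties a later MFA enrollment or mailbox-permission change on the same account back to that login, the post-compromise pattern described earlier. The JSON log format, the business-hours window, the two-hour follow-up window and the baseline table are all assumptions; the events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not from the report): one benign user and one
# account showing an odd-hour login from an unfamiliar country followed by
# a new MFA enrollment and a mailbox-permission change.
SAMPLE_EVENTS = [
    '{"ts":"2025-05-20T09:12:00","user":"dispatcher1","event":"login","country":"DE"}',
    '{"ts":"2025-05-20T17:30:00","user":"dispatcher1","event":"login","country":"DE"}',
    '{"ts":"2025-05-21T03:41:00","user":"ops.admin","event":"login","country":"XX"}',
    '{"ts":"2025-05-21T03:52:00","user":"ops.admin","event":"mfa_enroll","country":"XX"}',
    '{"ts":"2025-05-21T04:05:00","user":"ops.admin","event":"mailbox_permission_change","country":"XX"}',
]

BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time (assumption)
FOLLOW_UP_WINDOW = timedelta(hours=2)  # correlate changes this soon after an odd login
FOLLOW_UP_EVENTS = ("mfa_enroll", "mailbox_permission_change")

# Baseline of countries each user normally signs in from (assumed, per-org data)
KNOWN_COUNTRIES = {"dispatcher1": {"DE"}, "ops.admin": {"DE", "PL"}}


def parse_events(lines):
    """Parse one JSON event per line and return them in time order."""
    events = [json.loads(line) for line in lines]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect(lines, known_countries):
    """Return (user, reason) alerts: anomalous logins, plus account changes
    that follow an anomalous login on the same account within the window."""
    alerts = []
    anomalous_login_at = {}  # user -> timestamp of the last anomalous login
    for e in parse_events(lines):
        user = e["user"]
        if e["event"] == "login":
            reasons = []
            if e["ts"].hour not in BUSINESS_HOURS:
                reasons.append("login outside business hours")
            if e["country"] not in known_countries.get(user, set()):
                reasons.append(f"login from unfamiliar country {e['country']}")
            if reasons:
                anomalous_login_at[user] = e["ts"]
                alerts.append((user, "; ".join(reasons)))
        elif e["event"] in FOLLOW_UP_EVENTS:
            t0 = anomalous_login_at.get(user)
            if t0 is not None and e["ts"] - t0 <= FOLLOW_UP_WINDOW:
                alerts.append((user, f"{e['event']} within {FOLLOW_UP_WINDOW} of anomalous login"))
    return alerts


if __name__ == "__main__":
    for user, reason in detect(SAMPLE_EVENTS, KNOWN_COUNTRIES):
        print(f"ALERT {user}: {reason}")
```

In a real deployment the baseline would come from a trusted observation period and the events from the identity provider's sign-in and audit logs; the ordering of checks here is what matters, not the toy format.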
Then comes one of the most overlooked but essential defenses: updating software. Many of the techniques used by GRU hackers relied on known vulnerabilities, some of which had patches available for months or even years. This includes high-profile flaws in Microsoft Outlook, Roundcube and WinRAR, all of which were exploited to quietly gain entry. Organizations need a structured, enforced update policy that prioritizes high-risk systems and doesn’t rely on manual updates or once-a-quarter maintenance windows.
But the report goes further, urging companies to rethink their digital architecture entirely. It recommends segmenting networks so that if one part is breached, the attackers can’t move freely throughout the system. Access should be granted based on role and necessity — email admins shouldn’t have domainwide privileges, and vendor accounts should be tightly controlled and monitored.
Organizations are also urged to filter traffic aggressively. That means using firewalls to block access to known malicious domains, disabling unnecessary remote services and watching for logins from public VPNs.
Finally, businesses need to recognize that their supply chain partners could be their weakest link. Vendors, contractors and connected third parties must be held to the same cybersecurity standards, and their access to internal systems should be scrutinized.
“This makes me think about some of the legacy-to-modern bridges we have, like ELD aggregators holding credentials for thousands of carriers. What happens when one of those gets compromised?” said Allen.
Trust, in the digital realm, must be earned continuously. As the report makes painfully clear, sometimes the greatest danger isn’t the hackers you know. It’s the silent, overlooked connection that lets them walk right in.