US, allies warn Russian cyber group targeting Western IT, defense firms to hamper aid to Ukraine 

An advisory said the campaign is “likely connected” to the compromise of surveillance cameras in Ukraine and neighboring countries, which are used to watch the movement of equipment.

May 22, 2025 - 14:55

Microsoft blames Russian hackers for new IT supply chain attack. (Graphic by Breaking Defense, original images via Pexels)

WASHINGTON — Russian military hackers are carrying out a cyber campaign targeting Western information technology, defense and transportation companies in an effort to slow the flow of foreign assistance to Ukraine, according to a joint cybersecurity advisory.

The Tuesday advisory, authored by a slew of foreign and US cyber and military intelligence agencies including US Cyber Command, the National Security Agency and DoD Cyber Crimes Center, accuses the 85th Main Special Service Center’s military unit 26165 inside the Russian General Staff Main Intelligence Directorate, or GRU, of using “a mix of known tactics, techniques, and procedures” to target companies located in the US, NATO nations and other allied countries.

Unit 26165, which is also known as Advanced Persistent Threat (APT) 28, Fancy Bear, Blue Delta or Forest Blizzard, has been conducting the campaign since shortly after Russia invaded Ukraine over three years ago. 

“In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence — with unit 26165 predominately involved in espionage,” the report read. “As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid.” 

The advisory did not name the companies targeted, and neither the Pentagon nor the NSA responded to a request for comment by the time of publication. 

The warning follows a similar one from September, in which US and partner security organizations said another Russian hacking unit, GRU unit 29155, was also attempting to disrupt aid to Ukraine.

The new warning said hackers infiltrated the systems of several companies and entities through a variety of means, including but not limited to: credential guessing, phishing emails with links leading to fake login pages, phishing links that delivered malware, and weaponizing a Microsoft Outlook NTLM vulnerability. 

After compromising a network, the actors were able to move through it largely undetected and access sensitive information on shipments to Ukraine, such as the sender, recipients, ship/train/plane numbers, points of departure and arrival, cargo contents, travel routes and more.

The current campaign being carried out by unit 26165 is “likely connected” to the group’s wide-scale targeting of internet protocol (IP) cameras in Ukraine and bordering NATO nations where it successfully hacked into the cameras to monitor and track aid shipments, the report said. 

“Unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams,” the report read. 

To protect the sensitive information held by logistics entities and tech companies, the advisory urged executives and security practitioners to “recognize the elevated threat” posed by the group, increase monitoring and threat-hunting practices, and “posture network defenses with a presumption of targeting.”