Western Logistics and Tech Firms Targeted by Russia’s APT28

Dozens of Western logistics and tech firms delivering aid to Ukraine have been targeted by a Russian state-backed cyber-espionage campaign over the past two years, allied security agencies have warned.

The unnamed companies operate across the defense, IT services, maritime, airports, ports and air traffic management systems sectors in the US and European countries.

The Russian hacking group in question, APT28 (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, Iron Twilight) hails from the GRU’s military unit 26165 and is well known for its cyber-espionage activities.

“The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed,” noted a joint cybersecurity advisory from the NSA and allies including the National Cyber Security Centre (NCSC).

Among the known tactics, techniques, and procedures (TTPs) used by the group in these attacks are:

  • Credential guessing/brute force
  • Spear phishing for credentials
  • Spear phishing delivering malware
  • Outlook NTLM vulnerability (CVE-2023-23397)
  • Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
  • Exploitation of internet-facing infrastructure, including corporate VPNs, via public vulnerabilities and SQL injection
  • Exploitation of WinRAR vulnerability (CVE-2023-38831)
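The first TTP on that list, credential guessing and brute force, is also one of the easiest to detect from authentication logs. The following is an added example, not code from the advisory or the article: it parses SSH-style auth log lines (the sample lines are constructed), keeps a sliding window of failed logins per source address, and raises an alert both when a source exceeds a failure threshold and when a success follows a run of failures, which is the signal that a guessed password actually landed. The log format, thresholds and field names are assumptions for the illustration.

```python
"""Detect credential-guessing patterns in SSH auth logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in syslog/sshd style; not real logs.
SAMPLE_LOG = """\
May 20 10:00:01 host sshd[1]: Failed password for invalid user admin from 203.0.113.5 port 50000 ssh2
May 20 10:00:02 host sshd[1]: Failed password for root from 203.0.113.5 port 50001 ssh2
May 20 10:00:03 host sshd[1]: Failed password for root from 203.0.113.5 port 50002 ssh2
May 20 10:00:04 host sshd[1]: Failed password for alice from 203.0.113.5 port 50003 ssh2
May 20 10:00:05 host sshd[1]: Failed password for bob from 203.0.113.5 port 50004 ssh2
May 20 10:00:07 host sshd[1]: Accepted password for bob from 203.0.113.5 port 50005 ssh2
May 20 10:00:09 host sshd[1]: Failed password for carol from 198.51.100.7 port 40000 ssh2
May 20 10:05:00 host sshd[1]: Accepted publickey for carol from 198.51.100.7 port 40001 ssh2
"""

# Assumed sshd line layout: "<Mon DD HH:MM:SS> <host> sshd[pid]: <Failed|Accepted> <method> for [invalid user] <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2025):
    """Return a dict (ts, ok, user, ip) for a recognised sshd line, else None.
    Syslog lines carry no year, so one is supplied by the caller."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60, min_failures_before_success=3):
    """Scan log text and return a list of alert dicts.

    'burst': a source IP accumulated >= threshold failures inside the window.
    'success_after_failures': a login succeeded from a source that had at least
    min_failures_before_success failures inside the window (likely guessed password).
    """
    alerts = []
    failures = defaultdict(deque)   # ip -> deque of (timestamp, username) for recent failures
    burst_flagged = set()           # alert once per source for the burst condition
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = failures[ip]
        # Slide the window: discard failures older than window_seconds.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["ok"]:
            if len(q) >= min_failures_before_success:
                alerts.append({
                    "ip": ip, "kind": "success_after_failures", "user": ev["user"],
                    "failures": len(q), "tried_users": sorted({u for _, u in q}),
                })
        else:
            q.append((ts, ev["user"]))
            if len(q) >= threshold and ip not in burst_flagged:
                burst_flagged.add(ip)
                alerts.append({
                    "ip": ip, "kind": "burst", "failures": len(q),
                    "tried_users": sorted({u for _, u in q}),  # many distinct users -> spraying
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample, the first source trips the burst rule after five failures across four usernames and is then flagged again when the sixth attempt succeeds; the second source's single typo followed minutes later by a key-based login produces nothing. Tune the window and thresholds to your own baseline, and treat the `success_after_failures` alert as the one that warrants immediate session review and credential reset.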

“Executives and network defenders at technology and logistics companies should recognize the elevated threat of targeting and take immediate action to protect themselves,” said the UK’s NCSC.
“Actions include increasing monitoring, using multi-factor authentication with strong factors – such as passkeys – and ensuring security updates are applied promptly to manage vulnerabilities.”

Cato Networks chief security strategist Etay Maor said at-risk organizations should migrate away from traditional perimeter-based security and adopt a zero trust approach.

“Think of your network like a castle. In the past, we focused on protecting the outer walls. But hackers are finding ways inside,” he added. “This campaign shows we need to build smaller, internal walls within the castle, so if one area is breached, the damage is contained. We also need to verify everyone's identity before they can access sensitive areas, even if they're already inside the castle walls.”

IP Cameras Under Surveillance

Over the past two or more years, APT28 has also targeted private IP cameras and municipal traffic cameras along Ukraine’s border, near crossings, military installations and rail stations, in order to track the movement of materials into the war-torn country, the advisory revealed.

“The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds,” it explained.

Over 10,000 devices were targeted in this way, in Ukraine, Hungary, Romania, Slovakia, Poland and other countries.

“The targeting of IP cameras, for intelligence collection purposes, is interesting and is a tactic generally associated with state-sponsored adversaries like Iron Twilight where they anticipate a physical effects aspect to their operations,” said Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit.

“As an intelligence provider to the Russian military this access would assist in the understanding of what goods were being transported, when, in what volumes, and support kinetic targeting.”
