The United Kingdom, in collaboration with international allies, has unmasked a pervasive and malicious cyber campaign orchestrated by Russia’s military intelligence service, the GRU.
The offensive has systematically targeted Western logistics entities and technology companies since 2022, posing a significant threat to critical infrastructure and support efforts for Ukraine.
In a new joint advisory, the UK’s National Cyber Security Centre (NCSC), a division of GCHQ, and partners from ten other nations (the United States, Germany, the Czech Republic, Poland, Australia, Canada, Denmark, Estonia, France, and the Netherlands) set out the details of the intrusions.
Military Unit 26165 of the GRU, tracked publicly as APT28, has been identified as the perpetrator of these attacks.
The malicious campaign has specifically aimed at organizations pivotal to the coordination, transport, and delivery of aid to Ukraine.
This includes entities in the defense, IT services, maritime, airport, port, and air traffic management sectors across multiple NATO member states.
Investigations have shown that Unit 26165 gained initial access to victim networks through a variety of previously disclosed techniques.
These methods included credential guessing, spear-phishing, and manipulation of Microsoft Exchange mailbox permissions to gain persistent access to victims’ email.
The unit also targeted internet-connected cameras at Ukrainian border crossings and near military installations, apparently to monitor the movement of aid shipments into Ukraine.
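Two of the techniques named above, credential guessing and mailbox-permission abuse, leave traces in ordinary authentication logs and in the Exchange admin audit log. The following Python is an added example, not code from the advisory or from this article. It runs two checks over constructed log lines in a hypothetical JSON-lines schema (the field names, accounts, IP addresses and thresholds are all assumptions): one flags a single source IP failing authentication against many distinct accounts in a short window, the signature of a password spray, and the other flags Add-MailboxPermission and Add-MailboxFolderPermission calls that grant FullAccess, grant folder rights to the Default or Anonymous principal, or grant the caller access to another user’s mailbox.

```python
"""Added example: detecting password spraying and Exchange mailbox-permission
grants in constructed log data. Schemas, names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed authentication events (hypothetical JSON-lines schema).
AUTH_EVENTS = """
{"ts": "2025-05-19T08:00:01Z", "src_ip": "203.0.113.7", "user": "alice", "result": "FAIL"}
{"ts": "2025-05-19T08:00:05Z", "src_ip": "203.0.113.7", "user": "bob", "result": "FAIL"}
{"ts": "2025-05-19T08:00:09Z", "src_ip": "203.0.113.7", "user": "carol", "result": "FAIL"}
{"ts": "2025-05-19T08:00:14Z", "src_ip": "203.0.113.7", "user": "dave", "result": "FAIL"}
{"ts": "2025-05-19T08:00:20Z", "src_ip": "203.0.113.7", "user": "erin", "result": "FAIL"}
{"ts": "2025-05-19T08:00:26Z", "src_ip": "203.0.113.7", "user": "frank", "result": "SUCCESS"}
{"ts": "2025-05-19T08:01:00Z", "src_ip": "198.51.100.4", "user": "alice", "result": "FAIL"}
{"ts": "2025-05-19T08:01:30Z", "src_ip": "198.51.100.4", "user": "alice", "result": "SUCCESS"}
"""

# Constructed Exchange admin audit entries. The field names mirror what
# Search-AdminAuditLog returns (CmdletName, ObjectModified, CmdletParameters,
# Caller); the JSON wrapping and the data are assumptions. Raw string so the
# JSON escape "\\" reaches the parser intact.
ADMIN_AUDIT = r"""
{"ts": "2025-05-19T09:10:00Z", "Caller": "admin@example.com", "CmdletName": "Set-Mailbox", "ObjectModified": "alice", "CmdletParameters": {"Identity": "alice", "ProhibitSendQuota": "50GB"}}
{"ts": "2025-05-19T09:12:00Z", "Caller": "frank@example.com", "CmdletName": "Add-MailboxPermission", "ObjectModified": "ceo", "CmdletParameters": {"Identity": "ceo", "User": "frank", "AccessRights": "FullAccess"}}
{"ts": "2025-05-19T09:13:00Z", "Caller": "frank@example.com", "CmdletName": "Add-MailboxFolderPermission", "ObjectModified": "logistics:\\Inbox", "CmdletParameters": {"Identity": "logistics:\\Inbox", "User": "Default", "AccessRights": "Reviewer"}}
{"ts": "2025-05-19T09:15:00Z", "Caller": "alice@example.com", "CmdletName": "Add-MailboxFolderPermission", "ObjectModified": "alice:\\Calendar", "CmdletParameters": {"Identity": "alice:\\Calendar", "User": "bob", "AccessRights": "Reviewer"}}
"""

GRANT_CMDLETS = {"Add-MailboxPermission", "Add-MailboxFolderPermission"}
BROAD_PRINCIPALS = {"default", "anonymous"}  # rights here apply to everyone


def parse_jsonl(text):
    """Parse JSON lines, skipping blank ones."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source IP whose failed logins hit >= min_users distinct accounts
    inside one window. A spray guesses few passwords per account across many
    accounts, so per-account lockout thresholds never trigger; grouping by
    source IP is what exposes it. Successful logins from the same IP are
    reported too, since that is the account the spray compromised."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src_ip"]].append((_ts(e["ts"]), e["user"]))
    findings = []
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                later_ok = [e["user"] for e in events
                            if e["src_ip"] == ip and e["result"] == "SUCCESS"
                            and _ts(e["ts"]) >= t0]
                findings.append({"src_ip": ip, "distinct_users": len(users),
                                 "window_start": t0.isoformat(),
                                 "later_successes": later_ok})
                break
    return findings


def detect_mailbox_permission_abuse(entries):
    """Flag permission grants that let one principal read another mailbox:
    FullAccess, folder rights given to Default/Anonymous, or a caller granting
    access to their own account on someone else's mailbox."""
    findings = []
    for e in entries:
        if e["CmdletName"] not in GRANT_CMDLETS:
            continue
        p = e["CmdletParameters"]
        grantee, rights = p.get("User", ""), p.get("AccessRights", "")
        caller_alias = e["Caller"].split("@")[0].lower()
        reasons = []
        if rights == "FullAccess":
            reasons.append("FullAccess granted")
        if grantee.lower() in BROAD_PRINCIPALS and rights.lower() != "none":
            reasons.append(f"{rights} granted to {grantee} (everyone)")
        if grantee.lower() == caller_alias:
            reasons.append("caller granted access to own account")
        if reasons:
            findings.append({"ts": e["ts"], "caller": e["Caller"],
                             "mailbox": e["ObjectModified"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_jsonl(AUTH_EVENTS)):
        print("password spray:", f)
    for f in detect_mailbox_permission_abuse(parse_jsonl(ADMIN_AUDIT)):
        print("mailbox permission:", f)
```

On the constructed data the spray check reports 203.0.113.7 (five accounts in 25 seconds, followed by a successful login as frank), and the mailbox check reports frank granting himself FullAccess on the ceo mailbox and giving the Default principal Reviewer rights on the logistics inbox, while alice sharing her calendar with bob passes. In production the Exchange entries would come from Search-AdminAuditLog on-premises or the unified audit log in Exchange Online, and the thresholds would be tuned to the environment’s normal failure rate.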
Paul Chichester, NCSC Director of Operations, said: “This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine.”
He highlighted the unwavering commitment of the UK and its partners to “raising awareness of the tactics being deployed” and strongly urged organizations to “familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks.”
This exposure comes as the UK continues to demonstrate steadfast support for Ukraine in the face of Russia’s ongoing and “barbaric war.”
The UK has committed a substantial £13 billion in military aid to Ukraine. Just this week, 100 new sanctions were announced against Russia, targeting entities that bolster its military, energy, and financial institutions.
These measures followed Russia’s largest drone attack of the war last weekend.
The NCSC’s advisory not only details the extent of the threat but also provides crucial mitigation advice to help organizations defend against this malicious activity.
APT28, also known as Fancy Bear, Sofacy, or Sednit, is a highly sophisticated Russian state-sponsored hacking group believed to be affiliated with the GRU (Main Intelligence Directorate), Russia’s military intelligence agency.
Active since at least 2008, APT28 is primarily engaged in cyber espionage, aiming to collect intelligence that benefits the Russian government’s strategic and geopolitical interests.
Their operations often involve spear-phishing campaigns, using carefully crafted emails to trick high-value targets into divulging credentials or downloading malware. They are known for exploiting zero-day vulnerabilities in widely used software and for deploying custom malware such as XAgent, X-Tunnel, and SpyPress for persistent access and data exfiltration.
APT28 has been linked to numerous high-profile cyberattacks globally. Notable incidents include the 2016 hack of the Democratic National Committee (DNC) during the US presidential election, intrusions into the German Bundestag and French TV5Monde, and ongoing campaigns targeting government entities, defense firms, and critical infrastructure in Ukraine, Europe, and North America.
Their adaptability and use of readily available infrastructure make them a persistent and formidable threat in the cybersecurity landscape.