
The UK and its allies have unveiled a sophisticated cyber campaign by Russia’s military intelligence service targeting Western logistics and technology sectors. The advisory, released by the UK’s National Cyber Security Centre (NCSC) in conjunction with cybersecurity agencies from 10 countries, provides an in-depth analysis of the operations conducted by Russia’s GRU military unit 26165, also known as APT28, Fancy Bear, and other identifiers.
Since early 2022, this cyber campaign has primarily focused on organisations involved in supporting Ukraine’s defence efforts. It has targeted entities within sectors such as defence, IT services, maritime logistics, airports, ports, and air traffic management systems across multiple NATO member states.
“This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine,” said NCSC Director of Operations Paul Chichester. “The UK and partners are committed to raising awareness of the tactics being deployed. We strongly encourage organisations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks.”
Vulnerabilities exploited by APT28 include Microsoft Exchange and VPN systems
According to the NCSC, the Russian GRU leveraged a combination of techniques to infiltrate networks. These techniques included credential guessing and brute-force attacks, spear-phishing emails designed to harvest credentials or deliver malware, and exploiting vulnerabilities within Microsoft Exchange mailbox permissions and other software.
The advisory highlights how Unit 26165 escalated its activities in late February 2022 as Russian military operations in Ukraine faced significant setbacks. The unit expanded its targeting scope to include logistics entities and tech companies integral to the delivery of foreign aid to Ukraine. The cyber actors also targeted internet-connected cameras at Ukrainian border crossings and near military installations to track aid shipments.
The GRU’s campaign has extensively impacted air, sea, and rail transportation within NATO countries. Unit 26165 exploited trust relationships to conduct follow-on attacks on additional entities linked to its primary targets. It used known vulnerabilities such as the Outlook NTLM credential-leak flaw (CVE-2023-23397), Roundcube webmail flaws (CVE-2020-12641 among others), corporate VPNs via publicly known vulnerabilities and SQL injection (MITRE ATT&CK T1190, Exploit Public-Facing Application), and the WinRAR vulnerability (CVE-2023-38831).
To counter these threats, the advisory provides mitigation guidance aimed at enhancing cyber resilience. Organisations are urged to increase their network monitoring capabilities, implement multi-factor authentication with robust passkeys, and apply security patches promptly so that known vulnerabilities are closed before they can be exploited.
The joint cybersecurity advisory represents collaboration between agencies from the UK, US, Germany, Czechia, Poland, Australia, Canada, Denmark, Estonia, France, and the Netherlands. It underscores the importance of recognising the persistent threat from Unit 26165 and advises executives and network defenders in the technology and logistics sectors to enhance their security postures against these sophisticated cyber threats.
As this cyber espionage campaign continues to evolve, entities involved in supporting Ukraine are being asked to remain vigilant against further exploitation attempts. The NCSC advises maintaining an assumed-target mindset while strengthening defensive measures against anticipated threats.