Organizations from 13 nations have been targeted, including those in the United States, Germany, and France.
Western logistics and technology companies engaged in the transportation, coordination, and delivery of foreign assistance to Ukraine are being targeted by a Russian state-sponsored cyber unit, the Cybersecurity and Infrastructure Security Agency (CISA) said in a May 21 advisory jointly issued with multiple global agencies.
The campaign, which began in 2022, is being carried out by a military unit within the Russian General Staff Main Intelligence Directorate (GRU) called Unit 26165, which is known in the cybersecurity community under various names such as APT28, Fancy Bear, Forest Blizzard, and BlueDelta.
Government organizations and commercial entities have been targeted in the campaign. Affected sectors include the defense industry, IT services, air traffic management, maritime entities, and transportation hubs such as airports and shipping ports.
The entities targeted by Unit 26165 were located in 13 nations: Ukraine, the United States, Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, Netherlands, Poland, Romania, and Slovakia.
Unit 26165 has been able to gain access to systems of multiple organizations. After gaining entry into a target’s systems, the threat actor sought access to accounts holding sensitive information regarding shipments such as manifests and train schedules, according to the advisory.
The accounts contained details on aid shipments to Ukraine, including sender, recipient, cargo contents, travel route, destination, and container registration numbers.
Unit 26165 also likely gained access to private cameras of targets at key locations, including military installations, border crossings, and rail stations, the advisory stated, adding that the threat actor hacked municipal service portals to access traffic cams.
Over 80 percent of targeted cameras were located in Ukraine, with the remaining cameras in Romania, Poland, Hungary, Slovakia, and other places.
“Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting,” the advisory said, asking them to increase monitoring and prepare their network defenses, assuming that they would be targeted.
The joint advisory was issued by 21 global agencies from multiple nations, including the United States, France, the United Kingdom, and Germany.
In a May 21 statement, Paul Chichester, the director of operations at the UK’s National Cyber Security Centre, an agency involved in issuing the advisory, said the “malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organizations.”
“We strongly encourage organizations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks.”