Russian APT28 Cyberespionage Campaign Targets Aid Efforts to Ukraine
Since 2022, the Russian state-sponsored threat group APT28 (Fancy Bear/Forest Blizzard), linked to the GRU’s 85th GTsSS (military unit 26165), has conducted a sustained cyberespionage campaign against organizations supporting Ukraine. The operation, detailed in a joint advisory from 21 intelligence and cybersecurity agencies across nearly a dozen countries, targeted entities in defense, transportation, IT services, air traffic, and maritime sectors across 12 European nations and the U.S.
Tactics and Techniques
APT28 employed a mix of stealthy intrusion methods, including:
- Password spraying and brute-force attacks
- Spear-phishing (credential theft and malware delivery)
- Exploitation of known vulnerabilities, such as:
  - CVE-2023-23397 (Outlook NTLM relay)
  - CVE-2023-38831 (WinRAR)
  - Roundcube webmail flaws (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
- SQL injection and VPN exploits against internet-facing infrastructure
To evade detection, the group routed its communications through compromised small office/home office (SOHO) devices located near its targets. Once inside a network, it relied on common administrative tooling (PsExec, Impacket, RDP) and open-source utilities (Certipy, ADExplorer) for lateral movement and data exfiltration.
Surveillance and Data Theft
APT28 prioritized compromising accounts with access to aid shipment details, including:
- Sender/recipient information
- Cargo contents and travel routes
- Container registration numbers
- Destination data
They also enrolled hijacked accounts in multi-factor authentication (MFA) to keep persistent access. Malware used in the campaign included the Headlace and Masepie backdoors, while exfiltration methods were tailored to each victim's environment, often relying on living-off-the-land (LOtL) techniques to avoid detection.
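Two of the behaviours described above, password spraying in the Tactics section and MFA enrollment on hijacked accounts, leave footprints in sign-in logs that a defender can correlate. The following is an added illustration, not code from the advisory or the article; the event format, thresholds and sample values are constructed assumptions.

```python
# Added example: correlate a spraying source with a later MFA enrollment on an
# account it logged into. Event schema, thresholds and data are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, user, source_ip, event, outcome)
EVENTS = [
    ("2024-03-01T08:00:01", "alice", "203.0.113.7", "login", "fail"),
    ("2024-03-01T08:00:03", "bob",   "203.0.113.7", "login", "fail"),
    ("2024-03-01T08:00:05", "carol", "203.0.113.7", "login", "fail"),
    ("2024-03-01T08:00:07", "dave",  "203.0.113.7", "login", "fail"),
    ("2024-03-01T08:00:09", "erin",  "203.0.113.7", "login", "fail"),
    ("2024-03-01T08:00:11", "frank", "203.0.113.7", "login", "success"),
    ("2024-03-01T08:06:00", "frank", "203.0.113.7", "mfa_enroll", "success"),
    ("2024-03-01T09:30:00", "alice", "198.51.100.4", "login", "success"),
    ("2024-03-01T09:31:00", "alice", "198.51.100.4", "login", "fail"),
]

def parse(ts):
    return datetime.fromisoformat(ts)

def detect_spraying(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs whose failed logins touch >= min_accounts distinct users within one window."""
    fails = defaultdict(list)
    for ts, user, ip, event, outcome in events:
        if event == "login" and outcome == "fail":
            fails[ip].append((parse(ts), user))
    flagged = set()
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def detect_mfa_enroll_after_spray(events, spray_ips, window=timedelta(hours=1)):
    """(user, ip) pairs where an MFA method was enrolled within `window` of a
    successful login from an IP already flagged as spraying."""
    logins = [(parse(ts), u, ip) for ts, u, ip, e, o in events
              if e == "login" and o == "success" and ip in spray_ips]
    hits = set()
    for ts, u, ip, e, o in events:
        if e == "mfa_enroll" and o == "success":
            t = parse(ts)
            if any(u == lu and ip == lip and timedelta(0) <= t - lt <= window
                   for lt, lu, lip in logins):
                hits.add((u, ip))
    return hits
```

In this constructed data, 203.0.113.7 fails against five accounts in seconds, then succeeds on frank and enrolls an MFA method minutes later; the second IP never reaches the spraying threshold, so its enrollment-free activity is not flagged.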
Monitoring Aid Shipments via Compromised Cameras
A key aspect of the campaign involved hacking internet-connected cameras—including those at border crossings, military installations, rail stations, and traffic monitoring points—to track material movements into Ukraine. The advisory notes that over 10,000 cameras were targeted, with 80% in Ukraine and nearly 1,000 in Romania.
Google Threat Intelligence analyst John Hultquist warned that the group’s objectives extend beyond surveillance, aiming to disrupt aid efforts through cyber or physical means. The targeting of logistics and transportation networks suggests a broader strategy to undermine Ukraine’s supply chains.
Impact and Scope
The campaign affected organizations in Bulgaria, Czechia, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the U.S. The advisory provides indicators of compromise (IoCs), including malicious scripts, threat actor-controlled email providers, and IP addresses linked to the attacks. While mitigation guidance was included, the report underscores the persistent and adaptive nature of APT28’s operations.
US Transportation Command cybersecurity rating report: https://www.rankiteo.com/company/us-transportation-command
"id": "US-1765249605",
"linkid": "us-transportation-command",
"type": "Cyber Attack",
"date": "1/2022",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': ['Defense', 'Transportation', 'IT Services', 'Aviation', 'Maritime'],
                        'location': ['United States', 'Bulgaria', 'Czechia', 'France', 'Germany', 'Greece', 'Italy', 'Moldova', 'Netherlands', 'Poland', 'Romania', 'Slovakia', 'Ukraine'],
                        'type': ['Defense', 'Transportation', 'IT Services', 'Air Traffic', 'Maritime']}],
 'attack_vector': ['Password spraying',
                   'Spear-phishing',
                   'Exploiting Microsoft Exchange vulnerabilities',
                   'Exploiting Outlook NTLM vulnerability (CVE-2023-23397)',
                   'Exploiting Roundcube webmail vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)',
                   'Exploiting WinRAR vulnerability (CVE-2023-38831)',
                   'Exploiting internet-facing infrastructure and corporate VPNs via public vulnerabilities and SQL injection',
                   'Credential guessing/brute force'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Email data', 'Office 365 user lists', 'Sensitive aid shipment details', 'Active Directory information', 'Personally Identifiable Information']},
 'date_detected': '2022',
 'description': 'A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine. The hackers targeted entities in the defense, transportation, IT services, air traffic, and maritime sectors in 12 European countries and the United States. They also compromised private cameras to monitor the movement of materials into Ukraine.',
 'impact': {'data_compromised': 'Email accounts, Office 365 user lists, sensitive information on aid shipments (sender/recipient, cargo content, travel routes, container registration numbers, destination), Active Directory information',
            'identity_theft_risk': 'High (Personally Identifiable Information exposed)',
            'operational_impact': 'Disruption of aid shipments to Ukraine, potential physical or cyber disruption of support efforts',
            'systems_affected': 'Corporate networks, email systems, internet-connected cameras, VPNs, Microsoft Exchange servers'},
 'initial_access_broker': {'high_value_targets': 'Cybersecurity, transport coordination, partner companies'},
 'investigation_status': 'Ongoing',
 'motivation': 'Disrupt aid efforts to Ukraine, cyberespionage, tracking movement of materials into Ukraine',
 'post_incident_analysis': {'root_causes': ['Exploitation of unpatched vulnerabilities', 'Spear-phishing and credential attacks', 'Trust relationship exploitation', 'Compromised SOHO devices for stealth']},
 'recommendations': 'General security mitigations, detections, and indicators of compromise provided in the joint advisory. Organizations involved in aid to Ukraine should consider themselves targeted.',
 'references': [{'source': 'Joint advisory from 21 intelligence and cybersecurity agencies'},
                {'source': 'BleepingComputer (John Hultquist, Google Threat Intelligence Group)'}],
 'stakeholder_advisories': 'Organizations involved in sending material aid to Ukraine should consider themselves targeted and take precautionary measures.',
 'threat_actor': 'APT28 (Fancy Bear/Forest Blizzard, Russian GRU 85th GTsSS, military unit 26165)',
 'title': 'Russian State-Sponsored Cyberespionage Campaign by APT28 (Fancy Bear/Forest Blizzard)',
 'type': 'Cyberespionage',
 'vulnerability_exploited': ['CVE-2023-23397', 'CVE-2020-12641', 'CVE-2020-35730', 'CVE-2021-44026', 'CVE-2023-38831']}