A Persistent Threat to Allies’ Support

Russian military hackers from the GRU's Unit 26165, tracked as APT28, Fancy Bear, or Forest Blizzard, are actively conducting cyber operations against Western IT, defense, and transportation firms. The campaign aims to disrupt the flow of aid to Ukraine during Russia's ongoing invasion, according to a joint cybersecurity advisory issued this Tuesday.

Extensive Operations Since Russia’s Invasion

Since Russia's full-scale invasion of Ukraine more than three years ago, Unit 26165's focus has shifted. Initially engaged in espionage, the group expanded its targeting to logistics entities and technology companies involved in delivering military and humanitarian aid. The advisory notes that the campaign escalated after Russian forces suffered setbacks in Ukraine, with the hackers working to slow or obstruct Western assistance.

Methods of Attack

The threat actors have employed a range of tactics: credential guessing, spear-phishing emails carrying malicious links that harvest credentials or deliver malware, and exploitation of known vulnerabilities such as the Microsoft Outlook NTLM credential-leak flaw (CVE-2023-23397). Once inside a network, they moved laterally with little noise and gained access to sensitive shipment data (sender and recipient details, cargo contents, travel routes, and deployment points) while remaining largely undetected.

Monitoring Aid Movement via Surveillance Hacks

A significant aspect of this campaign involves compromising IP cameras and surveillance systems near border crossings, military installations, and transportation hubs such as rail stations and airports, both in Ukraine and in bordering NATO countries. The hackers also abused legitimate municipal systems such as traffic cameras to monitor aid shipments, giving them near real-time intelligence on cargo movements and logistics routes.

Broader Disruption Efforts and Ongoing Threat

This campaign appears linked to previous activity by Russian cyber units against aid shipments and logistical networks. The advisory urges organizations in these sectors to recognize the elevated threat level, strengthen their monitoring, and assume they are already targets of sophisticated intrusion attempts. Experts recommend a proactive posture to defend critical networks and sensitive logistics data against ongoing and future operations.
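One concrete piece of the "strengthen monitoring" advice that maps directly onto the credential guessing described under Methods of Attack is detecting password spraying: one source address cycling through many accounts with a few failures each, which per-account lockout thresholds never trip. The script below is an added example written for this page, not code from the advisory or from any vendor; the log format, field names, IP addresses, usernames, 10-minute window and 5-account threshold are all constructed assumptions for illustration.

```python
"""Detect password spraying in authentication logs (added example, not from the advisory).

Assumed log format (constructed for this example): "<ISO-8601 UTC timestamp> <src_ip> <username> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample events. 203.0.113.7 sprays six accounts in under 20 seconds and
# then succeeds against one of them; 198.51.100.2 is a single user mistyping a password.
SAMPLE_LOGS = """\
2025-05-20T08:00:01Z 203.0.113.7 j.smith FAIL
2025-05-20T08:00:04Z 203.0.113.7 a.jones FAIL
2025-05-20T08:00:07Z 203.0.113.7 m.lee FAIL
2025-05-20T08:00:10Z 203.0.113.7 r.patel FAIL
2025-05-20T08:00:13Z 203.0.113.7 k.wong FAIL
2025-05-20T08:00:16Z 203.0.113.7 d.garcia FAIL
2025-05-20T08:00:19Z 203.0.113.7 s.ivanov SUCCESS
2025-05-20T08:05:00Z 198.51.100.2 j.smith FAIL
2025-05-20T08:05:30Z 198.51.100.2 j.smith FAIL
2025-05-20T08:06:00Z 198.51.100.2 j.smith SUCCESS
"""


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    result: str


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated log lines into Event tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_spray(events: List[Event],
                 window: timedelta = timedelta(minutes=10),
                 min_users: int = 5) -> Dict[str, Dict[str, List[str]]]:
    """Flag source IPs that fail logons for at least `min_users` distinct accounts
    within any `window`-long span. Spraying is spotted by counting *accounts* per
    source, not failures per account, because a sprayer keeps every account below
    its lockout threshold. Any successful logon from a flagged IP is reported as a
    likely compromised account.
    """
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev.ip].append(ev)

    alerts: Dict[str, Dict[str, List[str]]] = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e.result == "FAIL"]
        best: set = set()
        # Slide a window starting at each failure and keep the largest set of distinct users.
        for i, first in enumerate(fails):
            users = {e.user for e in fails[i:] if e.ts - first.ts <= window}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            hits = sorted({e.user for e in evs if e.result == "SUCCESS"})
            alerts[ip] = {"sprayed_users": sorted(best), "successful_logons": hits}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_spray(parse_log(SAMPLE_LOGS)).items():
        print(f"[ALERT] password spray from {ip}: "
              f"{len(info['sprayed_users'])} accounts tried, "
              f"successful logons: {info['successful_logons'] or 'none'}")
```

In production the same logic runs over authentication events from a directory service, VPN or mail gateway; the per-source distinct-account count is what distinguishes spraying from an ordinary user mistyping a password, as the second constructed source shows.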

No Official Comments Yet

The advisory did not name the targeted companies or organizations, and neither the Pentagon nor the NSA responded to inquiries about specific incidents. The campaign nonetheless underscores the continued role of cyber operations as a force multiplier in Russia's broader effort to undermine aid to Ukraine and weaken Western support.