
APT28 Targets Western Logistics and Tech Firms Supporting Ukraine Aid

Russia's GRU Unit 26165, the military intelligence unit behind the APT28 threat cluster (also tracked as Fancy Bear, Forest Blizzard, and BlueDelta), has been running a sustained cyber-espionage campaign against Western logistics companies, defense contractors, and technology firms since 2022. The campaign, documented in CISA joint advisory AA25-141A, targets organizations involved in coordinating, transporting, and delivering foreign assistance to Ukraine. Notably, the actors also broke into IP cameras at Ukrainian border crossings to watch aid shipments in near-real time.

APT28: Technical Details

APT28 (Advanced Persistent Threat 28) is the operational designation for the GRU's 85th Main Special Service Center, military unit 26165. The group has operated for over a decade and is responsible for the 2015 intrusion into the German Bundestag, the 2016 compromise of the U.S. Democratic National Committee, and intrusions into multiple NATO member networks. The logistics campaign represents a strategic shift: rather than disrupting targets, APT28 is conducting sustained intelligence collection on Western military aid supply chains.

The joint advisory, co-authored by the NSA, FBI, CISA, the DoD Cyber Crime Center, and agencies from allied countries, attributes the campaign to GRU Unit 26165 with high confidence, citing matching tooling, infrastructure, and TTPs (Tactics, Techniques, and Procedures) across dozens of victim organizations.

Initial Access Methods

APT28 used three primary vectors to breach logistics and technology targets:

Password spraying and brute force (MITRE ATT&CK T1110, with spraying as sub-technique T1110.003): attackers tested credentials against internet-facing services, in particular Microsoft 365, Roundcube webmail, and VPN concentrators. A spray tries one or two common passwords against many accounts and spreads the attempts across time and source addresses, so each account stays below its lockout threshold. In the logs it looks like one or two failures per account across many accounts, whereas a classic brute force is many failures against one account.

Spear-phishing with CVE exploitation: Two specific CVEs feature prominently in the campaign:

  • CVE-2023-23397 (CVSS 9.8, Critical): a zero-click elevation-of-privilege flaw in Microsoft Outlook for Windows. A crafted appointment or task whose reminder sound path (the PidLidReminderFileParameter property) points to a UNC path on an attacker-controlled server makes Outlook connect there when the reminder fires and authenticate with NTLM (NT LAN Manager), the legacy Windows authentication protocol. The attacker captures the Net-NTLMv2 challenge-response, which can be relayed to other services or cracked offline, without the victim opening an attachment or clicking a link. Microsoft patched it in March 2023, but unpatched systems remained targets through 2024 and 2025.
  • CVE-2023-38831 (CVSS 7.8, High): a WinRAR flaw (fixed in 6.23) that executes a script hidden in an archive when the victim opens what looks like a harmless document from the same archive. Attackers delivered such archives via spear-phishing emails themed around logistics briefings, shipping manifests, and aid coordination documents.

VPN and SOHO device exploitation: Unpatched vulnerabilities in widely deployed VPN appliances and small-office/home-office (SOHO) network devices — the kind commonly used in regional logistics offices — gave APT28 initial network footholds that were then used to tunnel deeper into corporate environments.

Post-Compromise Tooling

Once inside a target network, APT28 deployed a suite of purpose-built malware:

  • HEADLACE: a multi-stage backdoor, delivered through phishing lures, that provides persistent remote access and can fetch further components after deployment.
  • MASEPIE: a Python-based backdoor used for command execution and file transfer over a TCP channel.
  • OCEANMAP: a C#-based backdoor that uses IMAP for command and control, so its traffic blends with mail.
  • STEELHOOK: a PowerShell script that harvests browser data such as saved passwords and session cookies.

For lateral movement (MITRE ATT&CK T1021), APT28 used Impacket, an open-source Python library that implements Windows network protocols such as SMB and WMI, alongside legitimate administration tools: PsExec (the Microsoft Sysinternals remote execution tool) and RDP (Remote Desktop Protocol). Because administrators use the same tools and protocols, the activity is hard to distinguish from routine operations. They also used Certipy, an Active Directory Certificate Services (AD CS) tool, to enumerate and abuse misconfigured certificate templates for privilege escalation and persistence.

Email collection (MITRE ATT&CK T1114.002, Remote Email Collection) ran through Exchange Web Services (EWS) and IMAP, which let the actors pull mailbox contents over months using the same interfaces legitimate clients use. They also modified mailbox permissions so that collection continued even after the original foothold or credential was lost.

The IP Camera Angle

The most operationally significant element of the campaign is APT28's targeting of IP cameras near Ukrainian border crossings, military installations, and rail stations. By pulling camera streams via RTSP (Real Time Streaming Protocol, the protocol used to request and deliver live video), the actors could watch aid convoys entering Ukraine in near-real time. This is MITRE ATT&CK T1125 (Video Capture) applied as strategic intelligence: not just stealing data, but observing the physical movement of foreign assistance.

Camera access came through factory default credentials and brute-forced passwords, with the actors sending RTSP DESCRIBE requests carrying guessed logins. Both weaknesses are cheap to fix, and the credential and firmware posture of a networked camera becomes a national-security matter when that camera overlooks a sensitive transit route.
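
The exchange behind that access is short: an unauthenticated DESCRIBE, a 401 with a Digest challenge, and a retry carrying the MD5 response computed from the credentials. The script below is an added example, not code from the advisory or from this article, and shows both sides so a defender can audit their own cameras for factory logins. An in-memory FakeCamera stands in for a real device so it runs offline; the realm, nonce, stream URI, and the short default-credential list are constructed. Point the client side only at cameras you own.

```python
"""RTSP DESCRIBE with Digest authentication, client and camera side.

Added example; not code from the advisory, CISA or the article. FakeCamera
stands in for a real device so the exchange runs offline; realm, nonce,
URI and the credential list are constructed. Use only against cameras you own.
"""
import hashlib
import re

# Illustrative factory defaults to audit against (constructed list, not a
# vendor table); extend it from your own asset inventory.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "12345"), ("admin", ""),
                       ("root", "pass")]

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, password, realm, nonce, method, uri):
    """RFC 2617 Digest without qop, the variant most cameras speak for RTSP."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def _fields(header_value):
    """Turn 'Digest realm="x", nonce="y"' into {'realm': 'x', 'nonce': 'y'}."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header_value))

def _headers(lines):
    out = {}
    for line in lines:
        name, _, value = line.partition(":")
        if name:
            out[name.strip().lower()] = value.strip()
    return out

def build_describe(uri, cseq, authorization=None):
    lines = [f"DESCRIBE {uri} RTSP/1.0", f"CSeq: {cseq}", "Accept: application/sdp"]
    if authorization:
        lines.append(f"Authorization: {authorization}")
    return "\r\n".join(lines) + "\r\n\r\n"

def parse_response(raw):
    """Split an RTSP response into (status code, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    return int(status_line.split()[1]), _headers(header_lines), body

def authorization_header(username, password, method, uri, challenge):
    """Answer a WWW-Authenticate Digest challenge for one request."""
    if not challenge.startswith("Digest"):
        raise ValueError("unexpected auth scheme: " + challenge)
    c = _fields(challenge)
    response = digest_response(username, password, c["realm"], c["nonce"], method, uri)
    return (f'Digest username="{username}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", response="{response}"')

class FakeCamera:
    """Camera side: 401 with a Digest challenge, SDP on a valid response.
    A real device rotates the nonce per challenge; a fixed one is enough here."""

    def __init__(self, realm, nonce, users, require_auth=True):
        self.realm, self.nonce = realm, nonce
        self.users, self.require_auth = users, require_auth

    def handle(self, request):
        request_line, *header_lines = request.split("\r\n")
        method, uri, _ = request_line.split()
        headers = _headers(header_lines)
        cseq = headers.get("cseq", "0")
        ok = not self.require_auth
        if "authorization" in headers and not ok:
            f = _fields(headers["authorization"])
            user = f.get("username")
            if user in self.users and f.get("uri") == uri:
                expected = digest_response(user, self.users[user], self.realm,
                                           self.nonce, method, uri)
                ok = f.get("response") == expected
        if ok:
            sdp = "v=0\r\nm=video 0 RTP/AVP 96\r\n"
            return (f"RTSP/1.0 200 OK\r\nCSeq: {cseq}\r\nContent-Type: application/sdp"
                    f"\r\nContent-Length: {len(sdp)}\r\n\r\n{sdp}")
        return (f"RTSP/1.0 401 Unauthorized\r\nCSeq: {cseq}\r\n"
                f'WWW-Authenticate: Digest realm="{self.realm}", nonce="{self.nonce}"\r\n\r\n')

def try_credentials(camera, uri, username, password):
    """Run the full exchange; return 'open', 'accepted' or 'rejected'."""
    status, headers, _ = parse_response(camera.handle(build_describe(uri, 1)))
    if status == 200:
        return "open"                       # no authentication required at all
    auth = authorization_header(username, password, "DESCRIBE", uri,
                                headers["www-authenticate"])
    status, _, _ = parse_response(camera.handle(build_describe(uri, 2, auth)))
    return "accepted" if status == 200 else "rejected"

def audit_defaults(camera, uri, candidates=DEFAULT_CREDENTIALS):
    """First (user, password) the camera accepts, 'open', or None if all fail."""
    for user, password in candidates:
        verdict = try_credentials(camera, uri, user, password)
        if verdict == "open":
            return "open"
        if verdict == "accepted":
            return (user, password)
    return None

if __name__ == "__main__":
    cam = FakeCamera("IP Camera", "0a1b2c3d", {"admin": "12345"})
    print(audit_defaults(cam, "rtsp://192.0.2.44:554/stream1"))
```

Two things to notice. The response is an unsalted MD5 over the password, realm and nonce, so anyone who can see the 401/retry pair on the wire can brute-force the password offline; RTSP has no transport encryption on most cameras. And a camera that answers the first DESCRIBE with 200 has no authentication at all, which is the "open" case above and the first thing an inventory sweep should surface.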

Who Is Affected

The advisory identifies organizations across nearly every mode of transportation as targets:

  • Maritime operations: Port authorities, shipping companies, and freight forwarders in NATO member states
  • Air transport: Airlines, cargo carriers, and air traffic management entities
  • Rail infrastructure: Including ICS/SCADA (Industrial Control Systems/Supervisory Control and Data Acquisition) systems that operate rail signaling and logistics
  • Defense contractors: Particularly those involved in procurement, warehousing, and delivery of military materiel
  • Technology companies: IT service providers supporting any of the above sectors

The primary geographic targets are NATO member states, Ukraine, and international organizations involved in foreign assistance coordination. The advisory names victims in more than a dozen countries, Poland, Germany, Romania, and the Netherlands among them; organizations on the aid transit routes are the most exposed.

Exploitation Status and Threat Landscape

This is not a theoretical threat: the campaign has been active since 2022, coinciding with Russia's full-scale invasion of Ukraine, and shows no sign of stopping. KEV (Known Exploited Vulnerabilities) listings are kept per vulnerability rather than per campaign, and both initial-access CVEs above are in CISA's catalog: CVE-2023-23397 was added on the day of its March 2023 disclosure and CVE-2023-38831 in August 2023.

Voice phishing (vishing, MITRE ATT&CK T1598.004, Spearphishing Voice) against help desks and IT support staff at logistics firms was also observed, consistent with APT28's social engineering tradecraft in other campaigns.

The sustained, strategic nature of the operation — collecting intelligence on aid quantities, routing, and timing rather than purely causing disruption — suggests GRU tasking focused on battlefield intelligence support for Russian military planning.

What You Should Do Right Now

  • Patch CVE-2023-23397 on any remaining Microsoft Outlook deployments. Run Get-MailboxPermission in Exchange to audit whether unexpected FullAccess delegates have been added to mailboxes, a persistence method used in this campaign.
  • Audit VPN and SOHO device firmware versions against vendor advisories. Replace end-of-life devices that no longer receive security updates.
  • Rotate all credentials for internet-facing services, particularly Microsoft 365, Roundcube, and VPN appliances. Enable MFA (Multi-Factor Authentication) on every remote access method.
  • Audit IP camera deployments at any sensitive facilities. Change default credentials, isolate cameras on a dedicated VLAN (Virtual Local Area Network) with no internet egress, and update firmware.
  • Hunt for HEADLACE and MASEPIE indicators: Review endpoint telemetry for suspicious HTTPS beaconing, Impacket usage patterns, and EWS API calls made outside business hours. CISA's STIX threat intelligence file for the advisory provides machine-readable IOCs (Indicators of Compromise).
  • Review Exchange mailbox permissions for unexpected delegates or forwarding rules, which APT28 uses to maintain persistent email access after password resets.
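
The last three items come down to one hunt over Exchange's admin audit trail. The script below is an added example, not code from CISA or from this article; it reads constructed records in the shape of Microsoft 365 Unified Audit Log ExchangeAdmin data (Operation, Parameters as Name/Value pairs, UserId, CreationTime) and flags FullAccess delegates, forwarding to outside domains, inbox rules that delete what they forward, and changes made outside business hours. The internal domain list, the business-hours window, and the sample records are assumptions; on-premises Search-AdminAuditLog output carries the same cmdlet names and parameters under different field names, so only the loader needs adapting.

```python
"""Hunt Exchange admin-audit records for mailbox-persistence changes.

Added example; not code from CISA or the article. The records below are
constructed in the shape of Microsoft 365 Unified Audit Log ExchangeAdmin
AuditData (Operation, Parameters as Name/Value pairs, UserId, CreationTime).
"""
import json
from datetime import datetime

INTERNAL_DOMAINS = {"example.org"}        # constructed: your accepted domains

# Constructed sample: a hidden FullAccess delegate, mailbox-level forwarding to
# an outside address, an inbox rule that forwards and deletes, and one benign
# change made during the working day.
SAMPLE_AUDIT = """[
 {"CreationTime": "2025-05-19T02:14:07", "Operation": "Add-MailboxPermission",
  "UserId": "svc-helpdesk@example.org",
  "Parameters": [{"Name": "Identity", "Value": "cfo@example.org"},
                 {"Name": "User", "Value": "contractor7@example.org"},
                 {"Name": "AccessRights", "Value": "FullAccess"},
                 {"Name": "AutoMapping", "Value": "False"}]},
 {"CreationTime": "2025-05-19T02:16:40", "Operation": "Set-Mailbox",
  "UserId": "svc-helpdesk@example.org",
  "Parameters": [{"Name": "Identity", "Value": "logistics@example.org"},
                 {"Name": "ForwardingSmtpAddress", "Value": "smtp:archive@example.net"},
                 {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
 {"CreationTime": "2025-05-19T02:20:12", "Operation": "New-InboxRule",
  "UserId": "logistics@example.org",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "SubjectContainsWords", "Value": "manifest;convoy"},
                 {"Name": "ForwardTo", "Value": "archive@example.net"},
                 {"Name": "DeleteMessage", "Value": "True"}]},
 {"CreationTime": "2025-05-19T10:05:00", "Operation": "Set-Mailbox",
  "UserId": "admin@example.org",
  "Parameters": [{"Name": "Identity", "Value": "bob@example.org"},
                 {"Name": "DisplayName", "Value": "Bob Jones"}]}
]"""

FORWARDING_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress", "ForwardTo",
                     "ForwardAsAttachmentTo", "RedirectTo"}

def load_records(text):
    return json.loads(text)

def params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def off_hours(timestamp, start=7, end=19):
    """True outside start-end on weekdays or at the weekend (tune to the mailbox's timezone)."""
    t = datetime.fromisoformat(timestamp)
    return t.weekday() >= 5 or not start <= t.hour < end

def is_external(address):
    """Exchange stores SMTP forwarding targets with an 'smtp:' prefix."""
    addr = address.lower().removeprefix("smtp:")
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def hunt(records):
    """Return (severity, operation, mailbox, reason) for each suspicious record."""
    findings = []
    for r in records:
        p, op = params(r), r["Operation"]
        mailbox = p.get("Identity") or p.get("Mailbox") or r["UserId"]
        reasons = []
        if (op == "Add-MailboxPermission" and "FullAccess" in p.get("AccessRights", "")
                and p.get("User", "").lower() != mailbox.lower()):
            reasons.append(f"FullAccess delegate {p['User']}")
            if p.get("AutoMapping") == "False":
                reasons.append("AutoMapping off, so the mailbox never shows in the delegate's Outlook")
        for name in sorted(FORWARDING_PARAMS & p.keys()):
            if is_external(p[name]):
                reasons.append(f"{name} to external {p[name]}")
        if op in ("New-InboxRule", "Set-InboxRule") and p.get("DeleteMessage") == "True":
            reasons.append("rule deletes matching mail")
        if not reasons:
            continue
        severity = "high" if any("delegate" in x or "external" in x for x in reasons) else "medium"
        if off_hours(r["CreationTime"]):
            severity = "critical" if severity == "high" else "high"
            reasons.append("changed off-hours")
        findings.append((severity, op, mailbox, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in hunt(load_records(SAMPLE_AUDIT)):
        print(" | ".join(finding))
```

The AutoMapping check matters: a delegate granted FullAccess with AutoMapping off gets the mailbox without it appearing in their own Outlook, which is exactly what an actor who wants quiet EWS or IMAP access to someone else's mail would choose. Pair this with a periodic Get-MailboxPermission sweep, since audit logs only cover the retention window and a grant made before it will not appear here.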

Background: Understanding the Risk

Russia's targeting of logistics networks is a form of intelligence collection against the Western logistics kill chain — the end-to-end process by which weapons, vehicles, and ammunition move from donor countries to Ukrainian military units. Understanding these supply lines helps Russian military planners anticipate which equipment types will arrive, when, and in what quantities.

This campaign is distinct from Russia's broader destructive cyberattacks (such as the wiper malware used against Ukrainian infrastructure) because the primary objective here is collection, not disruption — though the capability to disrupt is almost certainly present in compromised networks.

APT28 has a decade-long record of intelligence-collection intrusions. During the 2016 U.S. presidential campaign, the group compromised the Democratic National Committee and the Clinton campaign for the same purpose. The logistics campaign applies that methodology to physical supply chains, using digital access to gain visibility into physical movements.

The joint advisory was co-signed by agencies in the U.S., UK, Germany, France, Poland, and multiple other NATO members — an unusually broad public attribution that reflects both the seriousness of the threat and the strength of the evidence gathered across victim organizations.

For defenders in the logistics, defense, and transport sectors: if your organization touches Ukraine aid coordination in any capacity — freight brokerage, customs clearance, warehousing, fleet management — you should treat this advisory as directly applicable and conduct an immediate threat hunt using the provided IOCs.

Conclusion

Russia's GRU Unit 26165 has been running a patient, multi-year intelligence operation against Western logistics infrastructure, using CVE-2023-23397, custom malware, and even IP cameras to track aid flowing into Ukraine. Organizations in defense contracting, maritime, rail, and air transport that have not audited their systems against the indicators in CISA AA25-141A should prioritize that work immediately. The most urgent actions: patch Outlook, rotate credentials and enforce MFA, and audit Exchange mailbox permissions and forwarding rules.
