The National Security Agency and a group of U.S. and foreign partners issued a cybersecurity advisory warning that Russia’s military intelligence service has been running a sustained cyber-espionage campaign against Western government bodies and commercial logistics, transportation and technology firms, including companies supporting aid to Ukraine.
The alert centers on the Russian General Staff Main Intelligence Directorate’s 85th Main Special Service Center, also known as Unit 26165. The group—widely tracked by security researchers as APT28, Fancy Bear, Forest Blizzard or BlueDelta—has been active in this campaign since at least February 2022, the agencies said.
According to the advisory, Unit 26165 has used a mix of previously known and newly observed techniques to break into targets, including password spraying, spearphishing and manipulating Microsoft Exchange mailbox permissions. The guidance also warns that the actors exploit vulnerabilities in a range of small office/home office devices to hide their operations and proxy malicious traffic.
The agencies said the same operators have targeted internet-connected cameras in Ukraine and neighboring countries, likely to monitor the movement of shipments into Ukraine.
Officials urged at-risk organizations to increase monitoring and threat hunting for known tactics, techniques and procedures and indicators of compromise, to study the group’s methods, and to implement mitigations listed in the advisory. They added that the campaign is expected to continue.
The multinational advisory, titled “Russian GRU Targeting Western Logistics Entities and Technology Companies,” includes defensive recommendations for organizations that could be in scope.