Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), Federal Bureau of... The post Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Russian GRU Unit 26165 (APT28/Fancy Bear)
## Attribution & Identity
**Attribution:** Russian state-sponsored cyber espionage campaign attributed to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center military Unit 26165.
**Known Aliases and Associated Groups:** APT28, Fancy Bear, Forest Blizzard, Blue Delta.
**MITRE ATT&CK ID:** G0007
## Activity Summary
The actor has been conducting a cyber espionage campaign for over two years, intensifying activity following Russia’s invasion of Ukraine in February 2022. The objective has been to gain a granular understanding of weapon systems and support being provided to Ukraine by targeting the entire logistics and supply chain supporting this aid. This includes monitoring equipment movement via air, sea, and rail. The actors compromised internet-connected cameras (IoT devices) at Ukraine’s borders to track supply movements and conducted reconnaissance on infrastructure components related to railway management. The campaign has successfully targeted dozens of organizations, including government and private sector entities across various modes of transportation.
## Tactics, Techniques & Procedures
- **Initial Access:** Password spraying, credential guessing/brute force attacks, spearphishing campaigns (aimed at stealing credentials or delivering malware), exploitation of known software vulnerabilities.
- **Exploitation:** Abuse of Microsoft Exchange permissions; exploitation of vulnerabilities in Outlook (an NTLM credential-leak flaw), Roundcube webmail, and WinRAR.
- **Infrastructure Targeting:** Exploiting publicly known vulnerabilities in corporate VPNs and utilizing SQL injection methods against internet-facing infrastructure.
- **IoT Compromise:** Exploitation and mass compromise of IP cameras and SOHO security appliances to gain real-time situational awareness.
- **General:** Employing a blend of known TTPs, often leveraging non-sophisticated methods in a highly orchestrated manner.
- **TTP Mapping:** Listed under MITRE ATT&CK ID G0007.
## Targeting
- **Sectors:** Technology companies, logistics companies (supporting transport/delivery of foreign aid to Ukraine), defense industry, transportation infrastructure (ports, airports), maritime operations, air traffic management, IT service providers, and manufacturing entities involved in industrial control system components (railway management).
- **Geography:** NATO member states, Ukraine, and international organizations. Specific targeted countries include Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the U.S.
- **Victims:** Dozens of organizations involved in nearly every mode of transportation; includes both government and private sector entities tied to aid delivery.
## Tools & Infrastructure
- **Malware families used:** Not explicitly detailed, but TTPs suggest custom or commodity malware utilized via spearphishing.
- **Infrastructure:** Targeting specific IoT assets (IP cameras) across Ukraine and neighboring NATO countries for persistent surveillance; techniques include credential guessing and brute force. No specific C2 domains or IP addresses are given in the source text.
## Implications
This campaign represents a highly orchestrated intelligence collection effort using cyber means against both IT and cyber-physical systems (leveraging IoT flaws) to support kinetic warfighting objectives against Ukraine. The focus on the supply chain provides the adversary with actionable intelligence on equipment movement, potentially aiding in kinetic targeting of critical infrastructure and logistics nodes. The reliance on known, non-sophisticated TTPs suggests a high operational tempo and a posture of aggressive targeting against known weak points.
## Mitigations
- Increase monitoring and threat hunting for known TTPs associated with GRU 26165.
- Posture network defenses with a presumption of targeting.
- Secure remote access: Disable if not required; if necessary, use strong authentication, VPNs, and Multi-Factor Authentication (MFA) for management accounts.
- Protect IP cameras: Place them behind firewalls, allowing communication only from approved IP addresses.
- Regularly review authentication activity for remote access and investigate anomalies.
- Audit user accounts to ensure they reflect current organizational needs.
- Configure, fine-tune, and monitor logging for ongoing security oversight.
- Patch known vulnerabilities (e.g., those exploited in Outlook, Roundcube, WinRAR, VPNs).
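As an added example (not from the advisory or the Industrial Cyber post), a small Python detector for the password-spraying pattern listed under Initial Access, supporting the mitigation to review remote-access authentication activity for anomalies; the log line format, the sample lines and the thresholds are assumptions constructed for the demonstration.

```python
"""Password-spray detection over remote-access authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): "timestamp src_ip user result".
# Source 203.0.113.7 tries one guess each against many accounts (spraying);
# source 198.51.100.4 is a single user mistyping a password, which is benign.
SAMPLE_LOG = """\
2025-05-21T08:00:01Z 203.0.113.7 alice FAIL
2025-05-21T08:00:03Z 203.0.113.7 bob FAIL
2025-05-21T08:00:05Z 203.0.113.7 carol FAIL
2025-05-21T08:00:07Z 203.0.113.7 dave FAIL
2025-05-21T08:00:09Z 203.0.113.7 erin FAIL
2025-05-21T08:00:11Z 203.0.113.7 frank SUCCESS
2025-05-21T08:05:00Z 198.51.100.4 alice FAIL
2025-05-21T08:05:10Z 198.51.100.4 alice FAIL
2025-05-21T08:05:20Z 198.51.100.4 alice SUCCESS
"""


def parse_line(line):
    """Parse one assumed-format log line into (timestamp, src_ip, user, result)."""
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail against >= min_users distinct accounts within `window`.

    Spraying is low-and-slow per account, so per-account lockout counters miss it;
    grouping by source and counting distinct usernames exposes the pattern. Any
    success from the same source after the spray began is reported for triage.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_src.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        start = 0
        for end in range(len(fails)):            # sliding time window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                after = {u for ts, u, r in evs if r == "SUCCESS" and ts >= fails[start][0]}
                alerts[src] = {"distinct_users": len(users), "successes_after": sorted(after)}
                break
    return alerts
```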