Latest news with #APT28

Russia wages silent cyberwar on Western supply chains

Yahoo · Politics · 6 days ago
Imagine someone sneaking into your house, not through the front door, but through your email, your Wi-Fi or even your smart doorbell camera. That's exactly the warning in a new cybersecurity report from U.S. and international intelligence agencies: Russian military hackers have been trying to break into the digital infrastructure of Western logistics and tech companies, particularly those helping Ukraine. The attackers are part of Russia's military intelligence agency, known as the Glavnoye Razvedyvatelnoye Upravlenie (GRU), and specifically a cyberunit called the 85th Main Special Service Center, also referred to as Unit 26165. In the cybersecurity world, this group is more infamously known as 'Fancy Bear,' 'APT28,' 'Forest Blizzard' or 'BlueDelta.' Those names represent years of tracking by threat researchers across the globe who've linked the group to some of the highest-profile cyberespionage campaigns in recent memory. What makes this group especially dangerous is its mission and method. Unlike common cybercriminals who are after credit card numbers or quick financial gain, GRU Unit 26165's goal is state-level espionage: to infiltrate, observe and manipulate critical digital systems that power economies and militaries. Think ports, air traffic systems, IT companies that manage cargo routing software and even the infrastructure behind customs clearance. These aren't just business targets, they're strategic assets in times of war.

Since Russia's invasion of Ukraine in 2022, this cyberunit has gone into overdrive. As Western countries began ramping up military and humanitarian aid to Ukraine, the GRU focused its efforts on the logistics and tech companies that support those flows. It didn't just try to hack the governments sending the aid — it went after the entire digital infrastructure involved in getting it there. That meant targeting trucking companies coordinating military cargo. It meant breaching email systems at port authorities and tracking aircraft manifests at airports. It meant going after companies that manage GPS routing, warehouse inventories and customs data. And, perhaps most disturbingly, it meant hijacking internet-connected security cameras.

These weren't just casual attempts to spy. The GRU was actively compromising Real Time Streaming Protocol (RTSP) camera feeds at border crossings, railway stations and key road junctions across Ukraine and neighboring NATO countries. From there, it could watch real-time footage of trucks, trains or convoys delivering aid and supplies. The goal? Build a live picture of how support for Ukraine was physically moving through Europe and find ways to delay, reroute or sabotage it.

According to the report on GRU tactics, one of the group's go-to methods is phishing: sending fake but convincing emails that lure people into clicking malicious links or entering passwords on forged login pages. These messages often look like they're from trusted sources, government agencies or well-known tech providers, and are often written in the target's native language. In many cases, the attackers use compromised small office or home office routers to host these fake pages, making them harder to trace.

Once the hackers get a foot in the door, the GRU uses malware: custom-built programs designed to spy, steal or quietly hijack systems. In this campaign, it deployed malware strains called HEADLACE and MASEPIE, which allowed the GRU to collect passwords, intercept emails and maintain access over time. The group also exploited known software vulnerabilities, including critical flaws in Microsoft Outlook and other email platforms (which let it harvest login credentials through rogue calendar invites) and in the popular file compression tool WinRAR. Each of these bugs opened a backdoor that allowed attackers to slip past defenses without setting off alarms.

Once inside a network, GRU operatives moved methodically. They searched email inboxes for logistics details like shipping manifests, sender and recipient data, tracking numbers, transport routes and cargo descriptions. They didn't just grab the data and leave. Instead, they set up camp, adjusting email permissions, enrolling compromised accounts in multifactor authentication (MFA) to deepen trust and quietly collecting sensitive information for weeks or even months. Their aim wasn't just access, it was prolonged invisibility. The GRU studied the tempo of global trade, mapping every point where aid or military equipment might flow. The report doesn't list all the victims, but it makes clear the U.S. wasn't spared. The attackers targeted logistics and technology companies across at least 13 countries, including the U.S., Germany, France, Poland and Ukraine.

At the heart of it all is a simple truth: cyberhygiene matters, and it starts with access. The report advises organizations to treat passwords like keys to the castle. That means ditching weak or reused credentials, banning the use of default logins and embracing MFA wherever possible, especially hardware-based MFA like smartcards or security tokens that are much harder to steal or spoof than SMS codes or app-based prompts. Even better, companies should begin moving away from passwords altogether, turning to more modern approaches, like single sign-on systems or certificate-based authentication, that reduce the chances of stolen credentials being used at all.

'Think about how many sticky notes are on desks or passwords that are shared through a quick [direct message]. It's 2025. It takes one second of compromise for every credential you ever sent to be a new attack vector that gets used against your customers and coworkers,' Garrett Allen, FreightTech expert and co-founder of LoadPartner, told FreightWaves.

Beyond access, the report emphasizes the importance of watching every corner of your digital environment. This isn't just about having antivirus software, it's about adopting a mindset of continuous surveillance. Network defenders should be logging who accesses what, flagging unusual login times or geographic anomalies, and tracking data movement across the system. The report suggests using automated tools that can help spot and shut down attackers before they move laterally or exfiltrate sensitive files.

Then comes one of the most overlooked but essential defenses: updating software. Many of the techniques used by GRU hackers relied on known vulnerabilities, some of which had patches available for months or even years. This includes high-profile flaws in Microsoft Outlook, Roundcube and WinRAR, all of which were exploited to quietly gain entry. Organizations need a structured, enforced update policy that prioritizes high-risk systems and doesn't rely on manual updates or once-a-quarter maintenance windows.

But the report goes further, urging companies to rethink their digital architecture entirely. It recommends segmenting networks so that if one part is breached, the attackers can't move freely throughout the system. Access should be granted based on role and necessity — email admins shouldn't have domainwide privileges, and vendor accounts should be tightly controlled and monitored. Organizations are also urged to filter traffic aggressively. That means using firewalls to block access to known malicious domains, disabling unnecessary remote services and watching for logins from public VPNs.

Finally, businesses need to recognize that their supply chain partners could be their weakest link. Vendors, contractors and connected third parties must be held to the same cybersecurity standards, and their access to internal systems should be scrutinized.

'This makes me think about some of the legacy-to-modern bridges we have, like ELD aggregators holding credentials for thousands of carriers. What happens when one of those gets compromised?' said Allen.

Trust, in the digital realm, must be earned continuously. As the report makes painfully clear, sometimes the greatest danger isn't the hackers you know. It's the silent, overlooked connection that lets them walk right in.

Articles by Grace Sharkey

The post Russia wages silent cyberwar on Western supply chains appeared first on FreightWaves.

Russia Targeting, Breaching Western Organizations Aiding Ukraine: CISA Joint Advisory

Epoch Times · Business · 22-05-2025
Western logistics and technology companies engaged in the transportation, coordination, and delivery of foreign assistance to Ukraine are being targeted by a Russian state-sponsored cyber unit, the Cybersecurity and Infrastructure Security Agency (CISA) said in a May 21 joint advisory. The campaign, which began in 2022, is being carried out by a military unit within the Russian General Staff Main Intelligence Directorate (GRU) called Unit 26165, which is known in the cybersecurity community under various names such as APT28, Fancy Bear, Forest Blizzard, and BlueDelta.

Russian military hackers attack NATO logistics

Yahoo · Politics · 22-05-2025
A Russian state-sponsored hacker group has been conducting a large-scale cyberattack against logistics and technology companies involved in delivering international assistance to Ukraine since 2022. At least 13 NATO member countries and Ukraine have been targeted.

Source: analytical report from the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security

Details: According to the report, a unit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation – the 85th Main Special Service Centre (military unit 26165), also known in the cybersecurity community under names such as Fancy Bear, APT28, Forest Blizzard or BlueDelta – has significantly increased cyber operations against Western infrastructure since late February 2022. The main targets of the campaign have been logistics companies, IT businesses and transport infrastructure that coordinate, transport and deliver foreign assistance to Ukraine.

Quote: "These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organisations:
  • Defence Industry
  • Transportation and Transportation Hubs (ports, airports, etc.)
  • Maritime
  • Air Traffic Management
  • IT Services"

Details: Reconnaissance was also recorded against at least one business involved in manufacturing components for industrial control systems (ICS), specifically for railway management. One of the priority targets for Russian hackers has been transport waybills, including information on train, aircraft and container numbers that clearly show what exactly is heading to Ukraine and when. The report stated that thousands of IP cameras at border checkpoints and railway hubs had been compromised, giving Russian intelligence the ability to monitor humanitarian assistance convoys in real time. The cyberattacks have affected at least 13 countries, including Czechia, Germany, Poland, Romania, Ukraine and the United States.

UK, Australia warn of Russian cyber moves over Ukraine

West Australian · Politics · 21-05-2025
The United Kingdom and allies including Australia have issued an advisory warning of a Russian state-sponsored cyber campaign targeting the delivery of support to Ukraine and international logistics entities and technology companies. "This malicious campaign by Russia's military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine," Paul Chichester, Director of Operations at the UK's National Cyber Security Centre (NCSC), said.

The campaign has also targeted defence, IT services, maritime, airports, ports and air traffic management systems sectors in several members of the NATO military alliance, the NCSC statement said. GRU Unit 26165 - also known as APT 28 or Fancy Bear - is said to have gained access to some networks using a range of techniques, including guessing log-in credentials and spear-phishing - where specific individuals or organisations are targeted in an effort to gain access to a network.

Wednesday's advisory was issued in conjunction with Australia, the United States, Germany, the Czech Republic, Poland, Canada, Denmark, Estonia, France and the Netherlands, warning organisations of the elevated threat and urging immediate action to protect themselves. "We strongly encourage organisations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks," Chichester said.

with PA
