CISA Says Russian Hackers Targeting Western Supply-Lines to Ukraine
The US government’s cybersecurity agency CISA is sounding the alarm over what it calls an “elevated threat” from Russia’s military-intelligence hackers, warning that Unit 26165 (APT28/Fancy Bear) is systematically zeroing in on Western logistics and technology companies that move weapons, aid and other supplies into Ukraine.
The alert, issued Wednesday alongside US, UK, German and dozens of other allied agencies, urges organizations in the logistics space to assume they are already in the sights of Russian APTs and to “posture network defenses with a presumption of targeting.”
According to technical documentation released by CISA, the GRU-linked espionage campaign has been underway since early 2022, expanding as the conflict with Ukraine intensified.
The agency said shipping brokers, rail operators, port authorities, air-traffic managers, defense contractors and the IT firms that connect them have all been swept up in the operation, with victims logged in at least 13 countries, including the United States, Ukraine and a number of European NATO members.
“The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed,” the agency said.
The joint advisory describes a playbook that mixes bulk password spraying and spear-phishing with targeted exploitation of known vulnerabilities. The group has exploited the Microsoft Outlook NTLM-leak bug (CVE-2023-23397) to harvest NTLM hashes, along with three Roundcube webmail flaws and the 2023 WinRAR archive bug (CVE-2023-38831), to gain initial access, then routed its traffic through compromised small-office/home-office routers and other edge devices to obscure its origin.
Once inside, the operators move quickly, CISA explained: abusing Exchange mailbox permissions to harvest email at scale, moving laterally and pulling Active Directory data with Impacket and PsExec, and dropping custom malware such as HEADLACE and MASEPIE to maintain persistence and exfiltrate stolen data.
“After an initial compromise using one of the above techniques, Unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions. The actors also conducted reconnaissance of the cybersecurity department, individuals responsible for coordinating transport, and other companies cooperating with the victim entity,” according to the advisory.
One priority target is shipping manifests, including train, plane and container numbers, which CISA notes reveal exactly what is headed to Ukraine and when. The advisory links the network intrusions to a parallel effort that hijacked thousands of IP cameras at border crossings and rail yards, giving Russian intelligence a real-time view of aid convoys.
The government is urging organizations in the targeted sectors to tighten identity controls, deploy phishing-resistant multi-factor authentication (MFA), hunt aggressively for the Outlook, Roundcube and WinRAR exploit chains, and assume any publicly exposed device can serve as a foothold.
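A practical triage check for the WinRAR part of that hunt, added here as an illustration and not code from CISA or the advisory: CVE-2023-38831 exploit archives pair a decoy document with a directory of the same name plus a trailing space, and the script inside that directory carries the decoy's name plus an executable extension. That layout is visible in the ZIP entry list without extracting anything. The sample archives the script builds are constructed for this demonstration, and the extension list and function names are assumptions of this example rather than anything the advisory specifies.

```python
"""Triage ZIP archives for the CVE-2023-38831 (WinRAR) directory-name trick.

Added example for this page, not CISA's code. The exploit archive pairs a
decoy file ("invoice.pdf") with a directory "invoice.pdf " (trailing space)
holding a script such as "invoice.pdf .cmd"; vulnerable WinRAR launches the
script when the user double-clicks the decoy.
"""
import io
import os
import zipfile

# Extensions the shell will execute; a payload with one of these under a
# "decoy + space" directory is the signature we look for (assumed list).
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".ps1", ".js", ".hta", ".scr", ".lnk"}


def find_cve_2023_38831_pairs(zip_bytes: bytes) -> list[dict]:
    """Return one finding per decoy/payload pair that matches the exploit layout.

    Directory membership is derived from file paths rather than explicit
    "dir/" records, so archives that omit the directory entry are still caught.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = sorted(n for n in zf.namelist() if not n.endswith("/"))
    top_level = [n for n in files if "/" not in n]
    findings = []
    for decoy in top_level:
        prefix = decoy + " /"  # the trailing space is the whole trick
        for entry in files:
            if not entry.startswith(prefix):
                continue
            ext = os.path.splitext(entry.rstrip())[1].lower()
            if ext in SCRIPT_EXTS:
                findings.append({"decoy": decoy, "payload": entry})
    return findings


def scan_file(path: str) -> list[dict]:
    """Convenience wrapper for scanning an archive on disk."""
    with open(path, "rb") as fh:
        return find_cve_2023_38831_pairs(fh.read())


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed sample archive for the demo (not a real-world capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 decoy document")
        if malicious:
            # Directory named after the decoy plus a space, payload inside it.
            zf.writestr("invoice.pdf /invoice.pdf .cmd", b"start calc.exe\r\n")
        else:
            zf.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign", False), ("exploit-style", True)):
        hits = find_cve_2023_38831_pairs(build_sample_archive(flag))
        print(f"{label}: {hits or 'no CVE-2023-38831 layout found'}")
```

The check reads only the entry names, so it is safe to run over quarantined mail attachments in bulk. It handles ZIP containers; RAR-format archives need a RAR reader, and the extension list should be widened to whatever your estate treats as executable.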
“Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of Unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs),” the agency said.