The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners, has issued a joint cybersecurity advisory exposing a Russian state-sponsored cyber espionage campaign. The operation, attributed to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center military Unit 26165, has been targeting technology and logistics companies, including those supporting the transport and delivery of foreign aid to Ukraine, for more than two years.

The cybersecurity industry offers overlapping threat intelligence, indicators of compromise, and mitigation strategies related to GRU unit 26165. Although not exhaustive, several well-known threat group names are associated with this unit under MITRE ATT&CK ID G0007 and are commonly referenced within the cybersecurity community. These include APT28, Fancy Bear, Forest Blizzard, and Blue Delta.

The GRU cyber actors are employing a blend of known tactics, techniques, and procedures (TTPs) and are likely linked to the broad exploitation of IP cameras across Ukraine and neighboring NATO countries. In the advisory, titled ‘Russian GRU Targeting Western Logistics Entities and Technology Companies,’ executives and network defenders at logistics entities and technology companies are called upon to recognize the elevated threat of Unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise, and posture network defenses with a presumption of targeting.

Russia’s GRU 85th GTsSS military Unit 26165, widely known as APT28 or Fancy Bear, has been carrying out a cyber espionage campaign using familiar techniques like password spraying, spearphishing, and exploiting Microsoft Exchange permissions. Following Russia’s invasion of Ukraine in February 2022, this activity intensified. As military efforts stalled and Western aid increased, the group broadened its focus to target logistics firms and tech companies linked to aid delivery. They also compromised internet-connected cameras at Ukraine’s borders to track the movement of supplies.

The GRU Unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of organizations, including both government and private sector entities involved in nearly every mode of transportation: air, sea, and rail. These cyber actors have focused on entities tied to several key sectors within NATO member states, Ukraine, and international organizations. These sectors include the defense industry, transportation infrastructure such as ports and airports, maritime operations, air traffic management, and IT service providers.

They also carried out reconnaissance on at least one organization involved in manufacturing industrial control system components used in railway management, although there is no confirmation that the entity was successfully compromised.

Throughout the campaign, Unit 26165 actors expanded their operations by identifying and targeting additional organizations within the transportation sector that had business relationships with their original targets. By exploiting these trust-based connections, they attempted to gain deeper access to broader networks. The campaign has targeted entities across several countries, including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the U.S.

To gain initial access to targeted entities, Unit 26165 hackers employed various techniques, including credential guessing and brute force attacks, spearphishing campaigns aimed at stealing credentials or delivering malware, and the exploitation of known software vulnerabilities. Among the vulnerabilities they exploited were the Outlook NTLM flaw, several Roundcube webmail vulnerabilities, and a WinRAR vulnerability. They also targeted internet-facing infrastructure, such as corporate VPNs, using publicly known vulnerabilities and SQL injection methods.

In addition, the actors took advantage of weaknesses in a variety of small office and home office (SOHO) devices. These compromised devices were used to conduct covert operations and to proxy malicious activity through systems located near their intended targets.

The advisory notes that Unit 26165 actors established persistence on compromised systems by creating scheduled tasks, modifying registry run keys, and placing malicious shortcuts in startup folders. For data exfiltration, they employed a range of techniques tailored to the victim’s environment, combining custom malware with legitimate system tools and often relying on PowerShell commands to stage stolen data. In many cases, the data was compressed into zip archives before being uploaded to attacker-controlled infrastructure.

To extract data from email servers, the actors leveraged standard server communication protocols and APIs, including Exchange Web Services (EWS) and the Internet Message Access Protocol (IMAP). They frequently ran periodic EWS queries to collect newly sent or received emails since the last data extraction. The exfiltration infrastructure was typically located in close geographic proximity to the victim, allowing the operation to blend in with normal traffic patterns. The use of legitimate protocols, along with long intervals between exfiltration events, enabled prolonged and undetected access to sensitive information.
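The collection pattern described above, a client that enumerates a mailbox over EWS on a long, regular schedule and stays quiet in between, is something a defender can look for directly in mailbox access logs. The following Python script is an added example and not code from the advisory or from CISA: it groups constructed EWS access records by mailbox, source address and user agent, and flags groups whose collection queries recur at near-constant intervals of six hours or more. The log format, field names (mailbox, src, ua, op) and sample values are assumptions made for this example; real Exchange EWS or IIS logs use different layouts and would need their own parser.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed EWS access records (not real Exchange logs; the field layout is an
# assumption for this example). One record per line: timestamp, mailbox,
# client source address, user agent, EWS operation.
SAMPLE_LOG = """\
2024-03-01T02:00:12Z mailbox=alice@corp.example src=203.0.113.7 ua=ExchangeServicesClient/15.0 op=FindItem
2024-03-01T08:15:40Z mailbox=alice@corp.example src=198.51.100.21 ua=Microsoft-Office/16.0 op=GetItem
2024-03-01T09:02:03Z mailbox=bob@corp.example src=198.51.100.22 ua=Microsoft-Office/16.0 op=FindItem
2024-03-02T02:00:09Z mailbox=alice@corp.example src=203.0.113.7 ua=ExchangeServicesClient/15.0 op=FindItem
2024-03-02T13:44:51Z mailbox=alice@corp.example src=198.51.100.21 ua=Microsoft-Office/16.0 op=FindItem
2024-03-03T02:00:15Z mailbox=alice@corp.example src=203.0.113.7 ua=ExchangeServicesClient/15.0 op=FindItem
2024-03-04T02:00:11Z mailbox=alice@corp.example src=203.0.113.7 ua=ExchangeServicesClient/15.0 op=FindItem
2024-03-04T09:10:00Z mailbox=bob@corp.example src=198.51.100.22 ua=Microsoft-Office/16.0 op=FindItem
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) mailbox=(?P<mailbox>\S+) src=(?P<src>\S+) ua=(?P<ua>\S+) op=(?P<op>\S+)$"
)

# EWS operations used to enumerate mail that arrived since a previous pull.
COLLECTION_OPS = {"FindItem", "SyncFolderItems"}


def parse_log(text):
    """Turn the text log into a list of dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_periodic_collection(text, min_events=3,
                             min_interval=timedelta(hours=6), max_jitter=0.10):
    """Flag (mailbox, source, user agent) triples that enumerate mail on a
    long, regular schedule: at least `min_events` collection queries whose
    gaps average `min_interval` or more and vary by at most `max_jitter`
    (population stdev / mean). Interactive clients poll far more often and
    far less regularly, so they fall below the interval floor."""
    groups = defaultdict(list)
    for rec in parse_log(text):
        if rec["op"] in COLLECTION_OPS:
            groups[(rec["mailbox"], rec["src"], rec["ua"])].append(rec["ts"])

    findings = []
    for (mailbox, src, ua), stamps in groups.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.fmean(gaps)
        if mean_gap < min_interval.total_seconds():
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter > max_jitter:
            continue
        findings.append({
            "mailbox": mailbox,
            "src": src,
            "ua": ua,
            "events": len(stamps),
            "mean_interval_hours": round(mean_gap / 3600, 2),
            "jitter": round(jitter, 4),
            "first_seen": stamps[0].isoformat(),
            "last_seen": stamps[-1].isoformat(),
        })
    return findings


if __name__ == "__main__":
    for finding in find_periodic_collection(SAMPLE_LOG):
        print(finding)
```

On the sample data only the once-a-day pulls of alice's mailbox from 203.0.113.7 are reported; the interactive Office sessions and bob's two queries fall below the event and interval thresholds. A hit is a triage lead rather than a verdict, since legitimate backup or archiving tools also sync on a schedule, so the next step is to check whether the source address and user agent are expected for that mailbox.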

To improve security, the advisory recommends that organizations implement network segmentation and restrict access based on device details, environment, and access path. Designing systems around Zero Trust principles is also recommended, with product choices driven by specific, identified risks. Host and network firewalls must be configured to allow only necessary data flows, and lateral movement should be flagged.

Automated tools should regularly audit access logs for anomalies. Endpoint detection and response tools must be deployed across all systems, especially those containing sensitive data like mail servers and domain controllers. Threat modeling should guide monitoring strategies and product selection. Users must be trained to use only approved corporate systems for official work. The use of personal cloud email accounts for government or military communication should be strictly avoided. Network administrators should audit email and web logs to detect unauthorized activity.

Application allowlisting is advised to restrict execution to only necessary scripts and programs. Detection baselines using open-source SIGMA rules can help identify suspicious behavior. To counter spearphishing, email services should include link checking and file detonation. Blocking logins from public VPNs and alerting on their use is recommended, as most organizations do not require access from these sources. Domains associated with suspicious infrastructure, including services like ngrok.io and webhook[dot]site, should be blocked or monitored closely.
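The persistence mechanisms described earlier (scheduled tasks, run keys, startup-folder shortcuts), the PowerShell archiving step before upload, and the domain watchlist above all map to simple detection rules of the kind SIGMA expresses. The Python script below is an added example, not code from the advisory or from CISA, and not a SIGMA rule set: it runs five such rules over constructed Sysmon-style and Windows Security-style events embedded as JSON lines. The event field names follow common Sysmon and Security log conventions, but the paths, SIDs, hostnames and task names are made up for this example; only the ngrok.io and webhook.site watchlist entries come from the advisory.

```python
import json
import re
from collections import Counter

# Constructed telemetry in Sysmon / Windows Security style, as JSON lines
# (not from the advisory or any real host; paths, SIDs and hostnames are
# made up). Event IDs follow common conventions: Sysmon 1 = process create,
# 11 = file create, 13 = registry value set, 22 = DNS query;
# Security 4698 = scheduled task created.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Users\\j.doe\\AppData\\Roaming\\update.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "C:\\Users\\j.doe\\AppData\\Roaming\\update.exe"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Hostname", "Details": "WKS-0042"}
{"EventID": 11, "Image": "C:\\Users\\j.doe\\AppData\\Roaming\\update.exe", "TargetFilename": "C:\\Users\\j.doe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sync.lnk"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\j.doe\\Documents\\report.docx"}
{"EventID": 4698, "SubjectUserName": "j.doe", "TaskName": "\\Microsoft\\Windows\\Maintenance\\Sync", "TaskContent": "<Exec><Command>powershell.exe</Command><Arguments>-w hidden -File C:\\Users\\j.doe\\AppData\\Roaming\\s.ps1</Arguments></Exec>"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Compress-Archive -Path C:\\Users\\j.doe\\Documents -DestinationPath C:\\Users\\j.doe\\AppData\\Local\\Temp\\out.zip"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"EventID": 22, "Image": "C:\\Users\\j.doe\\AppData\\Roaming\\update.exe", "QueryName": "abcd1234.ngrok.io"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "update.microsoft.com"}
{"EventID": 22, "Image": "C:\\Users\\j.doe\\AppData\\Roaming\\update.exe", "QueryName": "webhook.site"}
"""

# Registry autostart locations under ...\CurrentVersion\Run and \RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# A new .lnk dropped into a per-user or all-users Startup folder.
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Task actions that launch script hosts or run from user-writable locations.
SUSPICIOUS_ACTION_RE = re.compile(
    r"powershell|pwsh|cmd\.exe|rundll32|mshta|wscript|cscript|\\AppData\\|\\Temp\\",
    re.IGNORECASE)
# PowerShell building zip archives, the staging step the advisory describes.
ARCHIVE_RE = re.compile(r"Compress-Archive|System\.IO\.Compression|\.zip\b", re.IGNORECASE)
# Services named in the advisory's watchlist; extend with local additions.
DOMAIN_WATCHLIST = ("ngrok.io", "webhook.site")


def is_run_key_persistence(ev):
    return ev.get("EventID") == 13 and bool(RUN_KEY_RE.search(ev.get("TargetObject", "")))


def is_startup_folder_shortcut(ev):
    return ev.get("EventID") == 11 and bool(STARTUP_LNK_RE.search(ev.get("TargetFilename", "")))


def is_suspicious_scheduled_task(ev):
    return ev.get("EventID") == 4698 and bool(SUSPICIOUS_ACTION_RE.search(ev.get("TaskContent", "")))


def is_powershell_archive_staging(ev):
    image = ev.get("Image", "").lower()
    return (ev.get("EventID") == 1
            and image.endswith(("powershell.exe", "pwsh.exe"))
            and bool(ARCHIVE_RE.search(ev.get("CommandLine", ""))))


def is_watchlisted_domain(ev):
    # Match the apex domain or any subdomain of it, never a mere suffix.
    name = ev.get("QueryName", "").lower().rstrip(".")
    return ev.get("EventID") == 22 and any(
        name == d or name.endswith("." + d) for d in DOMAIN_WATCHLIST)


RULES = [
    ("run_key_persistence", is_run_key_persistence),
    ("startup_folder_shortcut", is_startup_folder_shortcut),
    ("suspicious_scheduled_task", is_suspicious_scheduled_task),
    ("powershell_archive_staging", is_powershell_archive_staging),
    ("watchlisted_domain", is_watchlisted_domain),
]


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(text):
    """Run every rule over every event; one finding per (rule, event) match."""
    findings = []
    for ev in parse_events(text):
        for name, predicate in RULES:
            if predicate(ev):
                findings.append({"rule": name, "event": ev})
    return findings


def summarize(findings):
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["rule"], "->", f["event"].get("Image", f["event"].get("TaskName")))
```

Run against the sample, the script reports six findings: one each for the run key, the startup shortcut, the scheduled task and the Compress-Archive command line, and two for the watchlisted domains, while the benign registry write, document save, notepad launch and Microsoft update lookup pass. Each rule is a single predicate, so the same logic ports straightforwardly to SIGMA selections for a SIEM; the value of keeping them side by side is that a single host triggering several of them in sequence is far more significant than any one in isolation.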

To defend against malicious activity targeting IP cameras, the advisory called upon organizations to ensure all devices are supported and up to date with the latest security patches and firmware. Remote access should be disabled if not required. If remote access is necessary, it should be secured with authentication, a VPN, and multi-factor authentication for management accounts when possible.

IP cameras should be protected behind security appliances like firewalls, allowing communication only from approved IP addresses. Administrators should regularly review authentication activity for remote access, investigate anomalies, and audit user accounts to ensure they reflect current organizational needs. Logging should be configured, fine-tuned, and monitored to support ongoing security oversight.

Commenting on the GRU Unit 26165 advisory, Grant Geyer, chief strategy officer at Claroty, wrote in an emailed statement that “while it’s not using sophisticated methods, this is one of the first examples I’ve seen of a highly orchestrated campaign where coordinated and planned cyberattacks are being used against both IT and cyber-physical systems to gain a granular understanding of weapon systems and other support being provided to Ukraine.” 

He added that the GRU isn’t just interested in what support nations are providing Ukraine; they have done detailed targeting across the entire supply chain to understand what equipment is moving, when, and how, whether it’s by aircraft, ship, or rail. That level of insight can be used for both general intelligence and for targeting critical infrastructure for kinetic attacks.  

“We are used to thinking about cyber attacks as something that is conducted against IT systems,” according to Geyer. “What this advisory demonstrates is that Russia is actively leveraging flaws in IoT assets, such as video surveillance systems, to provide a real-world and real-time picture that can be used to support their war efforts.”
