Western governments are raising a red flag over a growing Russian cyber threat.
In a joint cybersecurity advisory, intelligence and cybersecurity agencies from the United States, the United Kingdom, Germany, France, Poland, and more than a dozen other allied nations have warned that a Russian military cyber unit is behind an aggressive campaign targeting logistics and technology companies that help Ukraine.
The advisory, issued this week, points directly at the Russian General Staff Main Intelligence Directorate (GRU) unit 26165, also known in the cybersecurity world as APT28, Fancy Bear, and Forest Blizzard.
“This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide-scale targeting of IP cameras in Ukraine and bordering NATO nations,” the advisory stated.
Who’s being targeted?
Since Russia’s invasion of Ukraine began in 2022, the hackers linked to one of the GRU’s most notorious divisions have allegedly expanded their operations to attack critical parts of the supply chain supporting Ukraine. The hackers have gone after:
- Defense contractors.
- Transport hubs like airports and ports.
- Air traffic control systems.
- Maritime operators.
- IT service providers.
The affected countries include the United States, Germany, Poland, France, Romania, Ukraine, the Netherlands, the Czech Republic, Slovakia, Greece, Bulgaria, Moldova, and Italy.
The joint report reveals that the attackers not only infiltrate the main target company but also go after partners and connected firms, abusing trust relationships to spread deeper.
In one case, the hackers stole credentials giving access to “sensitive information on shipments, such as train schedules and shipping manifests,” the advisory notes.
How they’re getting in
The Russian hackers rely on a mix of old and new tactics to break in, including:
- Credential guessing and brute-force attacks.
- Spearphishing emails with fake login pages impersonating Western email platforms.
- Malware, including variants like HEADLACE and MASEPIE.
- Exploiting known software vulnerabilities such as:
  - Microsoft Outlook (CVE-2023-23397).
  - WinRAR (CVE-2023-38831).
  - Roundcube webmail bugs.
The group also leverages tools like Tor and commercial VPNs to hide their tracks and rotate IP addresses frequently.
IP cameras as spy tools
One of the more chilling revelations is that the Russian hackers also targeted internet-connected cameras, particularly those near border crossings and railway stations in Ukraine.
Using default passwords and hacking tricks, the attackers tried to access live feeds to monitor shipments of weapons and supplies.
According to the advisory, 81% of these attempts were aimed at Ukrainian cameras, followed by Romania (9.9%), Poland (4.0%), Hungary (2.8%), and Slovakia (1.7%).
What can be done?
Authorities believe that the threat is far from over. They say the campaign will likely continue as long as Western countries support Ukraine.
The advisory outlines steps to defend against GRU’s tactics. These include:
- Enforcing multi-factor authentication.
- Applying security patches and updating software regularly.
- Monitoring networks for anomalous activity.
- Segregating sensitive systems with Zero Trust principles.
- For IP cameras, disabling unnecessary remote access and using VPNs for secure viewing.
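The advisory's first listed entry technique is credential guessing and brute force, and one of its recommended defenses is monitoring for anomalous activity. As an added example that is not part of the advisory or this article, the following Python script shows what that monitoring can look like in practice: it parses authentication log lines and flags source addresses that show brute-force, password-spraying, or a successful login right after a burst of failures. The log format, timestamps, account names, source addresses and thresholds are all constructed for illustration; a real deployment would adapt the regular expression to its own log format and tune the thresholds.

```python
"""Detect credential-guessing patterns in authentication logs.

Added example, not code from the advisory. Log lines, addresses, account
names and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simple "timestamp result user=... src=..." form.
SAMPLE_LOG = """\
2025-05-20T08:00:01 FAIL user=jsmith src=203.0.113.7
2025-05-20T08:00:09 FAIL user=jsmith src=203.0.113.7
2025-05-20T08:00:17 FAIL user=jsmith src=203.0.113.7
2025-05-20T08:00:25 FAIL user=jsmith src=203.0.113.7
2025-05-20T08:00:33 FAIL user=jsmith src=203.0.113.7
2025-05-20T08:00:41 FAIL user=jsmith src=203.0.113.7
2025-05-20T08:00:49 OK user=jsmith src=203.0.113.7
2025-05-20T08:10:00 FAIL user=alice src=198.51.100.23
2025-05-20T08:10:05 FAIL user=bob src=198.51.100.23
2025-05-20T08:10:10 FAIL user=carol src=198.51.100.23
2025-05-20T08:10:15 FAIL user=dave src=198.51.100.23
2025-05-20T09:00:00 FAIL user=eve src=192.0.2.10
2025-05-20T09:00:20 OK user=eve src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts, sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_credential_guessing(events, window=timedelta(minutes=5),
                             fail_threshold=5, user_threshold=3):
    """Return {src: sorted reasons} for sources that match a guessing pattern.

    brute_force:            >= fail_threshold failures from one source inside `window`
    password_spray:         failures against >= user_threshold distinct accounts inside `window`
    success_after_failures: a successful login preceded by >= fail_threshold failures
                            from the same source inside `window` (the case an analyst
                            should look at first, since the guess may have worked)
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = defaultdict(set)
    for src, evs in by_src.items():
        recent_fails = []  # failures from this source still inside the sliding window
        for e in evs:
            # Drop failures that have aged out of the window relative to this event.
            recent_fails = [f for f in recent_fails if e["ts"] - f["ts"] <= window]
            if e["result"] == "FAIL":
                recent_fails.append(e)
                if len(recent_fails) >= fail_threshold:
                    alerts[src].add("brute_force")
                if len({f["user"] for f in recent_fails}) >= user_threshold:
                    alerts[src].add("password_spray")
            elif len(recent_fails) >= fail_threshold:
                alerts[src].add("success_after_failures")
    return {src: sorted(reasons) for src, reasons in alerts.items()}


if __name__ == "__main__":
    for src, reasons in find_credential_guessing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {', '.join(reasons)}")
```

On the constructed sample, 203.0.113.7 is reported for brute force and for a success following the burst of failures, 198.51.100.23 is reported for spraying four accounts, and the single mistyped password from 192.0.2.10 produces no alert. The sliding window is evaluated per source address, so an attacker rotating through Tor exit nodes or VPN endpoints, as the advisory describes, will be split across many sources; correlating the same pattern per target account rather than per source is the natural extension for that case.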
As Western aid remains critical to Ukraine’s defense, Russia’s cyber operations aim to disrupt supply chains and gather intelligence.
Behind every truck, plane, or ship carrying aid to Ukraine, there’s now a digital battlefield, where hackers lurk, watching, probing, and trying to intercept help before it arrives.