Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022.
The activity has been assessed to be orchestrated by APT28 (aka BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165.
Targets of the campaign include companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine, according to a joint advisory released by agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States.
“This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations,” the bulletin said.
The alert comes weeks after France’s foreign ministry accused APT28 of mounting cyber attacks on a dozen entities including ministries, defense firms, research entities, and think tanks since 2021 in an attempt to destabilize the nation.
Then last week, ESET took the wraps off a campaign dubbed Operation RoundPress that it said has been ongoing since 2023 by exploiting cross-site scripting (XSS) vulnerabilities in various webmail services like Roundcube, Horde, MDaemon, and Zimbra to single out governmental entities and defense companies in Eastern Europe, as well as governments in Africa, Europe, and South America.
According to the latest advisory, cyber attacks orchestrated by APT28 are said to have involved a combination of password spraying, spear-phishing, and modifying Microsoft Exchange mailbox permissions for espionage purposes.
The primary targets of the campaign include organizations within NATO member states and Ukraine spanning defense, transportation, maritime, air traffic management, and IT services verticals. No less than dozens of entities in Bulgaria, Czechia, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States are estimated to have been targeted.
Initial access to targeted networks is said to have been facilitated by leveraging seven different methods –
- Brute-force attacks to guess credentials
- Spear-phishing attacks to harvest credentials using fake login pages impersonating government agencies and Western cloud email providers that were hosted on free third-party services or compromised SOHO devices
- Spear-phishing attacks to deliver malware
- Exploitation of Outlook NTLM vulnerability (CVE-2023-23397)
- Exploitation of Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
- Exploitation of internet-facing infrastructure such as corporate VPNs using public vulnerabilities and SQL injection
- Exploitation of WinRAR vulnerability (CVE-2023-38831)
Once the Unit 26165 actors gain foothold using one of the above methods, the attacks proceed to the post-exploitation phase, which involves conducting reconnaissance to identify additional targets in key positions, individuals responsible for coordinating transport, and other companies cooperating with the victim entity.
The attackers have also been observed using tools like Impacket, PsExec, and Remote Desktop Protocol (RDP) for lateral movement, as well as Certipy and ADExplorer.exe to exfiltrate information from the Active Directory.
“The actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection,” the agencies pointed out. “The actors used manipulation of mailbox permissions to establish sustained email collection at compromised logistics entities.”
Another notable trait of the intrusions is the use of malware families like HeadLace and MASEPIE, to establish persistence on compromised hosts and harvest sensitive information. There is no evidence that malware variants like OCEANMAP and STEELHOOK have been used to directly target logistics or IT sectors.
During data exfiltration, the threat actors have relied on different methods based on the victim environment, often utilizing PowerShell commands to create ZIP archives to upload the collected data to their own infrastructure, or employing Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) to siphon information from email servers.
“As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, Unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid,” the agencies said. “These actors have also targeted internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.”
The disclosure comes as Cato Networks revealed that suspected Russian threat actors are leveraging Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host fake reCAPTCHA pages that make use of ClickFix-style lures to trick users into downloading Lumma Stealer.
“The recent campaign leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage builds upon earlier methods, introducing new delivery mechanisms aimed at evading detection and targeting technically proficient users,” researchers Guile Domingo, Guy Waizel, and Tomer Agayev said.
