Russian military threat actors are targeting Western logistics and technology companies involved in providing foreign assistance to embattled Ukraine.
The Australian Signals Directorate’s Australian Cyber Security Centre has joined a raft of cyber security agencies, both civilian and military, from around the world to warn of a hacking campaign orchestrated by the Russian General Staff Main Intelligence Directorate, or GRU.
The warning came in a cyber security advisory released overnight by the US Cybersecurity & Infrastructure Security Agency and co-authored by entities from the UK, Germany, the Czech Republic, Poland, the US, Canada, Denmark, Estonia, France, and the Netherlands.
According to the advisory, the GRU’s 85th Main Special Service Center – also known as military unit 26165 and tracked as Fancy Bear, among other names – is largely targeting logistics and technology firms with a role in the coordination and transportation of assistance to Ukraine.
“Executives and network defenders at logistics entities and technology companies should recognise the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defences with a presumption of targeting,” CISA said in its May 21 advisory.
“This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide-scale targeting of IP cameras in Ukraine and bordering NATO nations.”
Unit 26165 is using a mix of known tactics, techniques, and procedures including spearphishing, modification of mailbox permissions, and password spraying. The campaign has been running for more than two years, with the initial aim of espionage and influence operations. However, as Russia’s military momentum continues to stall, the cyber campaign has expanded to target largely Ukrainian and European entities involved in the delivery of aid to Ukraine.
“Russian military intelligence has an obvious need to track the flow of material into Ukraine, and anyone involved in that process should consider themselves targeted,” said John Hultquist, Chief Analyst at Google Threat Intelligence Group.
“Beyond the interest in identifying support to the battlefield, there is an interest in disrupting that support through either physical or cyber means. These incidents could be precursors to other serious actions.”
The industries being targeted by the malicious activity are defence, transportation, maritime, air traffic management, and IT services. Once access is gained to a network, the threat actors are looking for any information relating to shipping schedules and manifests, including sender & recipient, points of departure, train/plane/ship numbers, and cargo contents.
As well as going after logistics operations, unit 26165 has more than likely used any network access gained to also access “private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine”.
A full list of Indicators of Compromise and mitigation advice can be found here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.