
NCSC: Russia’s Fancy Bear targeting logistics, tech organisations | Computer Weekly

News Room
Last updated: 2025/05/21 at 2:01 PM
News Room Published 21 May 2025

As Russia continues its relentless assaults on Ukraine in defiance of continuing efforts to work towards a peace deal, multiple western security agencies have issued a new advisory warning of a Moscow-backed campaign of cyber intrusions targeting logistics and technology organisations in the west.

The campaign, run through Unit 26165 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), better known as Fancy Bear, includes credential guessing, spear-phishing attacks, and exploitation of Microsoft Exchange and Roundcube vulnerabilities and of flaws in public-facing infrastructure including VPNs.

This pattern of activity likely dates back to the early days of the war in February 2022 – at which point Fancy Bear was more heavily involved in cyber operations for purposes of espionage. However, as Russia failed to achieve its military objectives as quickly as it had wanted, the group expanded its targeting to include entities involved in the delivery of support and aid to Ukraine’s defence. Over the past three years its victims have included organisations involved in air traffic control, airports, defence, IT services, maritime and port systems sectors across various Nato countries.

The advanced persistent threat (APT) actor is also understood to be targeting internet-connected cameras at Ukraine’s border crossings and around its military bases. These intrusions mostly took place in Ukraine but have also been observed in neighbouring states including Hungary, Poland, Romania and Slovakia.

The GCHQ-run National Cyber Security Centre (NCSC) urged UK organisations to familiarise themselves with Unit 26165’s tactics and take action to safeguard themselves.

“This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine,” said Paul Chichester, NCSC Director of Operations.

“The UK and partners are committed to raising awareness of the tactics being deployed. We strongly encourage organisations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks.”

The NCSC’s latest warning comes a couple of weeks after the cyber body’s CEO, Richard Horne, talked of a “direct connection” between Russian cyber attacks and physical threats to the UK at its annual conference.

Horne told an audience at the CyberUK event that Russia was focusing on acts of sabotage, often involving criminal proxies. He said these threats, which are thought to have included arson attacks, are now manifesting on the streets of the UK, “putting lives, critical services and national security” at risk.

Staple tactic

Rafe Pilling, director of threat intelligence at the Sophos (formerly Secureworks) Counter Threat Unit (CTU) – which tracks Fancy Bear as Iron Twilight – said that the group’s use of spear-phishing and vulnerability exploitation to gain access to target mailboxes had been a staple tactic for some time.

“The focus of their operations pivots as the intelligence collection of the Russian military changes, and since 2022 Ukraine has been a significant focus of their attention. The targeting of Nato and Ukrainian defense and logistics companies involved in the support of the Ukrainian war effort makes a lot of sense in that context,” Pilling told Computer Weekly.

“The targeting of IP cameras for intelligence collection purposes is interesting and is a tactic generally associated with state-sponsored adversaries like Iron Twilight where they anticipate a physical effects aspect to their operations. As an intelligence provider to the Russian military this access would assist in the understanding of what goods were being transported, when, in what volumes and support kinetic targeting.  

“We’ve seen other APT actors make use of compromised CCTV feeds to monitor the effects of cyber-physical attacks, for example the 2022 attacks against steel mills in Iran where video from the CCTV feed was used to time the execution of the attack in an attempt to avoid harm to people at the site and confirm the damage being caused,” he added.

The NCSC said Britain’s support for Ukraine remained “steadfast”. Having already committed £13bn in military aid, the UK this week announced 100 new sanctions on Russia targeting entities and organisations involved in its energy, financial and military systems.

This comes in the wake of the largest drone attack on Ukraine staged so far during the three-year war, which Russian dictator Vladimir Putin launched mere hours before a scheduled call with US president Donald Trump.

The full advisory – which can be read here – sets out Fancy Bear’s tactics, techniques and procedures (TTPs) in its latest campaign in accordance with the Mitre ATT&CK framework, and also details a number of the common vulnerabilities and exposures (CVEs) being used to attain initial access.

Besides the UK and US, the advisory is cosigned by cyber and national security agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands and Poland.
