UTC A.I CyberSecurity Scoring
UTC
Company Information
Website: http://www.ustranscom.mil/
Number of employees: 534
Number of followers: 19,318
NAICS: 92811
Industry Type: Armed Forces
Homepage: ustranscom.mil
UTC Risk Score (AI oriented)
Score band: between 750 and 799
UTC (Armed Forces)
Updated: 02/04/2026
753/1000
Fair
Baa

UTC: Fair
Current Score
753 Baa (FAIR)
Scale: 0 to 1000
1 incident
0 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 753
MAY 2026: 753
APRIL 2026: 753
MARCH 2026: 753
FEBRUARY 2026: 753
JANUARY 2026: 753
DECEMBER 2025: 752
NOVEMBER 2025: 752
OCTOBER 2025: 752
SEPTEMBER 2025: 752
AUGUST 2025: 752
JULY 2025: 752
JANUARY 2022
754
Cyber Attack
01 Jan 2022 • UTC
US Transportation Command: Russian hackers breach orgs to track aid routes to Ukraine
Russian State-Sponsored Cyberespionage Campaign by APT28 (Fancy Bear/Forest Blizzard)
737
CRITICAL-17
US-1765249605
Russian APT28 Cyberespionage Campaign Targets Aid Efforts to Ukraine
Since 2022, the Russian state-sponsored threat group APT28 (Fancy Bear/Forest Blizzard), linked to the GRU’s 85th GTsSS (military unit 26165), has conducted a sustained cyberespionage campaign against organizations supporting Ukraine. The operation, detailed in a joint advisory from 21 intelligence and cybersecurity agencies across nearly a dozen countries, targeted entities in defense, transportation, IT services, air traffic, and maritime sectors across 12 European nations and the U.S.
### Tactics and Techniques
APT28 employed a mix of stealthy intrusion methods, including:
- Password spraying and brute-force attacks
- Spear-phishing (credential theft and malware delivery)
- Exploitation of known vulnerabilities, such as:
  - CVE-2023-23397 (Outlook NTLM relay)
  - CVE-2023-38831 (WinRAR)
  - Roundcube webmail flaws (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
- SQL injection and VPN exploits against internet-facing infrastructure
To evade detection, the group routed communications through compromised small office/home office (SOHO) devices near targets. Once inside networks, they used remote-execution and remote-access tooling (PsExec, Impacket, RDP) and Active Directory utilities (Certipy, ADExplorer) for lateral movement and data exfiltration.
### Surveillance and Data Theft
APT28 prioritized compromising accounts with access to aid shipment details, including:
- Sender/recipient information
- Cargo contents and travel routes
- Container registration numbers
- Destination data
They also enrolled hijacked accounts in multi-factor authentication (MFA) to maintain persistent access. Among the malware used were the Headlace and Masepie backdoors, with data exfiltration methods tailored to each victim’s environment—often leveraging living-off-the-land (LOtL) techniques to avoid detection.
### Monitoring Aid Shipments via Compromised Cameras
A key aspect of the campaign involved hacking internet-connected cameras—including those at border crossings, military installations, rail stations, and traffic monitoring points—to track material movements into Ukraine. The advisory notes that over 10,000 cameras were targeted, with 80% in Ukraine and nearly 1,000 in Romania.
Google Threat Intelligence analyst John Hultquist warned that the group’s objectives extend beyond surveillance, aiming to disrupt aid efforts through cyber or physical means. The targeting of logistics and transportation networks suggests a broader strategy to undermine Ukraine’s supply chains.
### Impact and Scope
The campaign affected organizations in Bulgaria, Czechia, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the U.S. The advisory provides indicators of compromise (IoCs), including malicious scripts, threat actor-controlled email providers, and IP addresses linked to the attacks. While mitigation guidance was included, the report underscores the persistent and adaptive nature of APT28’s operations.