Western intelligence agencies uncovered an extensive Russia-backed operation aimed at technology organizations working with the Ukraine defense effort.
The UK National Cyber Security Centre (NCSC) was part of a group of intelligence agencies that found the Kremlin-backed APT28 hacking group, aka “Fancy Bear,” working to infiltrate the networks of military groups and private contractors on the front lines of Russia’s ongoing attempt to invade Ukraine.
“Unit 26165 — also known as APT28 — was able to gain initial access to victim networks using a mix of previously disclosed techniques, including credential guessing, spear-phishing and exploitation of Microsoft Exchange mailbox permissions,” the UK intelligence agency said.
“They also targeted internet-connected cameras at Ukrainian border crossings and near military installations to monitor and track aid shipments to Ukraine.”
The attacks targeted not only military entities but also organizations that provide logistics support and IT services to Ukrainian forces fighting against Russian and North Korean opposition. The attacks are believed to be targeting critical infrastructure, including webcams and supply lines.
The report comes at a critical time in the Ukraine conflict. With both sides expressing a desire for peace talks, reports of covert intelligence campaigns could throw a wrench into negotiations.
APT28 is supposedly a private hacking outfit with conveniently close ties to the Russian government’s GRU intelligence organization. It is believed that the group is closely affiliated with the Kremlin and acts on direct orders from GRU officials.
In addition to the Brits, the exposure campaign included intelligence agencies from the United States, Germany, Czech Republic, Poland, Australia, Canada, Denmark, Estonia, France and the Netherlands.
“This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organizations, including those involved in the delivery of assistance to Ukraine,” said NCSC director of operations Phil Chichester.
“We strongly encourage organizations to familiarize themselves with the threat and mitigation advice included in the advisory to help defend their networks.”
For its part, the NSA said the attacks are nothing new, but still urged organizations to make sure their IT security protections are up to date and protected against common exploits and attack techniques.
“In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence — with unit 26165 predominately involved in espionage,” officials noted in a joint advisory.
“As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid.”