In a high-priority cybersecurity advisory, the U.S. National Security Agency (NSA), alongside allied cyber defense organizations, has detailed an aggressive cyber-espionage campaign orchestrated by Advanced Persistent Threat (APT) 28, also known as Fancy Bear, Forest Blizzard, Blue Delta, or Unit 26165 of the Russian GRU. Active since at least February 2022, the campaign specifically targets Western logistics and technology companies, particularly those connected to Ukraine-related aid and supply chains.
The joint advisory describes a sustained and evolving threat in which espionage, surveillance, and network compromise are deployed strategically to gain geopolitical advantage.
Threat Actor Profile: APT28 / GRU Unit 26165
APT28 is a Russian state-sponsored threat actor with a long history of cyber-espionage operations. Linked directly to Russia’s military intelligence agency, this unit plays a central role in intelligence gathering, especially concerning logistics, transportation, and technological infrastructure supporting Ukraine.
Their operations span multiple NATO nations and allied states, including the United States, Germany, France, the Netherlands, Poland, and Ukraine itself.
Tactics, Techniques, and Procedures (TTPs)
APT28’s campaign is notable for its diverse attack methodology, which includes both well-established and novel TTPs:
Credential-Based Attacks
- Password spraying against cloud-based and on-prem accounts
- Phishing campaigns leveraging fake login pages and malware-delivering links
Exploitation of Microsoft Exchange
- Manipulation of mailbox permissions to maintain covert access
Network Movement and Surveillance
- After breaching the network, APT28 conducted lateral movement to access sensitive logistics data, including shipment routes, cargo contents, and sender/receiver details.
Use of IP Cameras for Surveillance
- Gained unauthorized access to Real-Time Streaming Protocol (RTSP) servers and IP cameras across Ukraine and neighboring countries
- Monitored military supply routes using both private and municipal surveillance infrastructure
Targeted Sectors
Entities impacted or at elevated risk include:
- Commercial logistics firms
- Transportation services
- Technology companies supporting aid delivery
- Government and military contractors
- Critical infrastructure operators in Europe and the U.S.
APT28’s operations are reportedly part of Russia’s broader digital strategy to monitor and potentially disrupt Western military and humanitarian support to Ukraine.
Defense Recommendations for Cybersecurity Teams
The joint advisory offers clear mitigation strategies to help organizations enhance their defensive posture:
1. Network Segmentation & Zero Trust
- Implement segmented networks and design architectures with zero trust principles to limit lateral movement and minimize exposure.
2. Identity and Access Management (IAM)
- Refine and continuously monitor digital identity processes, enforce least privilege access, and enable MFA across all critical systems.
3. Enhanced Logging and Monitoring
- Collect and analyze Windows event logs, especially for unexpected log clearing
- Enable robust threat hunting for known IOCs and APT28-specific behaviors
4. SOHO Device Hardening
- Patch SOHO devices and apply firmware updates regularly
- Disable remote access features and apply IP allowlists on IP cameras and other edge devices
5. Organizational Awareness & Executive Engagement
- Executives and CISOs must acknowledge the heightened geopolitical risks and ensure cybersecurity operations are aligned with potential state-sponsored threats.
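A concrete way to act on the logging recommendation above (item 3) is to hunt for the two behaviours this article names, unexpected log clearing and password spraying, in collected Windows event records. The block below is an added example, not code from the advisory or this article: the records and the spray threshold are constructed, and the Event IDs used (1102 for the Security log being cleared, 104 for the System log being cleared, 4625 for a failed logon) are the standard Windows IDs.

```python
from collections import defaultdict

# Constructed sample records in a simplified dict form (not real logs).
# One source fails logons against six different accounts (spray pattern),
# a second source has a single failure (benign), and the Security log
# is then cleared by an administrator account.
SPRAY_SRC = "203.0.113.5"
SAMPLE_EVENTS = [
    {"ts": f"2024-05-01T08:00:0{i}", "id": 4625, "user": u, "src": SPRAY_SRC}
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [
    {"ts": "2024-05-01T08:05:00", "id": 4625, "user": "grace", "src": "198.51.100.7"},
    {"ts": "2024-05-01T08:06:00", "id": 4624, "user": "grace", "src": "198.51.100.7"},
    {"ts": "2024-05-01T09:30:00", "id": 1102, "user": "admin", "src": "10.0.0.12"},
]

# Event IDs that record an audit log being cleared.
LOG_CLEARED_IDS = {1102, 104}


def find_log_clearing(events):
    """Return every record that indicates an audit log was cleared.

    Log clearing by itself is not always malicious, but the advisory calls it
    out as a signal to review, so each hit is returned for an analyst."""
    return [e for e in events if e["id"] in LOG_CLEARED_IDS]


def find_password_spray(events, min_accounts=5):
    """Map each source address to the distinct accounts it failed to log on to
    (Event ID 4625), keeping only sources at or above min_accounts.

    A spray hits many accounts a few times each, so counting distinct target
    accounts per source separates it from one user mistyping a password."""
    failed = defaultdict(set)
    for e in events:
        if e["id"] == 4625:
            failed[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failed.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    for hit in find_log_clearing(SAMPLE_EVENTS):
        print(f"log cleared at {hit['ts']} by {hit['user']} (Event ID {hit['id']})")
    for src, users in find_password_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(users)} accounts {users}")
```

The threshold of five accounts is a constructed starting point; in practice it should be tuned per environment and combined with a time window.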