Russian Cyber Intrusions Target Organizations to Monitor Humanitarian Aid Channels to Ukraine


A cyber espionage campaign attributed to the Russian state-sponsored group APT28 (also tracked as Fancy Bear and Forest Blizzard) has been targeting and infiltrating logistics and technology organizations since 2022, with a particular focus on the entities that coordinate and deliver aid to Ukraine. The operations have extended across the defense, transportation, IT services, air traffic, and maritime sectors in twelve European nations as well as the United States.

The group has used a range of techniques to monitor the movement of materiel into Ukraine, including unauthorized access to internet-connected cameras installed at border crossings, military installations, and transport hubs.

A consolidated advisory, issued by twenty-one intelligence and cybersecurity agencies from various countries, elaborates on the techniques and methodologies employed by APT28 during these cyber intrusions.

Tactical Approaches for Covert Infiltration

The report states that since 2022 APT28 has relied on password spraying, spear-phishing, and the exploitation of Microsoft Exchange and Outlook vulnerabilities. After compromising an initial target, the operators have abused its trust relationships with partner organizations in the transportation sector to extend their access into those partners.

APT28 has also compromised internet-connected cameras at border crossings into Ukraine to watch aid shipments. The targeted institutions are located in the United States, Bulgaria, Czech Republic, France, Germany, Greece, Italy, Moldova, Netherlands, Poland, Romania, Slovakia, and Ukraine.

According to the advisory, initial access was achieved using multiple vectors, including but not limited to:

– Credential guessing or brute-force methods
– Spear-phishing campaigns aimed at credential capture
– Delivering malware via spear-phishing
– Exploiting the Outlook NTLM vulnerability (CVE-2023-23397)
– Leveraging known vulnerabilities in Roundcube open-source webmail software (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
– Exploiting publicly accessible infrastructure, including corporate VPNs, via vulnerabilities and SQL injection
– Utilizing vulnerabilities in WinRAR (CVE-2023-38831)
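The first vector in the list, credential guessing, is the one a defender can catch most cheaply from authentication logs: a spray touches many accounts a few times each, whereas a brute force hammers one account. The following detection is an added example written for this article, not code from the joint advisory. Its log format (timestamp, `src`, `user`, `result`), the `SAMPLE_LOG` entries, and the thresholds are constructed assumptions; map the parser onto whatever your identity provider or VPN actually emits.

```python
"""Password-spray detection over authentication log lines.

Added example for this article; it is not code from the joint advisory.
The log format below (timestamp, src, user, result) and the sample
entries are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per authentication attempt.
# 203.0.113.5 tries five different accounts once each (spray pattern),
# 198.51.100.7 hammers a single account (brute force, not a spray).
SAMPLE_LOG = """\
2025-05-21T08:00:01Z src=203.0.113.5 user=alice result=FAIL
2025-05-21T08:00:03Z src=203.0.113.5 user=bob result=FAIL
2025-05-21T08:00:05Z src=203.0.113.5 user=carol result=FAIL
2025-05-21T08:00:07Z src=203.0.113.5 user=dave result=FAIL
2025-05-21T08:00:09Z src=203.0.113.5 user=erin result=FAIL
2025-05-21T08:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2025-05-21T08:01:00Z src=198.51.100.7 user=grace result=FAIL
2025-05-21T08:01:02Z src=198.51.100.7 user=grace result=FAIL
2025-05-21T08:01:04Z src=198.51.100.7 user=grace result=FAIL
2025-05-21T08:01:06Z src=198.51.100.7 user=grace result=FAIL
2025-05-21T09:30:00Z src=192.0.2.10 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5,
                 max_per_user=2, pool_sources=False):
    """Flag sources whose failures hit many accounts a few times each.

    Within a sliding window, a spray shows many distinct failed users with
    few failures per user; a brute force shows the opposite. With
    pool_sources=True every source is treated as one, which still catches
    a spray that is spread over many proxy addresses (the compromised
    SOHO-router technique the advisory describes).
    Returns {source: sorted list of sprayed users}.
    """
    fails = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails["*" if pool_sources else src].append((ts, user))

    findings = {}
    for src, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):          # sliding time window
            while items[end][0] - items[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in items[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = sorted(per_user)
                break
    return findings


def successes_from_spraying_sources(events, findings):
    """Accounts that authenticated successfully from a flagged source: reset these first."""
    return sorted({user for _, src, user, result in events
                   if result == "SUCCESS" and src in findings})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_spray(evs)
    print("spraying sources:", hits)
    print("likely compromised:", successes_from_spraying_sources(evs, hits))
```

On the constructed sample the per-source check flags only 203.0.113.5 and names `frank` as the account to reset, since his login from the spraying address succeeded. The per-source threshold is exactly what an actor routing through many nearby residential devices evades, so run the pooled variant as well, at the cost of a higher false-positive rate on large tenants.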

To maintain operational security, APT28 employed a strategy of routing communications through compromised small office/home office devices positioned near their intended targets.

Once within the victim’s network, the hackers conducted thorough reconnaissance to identify additional potential targets among internal contacts within cybersecurity, transport coordination, and partner organizations.

For lateral movement and collection they relied on native commands and open-source tools, including PsExec, Impacket, Remote Desktop Protocol, Certipy, and ADExplorer, to dump Active Directory information. They also harvested the email addresses of Office 365 users and registered their own multifactor authentication methods on compromised accounts, so that those accounts passed MFA checks and remained under the attackers' control.
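Registering an attacker-controlled MFA method is a loud event if you look for it: the registration comes from a source the account has no history with, minutes after the first sign-in from that source. The check below is an added example written for this article, not code from the advisory or from any identity provider. Its JSON event schema (`ts`, `user`, `event`, `src`, `method`), the `SAMPLE_AUDIT` records, and the 24-hour baseline are constructed assumptions; the real equivalents are your provider's sign-in and security-info registration audit events.

```python
"""Detect MFA method registrations from a source the account has never used.

Added example for this article; it is not code from the joint advisory.
The JSON event schema (ts, user, event, src, method) and the sample
records are constructed for illustration; map them onto your identity
provider's sign-in and security-info registration audit events.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit trail, one JSON object per line.
# alice's registration follows a sign-in from a never-seen address by
# four minutes; bob registers from the workstation he has used for days.
SAMPLE_AUDIT = """\
{"ts": "2025-05-19T09:00:00Z", "user": "bob",   "event": "signin", "src": "192.0.2.11"}
{"ts": "2025-05-20T09:00:00Z", "user": "alice", "event": "signin", "src": "192.0.2.10"}
{"ts": "2025-05-21T02:10:00Z", "user": "alice", "event": "signin", "src": "203.0.113.5"}
{"ts": "2025-05-21T02:14:00Z", "user": "alice", "event": "mfa_register", "src": "203.0.113.5", "method": "authenticator_app"}
{"ts": "2025-05-21T10:00:00Z", "user": "bob",   "event": "signin", "src": "192.0.2.11"}
{"ts": "2025-05-21T10:05:00Z", "user": "bob",   "event": "mfa_register", "src": "192.0.2.11", "method": "phone"}
"""


def parse_audit(text):
    """Parse newline-delimited JSON into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def suspicious_mfa_registrations(events, baseline=timedelta(hours=24)):
    """Return (user, src, method) for registrations from an unestablished source.

    A source counts as established for a user only if that user first
    signed in from it at least `baseline` before the registration. An
    intruder who has just logged in with sprayed or phished credentials
    and immediately adds an authenticator fails that test; a user
    enrolling from a workstation they have used for days passes it.
    """
    first_seen = {}   # (user, src) -> timestamp of first sign-in from src
    findings = []
    for rec in events:
        key = (rec["user"], rec["src"])
        if rec["event"] == "signin":
            first_seen.setdefault(key, rec["ts"])
        elif rec["event"] == "mfa_register":
            seen = first_seen.get(key)
            if seen is None or rec["ts"] - seen < baseline:
                findings.append((rec["user"], rec["src"], rec.get("method")))
    return findings


if __name__ == "__main__":
    for user, src, method in suspicious_mfa_registrations(parse_audit(SAMPLE_AUDIT)):
        print(f"review MFA enrollment: user={user} src={src} method={method}")
```

On the sample only alice's enrollment is reported. The baseline length is the tuning knob: too short and a freshly compromised account establishes its own history before registering; too long and every traveller trips it, so pair it with a review of the new method rather than an automatic block.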

A critical aspect of their operations involved targeting accounts that had access to sensitive information about aid shipments, which included details on senders and recipients, cargo contents, transportation routes, registration numbers, and endpoints.

Investigators have noted the use of specific malware, such as the Headlace and Masepie backdoors, during these operations. Data exfiltration was conducted using a variety of methods, chosen based on the individual victim’s environment, including both living-off-the-land techniques and malware.

In many cases the attackers kept a low profile by using infrastructure close to the victims, tunnelling over trusted protocols, and timing exfiltration sessions to blend in with normal activity.

Surveillance of Connected Cameras

A significant component of the espionage efforts includes the monitoring of camera feeds from traffic, military installations, railway stations, and border crossings, aimed at tracking logistical movements into Ukraine.

The advisory from government agencies reveals that over 10,000 cameras were targeted, with more than 80% located within Ukraine, followed by close to a thousand in Romania.

John Hultquist, chief analyst at Google Threat Intelligence Group, stated that while the goal of these operations is to surveil and identify support for battlefield activities, the intention also includes disrupting that support through physical or cyber means. He warns that entities involved in the transportation of aid to Ukraine should regard themselves as potential targets.

The joint cybersecurity advisory provides security recommendations, detection strategies, and indicators of compromise pertinent to the tools employed by the attackers, common email services utilized by the threat actor, malicious archive filenames, IP addresses, and exploitation specifics related to Outlook vulnerabilities.