Russian Threat Actors Target Email and VPN Vulnerabilities to Conduct Espionage on Ukrainian Aid Operations


A state-sponsored campaign that has targeted Western logistics entities and technology firms since 2022 has been attributed to Russian cyber threat actors. The campaign is assessed to be the work of APT28 (also known as BlueDelta, Fancy Bear, or Forest Blizzard), which is associated with the Russian General Staff Main Intelligence Directorate (GRU) and specifically linked to the 85th Main Special Service Center, Military Unit 26165.

The targets of this cyber offensive include companies responsible for arranging transport and distributing foreign assistance to Ukraine, as highlighted in a joint advisory issued by various governmental agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States.

The advisory states, “This cyber espionage-oriented campaign aimed at logistics entities and technology companies employs a combination of previously identified tactics, techniques, and procedures (TTPs). This is likely tied to these actors’ extensive targeting of IP cameras situated in Ukraine and neighboring NATO countries.”

This alert follows France’s foreign ministry accusing APT28 of executing cyber assaults on multiple entities such as government ministries, defense contractors, research institutions, and think tanks since 2021, with the intention of destabilizing the nation. Recently, ESET unveiled a campaign dubbed Operation RoundPress, ongoing since 2023, which exploits cross-site scripting (XSS) vulnerabilities in webmail services including Roundcube, Horde, MDaemon, and Zimbra. This particular effort has been focused on governmental entities and defense contractors in Eastern Europe, as well as various governments across Africa, Europe, and South America.

According to the latest advisory, the cyber attacks conducted by APT28 feature a mixture of password spraying, spear-phishing, and alterations of Microsoft Exchange mailbox permissions for espionage. Key targets encompass organizations located in NATO member states and Ukraine that operate within the defense, transportation, maritime, air traffic management, and IT services sectors. It is estimated that dozens of entities across Bulgaria, Czechia, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States have been affected.

Initial access to the targeted networks has reportedly been accomplished using seven distinct methods:

– Brute-force attacks to uncover user credentials.
– Spear-phishing strategies designed to collect credentials through fake login pages impersonating governments and Western cloud email providers hosted on compromised third-party services or SOHO devices.
– Spear-phishing designed to deliver malware.
– Exploitation of an Outlook NTLM vulnerability (CVE-2023-23397).
– Use of vulnerabilities found in Roundcube (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026).
– Exploitation of organizations’ internet-facing infrastructure, including corporate VPNs, via public vulnerabilities and SQL injection.
– Utilizing the WinRAR vulnerability (CVE-2023-38831).
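The first two access methods above (credential brute-forcing and the password spraying mentioned earlier in the advisory) leave a recognisable footprint in authentication logs: one source produces a small number of failures against many different accounts, rather than many failures against one. The following detector is an added example written for this article, not code from the advisory or from any vendor tool. The log line format, the IP addresses and the usernames are all constructed for the demonstration; the parser would need adapting to a real VPN, OWA or identity-provider log.

```python
"""Flag password-spraying sources in a simple authentication log.

Added illustrative example; the log format below is constructed and is not
from any particular product. A spray is distinguished from a single-account
brute force by counting distinct accounts per source inside a time window and
requiring few failures per account.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample log: "<ISO timestamp>Z src=<ip> user=<name> result=<OK|FAIL>"
# 203.0.113.7  -> one failure each against six accounts, then a success (spray)
# 198.51.100.9 -> six failures against one account (brute force, not a spray)
# 192.0.2.5    -> a typo followed by a success (benign)
SAMPLE_LOG = """\
2024-03-01T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T08:00:04Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T08:00:07Z src=203.0.113.7 user=carol result=FAIL
2024-03-01T08:00:10Z src=203.0.113.7 user=dave result=FAIL
2024-03-01T08:00:13Z src=203.0.113.7 user=erin result=FAIL
2024-03-01T08:00:16Z src=203.0.113.7 user=frank result=FAIL
2024-03-01T08:09:30Z src=203.0.113.7 user=frank result=OK
2024-03-01T08:01:00Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T08:01:02Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T08:01:04Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T08:01:06Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T08:01:08Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T08:01:10Z src=198.51.100.9 user=admin result=FAIL
2024-03-01T08:02:00Z src=192.0.2.5 user=alice result=FAIL
2024-03-01T08:02:20Z src=192.0.2.5 user=alice result=OK
this line is malformed on purpose and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(log_text):
    """Yield (timestamp, src, user, result) tuples; unparsable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        yield ts, m["src"], m["user"], m["result"]


def find_password_sprays(log_text, window=timedelta(minutes=10),
                         min_users=5, max_per_user=2):
    """Return {src: {"users": [...], "success_after_spray": bool}} for every
    source whose failed logins hit at least `min_users` distinct accounts inside
    `window`, with no more than `max_per_user` failures per account.
    A later successful login from the same source is recorded because it
    turns a noisy spray into a probable account compromise."""
    events = sorted(parse_events(log_text))
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, (start, _, _, _) in enumerate(fails):
            # Sliding window starting at each failure from this source
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e[0] - start <= window:
                    per_user[e[2]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                success_after = any(e[3] == "OK" and e[0] >= start for e in evs)
                findings[src] = {"users": sorted(per_user),
                                 "success_after_spray": success_after}
                break
    return findings


if __name__ == "__main__":
    for src, info in find_password_sprays(SAMPLE_LOG).items():
        print(src, info)
```

The `max_per_user` bound is what separates a spray from a lockout-triggering brute force on one account; tune `window` and `min_users` to the lockout policy of the service being monitored, and treat a `success_after_spray` hit as an incident rather than a mere alert.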

Once the Unit 26165 actors establish a foothold, they proceed to the post-exploitation stage, which entails reconnaissance to identify additional high-value targets, such as key individuals responsible for transport and cooperation with the victim organization.

The attackers are known to use tools such as Impacket, PsExec, and Remote Desktop Protocol (RDP) for lateral movement, and Certipy and ADExplorer.exe for collecting data from Active Directory environments. The advisory notes, “The actors would seek to exfiltrate lists of Office 365 users and facilitate continuous email collection.” They also manipulated mailbox permissions to maintain ongoing access to the mailboxes of compromised logistics entities.
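The mailbox-permission manipulation described above is persistence that survives a password reset, because the collector reads the victim's mail through a second account rather than through the victim's credentials. The following detector is an added example written for this article, not from the advisory or from any Microsoft tooling. It walks admin-audit records and flags `FullAccess` grants to accounts that are not the mailbox owner and not on a delegation allowlist, escalating when one grantee accumulates rights over several mailboxes. The record layout (`Operation`, `UserId`, `ObjectId`, `Parameters` as name/value pairs) is an assumption loosely modelled on exported Exchange audit entries, and every value in the sample is constructed.

```python
"""Flag suspicious Add-MailboxPermission grants in admin-audit records.

Added illustrative example. The JSON shape is an assumption modelled loosely
on exported Exchange admin-audit entries; all accounts and times are
constructed for the demonstration.
"""
import json
from collections import defaultdict

SAMPLE_RECORDS = json.dumps([
    # One service account quietly collects FullAccess on two mailboxes
    {"CreationTime": "2024-03-02T03:14:00", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.test", "ObjectId": "cfo@example.test",
     "Parameters": [{"Name": "Identity", "Value": "cfo@example.test"},
                    {"Name": "User", "Value": "svc-backup@example.test"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2024-03-02T03:15:10", "Operation": "Add-MailboxPermission",
     "UserId": "admin@example.test", "ObjectId": "logistics-ops@example.test",
     "Parameters": [{"Name": "Identity", "Value": "logistics-ops@example.test"},
                    {"Name": "User", "Value": "svc-backup@example.test"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    # Approved delegation: an assistant on the allowlist
    {"CreationTime": "2024-03-02T09:00:00", "Operation": "Add-MailboxPermission",
     "UserId": "helpdesk@example.test", "ObjectId": "hr@example.test",
     "Parameters": [{"Name": "Identity", "Value": "hr@example.test"},
                    {"Name": "User", "Value": "assistant@example.test"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    # A single grant to an unfamiliar account: worth a look, lower severity
    {"CreationTime": "2024-03-02T11:30:00", "Operation": "Add-MailboxPermission",
     "UserId": "helpdesk@example.test", "ObjectId": "ceo@example.test",
     "Parameters": [{"Name": "Identity", "Value": "ceo@example.test"},
                    {"Name": "User", "Value": "contractor@example.test"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    # Owner granting rights on their own mailbox and an unrelated operation: ignored
    {"CreationTime": "2024-03-02T12:00:00", "Operation": "Add-MailboxPermission",
     "UserId": "alice@example.test", "ObjectId": "alice@example.test",
     "Parameters": [{"Name": "Identity", "Value": "alice@example.test"},
                    {"Name": "User", "Value": "alice@example.test"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
    {"CreationTime": "2024-03-02T12:05:00", "Operation": "Set-Mailbox",
     "UserId": "admin@example.test", "ObjectId": "bob@example.test",
     "Parameters": [{"Name": "Identity", "Value": "bob@example.test"}]},
])


def _param(record, name):
    """Return the value of the named cmdlet parameter, or None if absent."""
    for p in record.get("Parameters", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None


def find_suspicious_mailbox_grants(records_json, allowlist=frozenset(), min_mailboxes=2):
    """Return {grantee: {"mailboxes": [...], "granted_by": [...], "severity": ...}}
    for every FullAccess grant to an account that is neither the mailbox owner
    nor on `allowlist`. A grantee holding rights on `min_mailboxes` or more
    mailboxes is rated "high"; a single grant is rated "medium"."""
    grants = defaultdict(lambda: {"mailboxes": set(), "granted_by": set()})
    for rec in json.loads(records_json):
        if rec.get("Operation") != "Add-MailboxPermission":
            continue
        rights = _param(rec, "AccessRights") or ""
        if isinstance(rights, list):
            rights = ",".join(rights)
        if "FullAccess" not in rights:
            continue
        grantee = (_param(rec, "User") or "").lower()
        mailbox = (rec.get("ObjectId") or _param(rec, "Identity") or "").lower()
        if not grantee or grantee == mailbox or grantee in allowlist:
            continue
        grants[grantee]["mailboxes"].add(mailbox)
        grants[grantee]["granted_by"].add((rec.get("UserId") or "").lower())

    findings = {}
    for grantee, g in grants.items():
        findings[grantee] = {
            "mailboxes": sorted(g["mailboxes"]),
            "granted_by": sorted(g["granted_by"]),
            "severity": "high" if len(g["mailboxes"]) >= min_mailboxes else "medium",
        }
    return findings


if __name__ == "__main__":
    for who, info in find_suspicious_mailbox_grants(
            SAMPLE_RECORDS, allowlist={"assistant@example.test"}).items():
        print(who, info)
```

Run against real exports, the same logic applies to folder-level and Send-As grants; the point is to baseline approved delegations in the allowlist so that an account acquiring read access to several unrelated mailboxes stands out, which is exactly the pattern the advisory associates with continuous email collection.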

The intrusions have seen the use of malware families such as HeadLace and MASEPIE, which enable persistence on compromised systems while harvesting sensitive data. However, there is no evidence that other observed malware variants such as OCEANMAP or STEELHOOK have been directly deployed against logistics or IT sectors.

During the data exfiltration process, the threat actors utilize varied techniques based on the specifics of the targeted environment. They often employ PowerShell commands to compile ZIP archives for uploading harvested data to their infrastructure or utilize Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) to extract information from email servers.

As stated in the advisory, “With Russian military forces failing to achieve their strategic objectives and Western countries providing support to bolster Ukraine’s territorial defense, Unit 26165 has broadened its focus toward logistics and technology firms involved in humanitarian aid delivery.” Furthermore, the actors have targeted internet-connected cameras at Ukrainian border crossings to surveil aid shipments.

Recent disclosures also indicate that suspected Russian threat actors are utilizing Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host fraudulent reCAPTCHA pages, employing ClickFix-style tactics to deceive users into downloading Lumma Stealer. Researchers from Cato Networks noted that this recent campaign enhances previous strategies, offering new delivery methods designed to evade detection while targeting technologically adept users.