Western Logistics and Technology Firms Targeted by APT28.


Dozens of Western logistics and technology companies involved in delivering aid to Ukraine have faced targeted cyber-espionage attacks attributed to a Russian state-backed threat actor over the past two years, as confirmed by allied security agencies.

These unnamed firms operate in sectors critical to national security, including defense, IT services, maritime operations, airports, ports, and air traffic management, across the United States and Europe.

The hacking group in question, APT28 (also known as Fancy Bear, Pawn Storm, Sednit, Sofacy, and Iron Twilight), is a sophisticated cyber-espionage unit linked to Unit 26165 of the GRU, Russia’s military intelligence service. It has a well-documented history of cyber-espionage activity, demonstrating advanced capabilities in reconnaissance and intrusion.

Security reports indicate that APT28 conducted reconnaissance on at least one organization engaged in producing critical components for industrial control systems (ICS) related to railway management; however, it has not been confirmed whether these attempts led to a successful breach.

Notable tactics, techniques, and procedures employed by the group during these operations include:

– Credential guessing and brute force attacks
– Spear phishing aimed at stealing credentials
– Spear phishing campaigns designed to deliver malware
– Exploiting Outlook NTLM vulnerability (CVE-2023-23397)
– Targeting Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
– Compromising internet-facing infrastructure, including corporate VPNs, using public vulnerabilities and SQL injection methods
– Exploiting WinRAR vulnerability (CVE-2023-38831)

In light of these developments, the UK’s National Cyber Security Centre advised technology and logistics executives and network defenders to recognize the significant threat posed by such cyber-espionage operations. Recommended actions include enhancing monitoring capabilities, implementing multi-factor authentication with robust factors such as passkeys, and ensuring timely application of security updates to mitigate vulnerabilities.

Targeting of Surveillance Cameras

APT28 has also concentrated efforts over the last two years on compromising private IP cameras and municipal traffic cameras located near Ukraine’s borders, military facilities, and rail stations. This strategy aims to monitor the movement of goods across the war-affected region.

According to security advisories, APT28 began targeting Real Time Streaming Protocol (RTSP) servers responsible for IP camera operations primarily situated in Ukraine as early as March 2022. This large-scale campaign involved attempts to enumerate devices and gain access to camera feeds, impacting over 10,000 devices across Ukraine and surrounding countries including Hungary, Romania, Slovakia, and Poland.
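Two of the behaviours described above, credential guessing against internet-facing logins and the enumeration of RTSP camera servers, share the same detection shape: many events from one source in a short window, spread across many accounts or many targets. The following added example (not code from the advisory or from any of the agencies cited here) runs one sliding-window burst detector over two constructed log samples; the hostnames, usernames and RFC 5737 documentation addresses in the samples are hypothetical, and the log formats are assumed rather than taken from any real product.

```python
"""Threshold detection over constructed logs: failed VPN logins from one source
(credential guessing) and RTSP DESCRIBE sweeps across many cameras from one
source (camera enumeration). Example code, not from the advisory."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: hypothetical hosts and RFC 5737 documentation addresses.
VPN_AUTH_LOG = """\
2024-05-03T08:12:01Z vpn01 auth user=jsmith src=203.0.113.5 result=FAIL
2024-05-03T08:12:04Z vpn01 auth user=jsmith src=203.0.113.5 result=FAIL
2024-05-03T08:12:07Z vpn01 auth user=mlee src=203.0.113.5 result=FAIL
2024-05-03T08:12:09Z vpn01 auth user=admin src=203.0.113.5 result=FAIL
2024-05-03T08:12:12Z vpn01 auth user=admin src=203.0.113.5 result=FAIL
2024-05-03T08:12:15Z vpn01 auth user=jsmith src=203.0.113.5 result=FAIL
2024-05-03T08:30:44Z vpn01 auth user=akhan src=198.51.100.7 result=FAIL
2024-05-03T08:30:58Z vpn01 auth user=akhan src=198.51.100.7 result=OK
"""

RTSP_LOG = """\
2024-05-03T09:00:00Z src=203.0.113.9 DESCRIBE rtsp://cam-01.example.net/live 401
2024-05-03T09:00:01Z src=203.0.113.9 DESCRIBE rtsp://cam-02.example.net/live 401
2024-05-03T09:00:02Z src=203.0.113.9 DESCRIBE rtsp://cam-03.example.net/live 404
2024-05-03T09:00:03Z src=203.0.113.9 DESCRIBE rtsp://cam-04.example.net/live 401
2024-05-03T09:00:04Z src=203.0.113.9 DESCRIBE rtsp://cam-05.example.net/live 200
2024-05-03T09:15:10Z src=192.0.2.44 DESCRIBE rtsp://cam-05.example.net/live 200
2024-05-03T09:15:11Z src=192.0.2.44 PLAY rtsp://cam-05.example.net/live 200
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_vpn_failures(text):
    """Return (timestamp, source_ip, username) for each failed VPN login."""
    events = []
    for line in text.splitlines():
        tokens = line.split()
        fields = dict(t.split("=", 1) for t in tokens[3:])  # key=value pairs
        if fields.get("result") == "FAIL":
            events.append((_ts(tokens[0]), fields["src"], fields["user"]))
    return events


def parse_rtsp_describes(text):
    """Return (timestamp, source_ip, camera_host) for each RTSP DESCRIBE request."""
    events = []
    for line in text.splitlines():
        ts, src, method, url, _status = line.split()
        if method == "DESCRIBE":
            host = url.split("//", 1)[1].split("/", 1)[0]
            events.append((_ts(ts), src.split("=", 1)[1], host))
    return events


def find_bursts(events, threshold, window_seconds):
    """Map each flagged source to (max_count, keys_in_that_window).

    A source is flagged when at least `threshold` of its events fall inside
    any sliding window of `window_seconds`. The key set (usernames or camera
    hosts) shows how widely the activity was spread."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, key in events:
        by_src[src].append((ts, key))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold and count > flagged.get(src, (0, set()))[0]:
                flagged[src] = (count, {k for _, k in items[start:end + 1]})
    return flagged


if __name__ == "__main__":
    for name, events in (("vpn", parse_vpn_failures(VPN_AUTH_LOG)),
                         ("rtsp", parse_rtsp_describes(RTSP_LOG))):
        for src, (count, keys) in find_bursts(events, 5, 60).items():
            print(f"{name}: {src} {count} events across {len(keys)} targets: {sorted(keys)}")
```

The threshold and window are deliberately loose here so the constructed samples trigger; in production the values, and whether the rule keys on distinct accounts or distinct camera hosts, should be tuned against the organisation's own baseline before alerting.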

The tactic of targeting IP cameras for intelligence-gathering purposes signals an interest typically associated with state-sponsored threats, as noted by experts. This access can provide critical insights into the logistics of goods being transported, including timing and volume, which can facilitate more precise targeting in military operations.

This pattern reflects a deeply ingrained strategy among state-sponsored adversaries, whereby the capacity to monitor and collect intelligence on supply chains and movements is critical to inform broader operational objectives.