Russian Cyberespionage Targets Aid Organizations Supporting Ukraine

A state-sponsored cyberespionage campaign attributed to the Russian hacking group APT28, also known as Fancy Bear or Forest Blizzard, has been targeting international organizations since 2022. The campaign aims to monitor and disrupt humanitarian aid efforts to Ukraine by compromising entities in the defense, transportation, IT services, air traffic, and maritime sectors across 12 European countries and the United States. Reports indicate that the hackers have also been tracking the movement of materials into Ukraine by accessing private camera feeds installed in strategic locations, such as border crossings and military installations.

The extensive joint advisory released by 21 intelligence and cybersecurity agencies highlights the various tactics, techniques, and procedures (TTPs) employed by APT28. Typical intrusion methods have included password spraying, spear-phishing, and exploiting vulnerabilities in Microsoft Exchange. Following the initial breach, the hackers have been reported to target related organizations in the transportation sector, aiming to exploit established trust relationships for further access.

According to the report, APT28 successfully used a variety of techniques to gain initial access, including credential guessing, spear-phishing for credentials, and exploiting known vulnerabilities in certain software. Attack vectors have included compromised internet-facing infrastructure, corporate VPNs, and known vulnerabilities such as CVE-2023-23397 in Microsoft Outlook and three in the Roundcube webmail software: CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026. Furthermore, the group has relied on infrastructure located close to the victim's network to conceal its communications, enhancing its operational stealth.

Another critical aspect of this cyberespionage campaign has involved the manipulation of internet-connected cameras used for monitoring aid shipments into Ukraine. More than 10,000 cameras have reportedly been targeted, the majority of them situated within Ukraine itself. John Hultquist, Chief Analyst at Google Threat Intelligence Group, emphasized that these efforts aim not only to gather intelligence on material support for the conflict but also to potentially disrupt those supply chains through both cyber and physical means. The advisory serves as an essential warning for all stakeholders involved in delivering material aid to Ukraine, underscoring the need for heightened awareness and security measures in these operations.