A joint cybersecurity advisory from 21 agencies across multiple countries has confirmed that APT28, a Russian state-sponsored threat group, has been conducting an ongoing cyberespionage campaign since 2022. The group has targeted aid logistics into Ukraine and compromised organizations in the defense, transportation, IT services, air traffic, and maritime sectors.
Known publicly as Fancy Bear or Forest Blizzard, APT28 is attributed to the Russian GRU's 85th Main Special Service Center (GTsSS), military unit 26165.
Attack Spanned 12 European Nations and the U.S.
The campaign targeted organizations in the United States, Ukraine, and 12 European countries:
Bulgaria, Czechia, France, Germany, Greece, Italy, Moldova, Netherlands, Poland, Romania, Slovakia, and the UK.
The hackers tracked material shipments to Ukraine and attempted to disrupt or delay logistical support. One key method involved hacking into internet-connected cameras located at border crossings, rail stations, and military installations.
“These incidents could be precursors to other serious actions,”
— John Hultquist, Google Threat Intelligence Group
Espionage Tools and Attack Vectors Used
APT28 used a combination of techniques to gain access, move laterally, and maintain persistence:
- Initial Access
  - Credential guessing and brute-force attacks against exposed login services
  - Spear phishing to steal credentials or deliver malware
  - Exploiting known vulnerabilities, including:
    - Outlook NTLM credential-leak vulnerability (CVE-2023-23397)
    - Roundcube webmail flaws (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
    - WinRAR archive-handling vulnerability (CVE-2023-38831)
  - SQL injection and exploitation of VPN appliances
- Stealth Techniques
  - Command-and-control traffic routed through compromised small-office/home-office devices geographically near the victims, so connections appear to come from local IP space
  - Living-off-the-land binaries and native tools for lateral movement
  - Tools and protocols included PsExec, Impacket, RDP, Certipy, and ADExplorer
- Persistence and Data Exfiltration
  - Exfiltrated Active Directory data, Office 365 user lists, and email from compromised accounts
  - Enrolled compromised accounts in multi-factor authentication (MFA) so the attacker's own device satisfied future MFA prompts
  - Targeted sensitive shipment data such as cargo details, travel routes, registration numbers, and destination information
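Two of the behaviours listed above, password spraying for initial access and MFA enrollment on a freshly compromised account, leave a recognisable sequence in authentication logs. The following detector is an added example written for this page, not code from the advisory or from any vendor product. It runs over a constructed, simplified log format (one event per line: timestamp, event type, `user=`, `src=`, optional `result=`); real identity-provider logs will need their own parser, and the thresholds (five distinct accounts within ten minutes, enrollment within 24 hours of the first successful login) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log for illustration only (not from the advisory).
# Format: <UTC timestamp> <event> user=<name> src=<ip> [result=ok|fail]
# 203.0.113.7 sprays six accounts, succeeds on carol, then enrolls MFA for carol.
# 198.51.100.5 is a legitimate user (dan) mistyping once, then enrolling MFA.
SAMPLE_LOG = """\
2025-05-20T08:00:01Z auth user=alice src=203.0.113.7 result=fail
2025-05-20T08:00:03Z auth user=bob src=203.0.113.7 result=fail
2025-05-20T08:00:05Z auth user=carol src=203.0.113.7 result=fail
2025-05-20T08:00:07Z auth user=dan src=203.0.113.7 result=fail
2025-05-20T08:00:09Z auth user=erin src=203.0.113.7 result=fail
2025-05-20T08:00:11Z auth user=frank src=203.0.113.7 result=fail
2025-05-20T08:02:40Z auth user=carol src=203.0.113.7 result=ok
2025-05-20T08:05:12Z mfa_enroll user=carol src=203.0.113.7
2025-05-20T09:10:00Z auth user=dan src=198.51.100.5 result=fail
2025-05-20T09:10:20Z auth user=dan src=198.51.100.5 result=ok
2025-05-20T09:12:00Z mfa_enroll user=dan src=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: result=(?P<result>\S+))?$"
)


def parse(log: str) -> list[dict]:
    """Parse the constructed log format into time-sorted event dicts."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole run
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def spraying_sources(events, window=timedelta(minutes=10), min_users=5) -> dict:
    """Return {src: users} for sources whose failed logins hit at least
    `min_users` distinct accounts inside any `window`-long interval.
    Spraying is "one or two guesses per account, many accounts", so we key
    on distinct users rather than on raw failure count."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "auth" and e["result"] == "fail":
            fails[e["src"]].append(e)
    hits = {}
    for src, evs in fails.items():
        for i, start in enumerate(evs):  # evs is already time-sorted
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                hits[src] = users
                break
    return hits


def suspicious_mfa_enrollments(events, sprays, lookahead=timedelta(hours=24)) -> list:
    """Accounts that logged in successfully from a spraying source and then
    enrolled an MFA method within `lookahead`: the persistence step the
    advisory describes. Returns (user, src, enrollment time) tuples."""
    first_success = {}  # user -> time of first success from a spraying source
    for e in events:
        if e["event"] == "auth" and e["result"] == "ok" and e["src"] in sprays:
            first_success.setdefault(e["user"], e["ts"])
    flagged = []
    for e in events:
        if e["event"] != "mfa_enroll" or e["user"] not in first_success:
            continue
        t0 = first_success[e["user"]]
        if t0 <= e["ts"] <= t0 + lookahead:
            flagged.append((e["user"], e["src"], e["ts"].isoformat()))
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    sprays = spraying_sources(evs)
    print("spraying sources:", {src: sorted(u) for src, u in sprays.items()})
    print("MFA enrolled after spray-origin login:", suspicious_mfa_enrollments(evs, sprays))
```

On the sample data only 203.0.113.7 is reported as a spraying source, and only carol's enrollment is flagged; dan's enrollment from 198.51.100.5 is ignored because that source never sprayed. The second stage is the useful part: a spray alone is noisy, but a spray followed by a success and a new MFA registration from the same source is the chain that turns a guessed password into durable access.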
Over 10,000 Surveillance Cameras Compromised
APT28 also targeted over 10,000 connected cameras, 80% of which were located in Ukraine. Nearly 1,000 were in Romania. These cameras helped monitor the movement of military and aid shipments.
“Anyone involved in sending material aid to Ukraine should consider themselves targeted,”
— John Hultquist, Google Threat Intelligence Group
Malware and Infrastructure Tactics
The threat group deployed the Headlace and Masepie backdoors and tailored its data exfiltration methods to each victim's environment. It blended malicious activity into trusted protocols and local infrastructure, and at times deliberately slowed its operations to avoid detection.
Advisory Shares Defensive Measures and Indicators
The joint advisory includes:
- Indicators of compromise (IOCs)
- Scripts and utilities used
- Known IPs and malicious archive filenames
- Email providers used by APT28
- Details on Outlook and webmail exploitation
The advisory serves as a detailed technical blueprint for organizations to identify, detect, and defend against APT28’s methods.