Russian cyber threat actors have been linked to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022. This activity, attributed to APT28 (also known as BlueDelta, Fancy Bear, or Forest Blizzard), is connected to the Russian General Staff Main Intelligence Directorate (GRU) and its Military Unit 26165. The targets predominantly include organizations involved in the coordination and transport of foreign aid to Ukraine, as indicated by a joint advisory from multiple international agencies.

The campaign utilizes a mix of previously documented tactics, techniques, and procedures (TTPs), and is linked to the actors’ broad targeting of IP cameras in Ukraine and neighboring NATO countries. This advisory follows recent accusations from France’s foreign ministry, which claims APT28 has been attacking various entities, including ministries and defense firms, in an effort to destabilize the nation.

ESET recently uncovered an ongoing operation dubbed "Operation RoundPress," which exploits vulnerabilities in various webmail services to target governmental and defense entities across Eastern Europe and other regions. The attacks employ methods such as password spraying, spear-phishing, and modifications to Microsoft Exchange mailbox permissions to facilitate espionage.

Primary targets include organizations in NATO member states and Ukraine, spanning defense, transportation, maritime, air traffic management, and IT services. Affected countries encompass Bulgaria, Germany, Greece, Italy, and more. The campaign is seen as a significant risk to these organizations, especially given their critical roles in delivering assistance to Ukraine, as highlighted by officials from the UK’s National Cyber Security Centre.

The threat actors reportedly gain initial access through various means, including brute-force attacks, spear-phishing with fake login pages impersonating government agencies, and exploiting known vulnerabilities in popular software and services. Once access is secured, reconnaissance is conducted to identify further targets, often leading to the use of tools for lateral movement and information exfiltration.

Notably, the attackers have been seen using malware families like HeadLace and MASEPIE to maintain persistence on compromised systems. During the data exfiltration process, they utilize PowerShell scripts to manage the collected data and leverage other protocols to siphon sensitive information from email servers.

As military forces continue to pursue their objectives in Ukraine, the targeting of logistics entities and technology firms has reportedly intensified, suggesting that these cyber activities represent an ongoing threat in the context of the conflict and the geopolitical landscape surrounding it.
