Russian GRU Targeting Western Logistics Entities and Technology Companies
A joint cybersecurity advisory highlights a Russian state-sponsored cyber campaign targeting logistics entities and technology companies involved in foreign assistance to Ukraine. The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165, has been conducting a cyber espionage-oriented campaign using a mix of previously disclosed tactics, techniques, and procedures (TTPs). The campaign targets technology companies and logistics entities, including those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The actors' TTPs include reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. The campaign is likely connected to the actors' wide-scale targeting of IP cameras in Ukraine and bordering NATO nations. The authors of the advisory expect similar targeting and TTP use to continue. Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting and increase monitoring and threat hunting for known TTPs and indicators of compromise. The campaign has targeted dozens of entities across virtually all transportation modes, including air, sea, and rail, and has targeted entities associated with defense industry, transportation, maritime, air traffic management, and other sectors. The countries with targeted entities include Bulgaria, Czech Republic, France, Germany, Greece, Italy, Moldova, Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The actors have used various techniques to gain initial access to targeted entities, including credential guessing, spearphishing, and exploitation of vulnerabilities.