
State-sponsored hackers from the Russian military intelligence service GRU have been carrying out cyberattacks on armed forces, government departments, and companies in Western countries since 2022. Their main objective has been to disrupt aid efforts to Ukraine.
The Russian secret service targeted airports, the defense and logistics industry, the maritime sector, trains, IT companies, and air traffic control. In addition, they hacked security cameras at key locations, such as the Ukrainian border, military installations, and rail stations, to see what kind of aid was being delivered to Ukraine.
A joint cybersecurity advisory (CSA) by the National Security Agency (NSA), Cybersecurity & Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) claims that APT28, a well-known state-sponsored cyber threat from Russia, is responsible for these attacks.
APT28, also known as Fancy Bear, Forest Blizzard, BlueDelta, Unit 26165, and a variety of other identifiers, has been carrying out cyber operations against Western countries since February 2022 for purposes of espionage, destruction, and influence. More recently, members of APT28 have tried to disrupt aid operations to Ukraine.
Targeted organizations are located in Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States.
To gain initial access to targeted entities, APT28 uses techniques such as credential guessing, brute-force attacks, spearphishing, and the exploitation of publicly known vulnerabilities (CVEs). To hide the origin of their attacks, APT28 routed their communication through compromised small office/home office (SOHO) devices located near the target.
For lateral movement and collection, APT28 used native commands and open-source tools such as PsExec, Impacket, Remote Desktop Protocol, Certipy, and ADExplorer, including to exfiltrate Active Directory information. APT28 also located and exfiltrated lists of Office 365 users to collect email addresses.
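Two of the behaviours named above, credential guessing and PsExec/Impacket-style lateral movement, leave well-known traces in Windows event logs: repeated logon failures (event 4625) from one source, and service installations (event 7045) whose service name or binary location matches a remote-execution tool. The script below is an added example, not code from the advisory or from the agencies involved; the events it runs over are constructed sample records, the thresholds and the site allowlist are assumptions, and the "short random-letter service name in the system root" heuristic for Impacket's psexec.py is an analyst rule of thumb, not a documented indicator.

```python
"""Defender-side detection sketch for two APT28 behaviours described in the advisory
summary: credential guessing/brute force and PsExec/Impacket-style service installs.
All events, thresholds and the allowlist below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical; not telemetry from the advisory).
SAMPLE_EVENTS = [
    # One external source tries five different accounts, then gets a success: spraying.
    {"ts": "2024-01-10T03:00:01", "id": 4625, "src_ip": "203.0.113.7", "user": "alice", "host": "DC01"},
    {"ts": "2024-01-10T03:00:04", "id": 4625, "src_ip": "203.0.113.7", "user": "bob", "host": "DC01"},
    {"ts": "2024-01-10T03:00:07", "id": 4625, "src_ip": "203.0.113.7", "user": "carol", "host": "DC01"},
    {"ts": "2024-01-10T03:00:10", "id": 4625, "src_ip": "203.0.113.7", "user": "dave", "host": "DC01"},
    {"ts": "2024-01-10T03:00:13", "id": 4625, "src_ip": "203.0.113.7", "user": "erin", "host": "DC01"},
    {"ts": "2024-01-10T03:00:20", "id": 4624, "src_ip": "203.0.113.7", "user": "erin", "host": "DC01"},
    # A user mistyping their own password twice: benign noise the rule must ignore.
    {"ts": "2024-01-10T08:15:00", "id": 4625, "src_ip": "10.0.0.25", "user": "frank", "host": "DC01"},
    {"ts": "2024-01-10T08:15:20", "id": 4625, "src_ip": "10.0.0.25", "user": "frank", "host": "DC01"},
    {"ts": "2024-01-10T08:15:40", "id": 4624, "src_ip": "10.0.0.25", "user": "frank", "host": "DC01"},
    # Service installs (System log 7045) on a file server.
    {"ts": "2024-01-10T03:05:00", "id": 7045, "host": "FS01", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2024-01-10T03:06:00", "id": 7045, "host": "FS01", "service": "QkTzLwPa", "image": r"%systemroot%\QkTzLwPa.exe"},
    {"ts": "2024-01-10T09:00:00", "id": 7045, "host": "FS01", "service": "Sysmon64", "image": r"C:\Windows\Sysmon64.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_credential_guessing(events, window=timedelta(minutes=5), min_users=5, min_failures=10):
    """Flag a source IP whose failed logons (4625) inside one sliding window hit either
    many distinct accounts (password spraying) or one account many times (brute force).
    A later successful logon (4624) from the same source is recorded as escalation context."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src_ip"]].append(e)
    findings = []
    for src, fails in by_src.items():
        fails.sort(key=_ts)
        lo = 0
        for hi in range(len(fails)):
            while _ts(fails[hi]) - _ts(fails[lo]) > window:  # shrink window from the left
                lo += 1
            chunk = fails[lo:hi + 1]
            users = {f["user"] for f in chunk}
            kind = None
            if len(users) >= min_users:
                kind = "password_spray"
            elif len(chunk) >= min_failures and len(users) == 1:
                kind = "brute_force"
            if kind:
                success = any(x["id"] == 4624 and x["src_ip"] == src and _ts(x) >= _ts(chunk[0])
                              for x in events)
                findings.append({"type": kind, "src_ip": src, "distinct_users": len(users),
                                 "failures": len(chunk), "followed_by_success": success})
                break  # one finding per source is enough for triage
    return findings


PSEXEC_SERVICE = "PSEXESVC"                       # Sysinternals PsExec default service name
RANDOM_NAME = re.compile(r"^[A-Za-z]{4,8}$")      # assumption: short random-letter names as impacket psexec.py generates
SYSROOT_DROP = re.compile(r"^(%systemroot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)
KNOWN_GOOD_SERVICES = {"Sysmon64"}                # constructed site allowlist


def detect_remote_service_install(events):
    """Flag 7045 service installs that look like PsExec (fixed name) or Impacket's psexec.py
    (random-letter service whose binary was dropped straight into the system root via ADMIN$)."""
    findings = []
    for e in events:
        if e["id"] != 7045 or e["service"] in KNOWN_GOOD_SERVICES:
            continue
        if e["service"].upper() == PSEXEC_SERVICE:
            findings.append({"type": "psexec_service", "host": e["host"], "service": e["service"]})
        elif SYSROOT_DROP.match(e["image"]) and RANDOM_NAME.match(e["service"]):
            findings.append({"type": "impacket_style_service", "host": e["host"], "service": e["service"]})
    return findings


def run_detections(events):
    return detect_credential_guessing(events) + detect_remote_service_install(events)


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

The spray rule keys on distinct accounts per source rather than failures per account, which is what defeats lockout-aware guessing; the service rule pairs a service-name pattern with the drop location so that an ordinary installer placing a binary under Program Files does not fire it. Both thresholds should be tuned against a baseline of the environment's own 4625 and 7045 volume before alerting on them.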
By making APT28’s tactics, techniques, and procedures (TTPs) public, intelligence agencies hope to disrupt the cyber threat’s operations.
“APT28 wants to obtain military, diplomatic, and economic information about Ukraine and NATO allies. This GRU unit tries to gain insight into the transport of Western military aid through its operations, both inside and outside Ukraine. That is why countries such as the Netherlands, which are part of the supply route, are the target of these cyber operations,” says Peter Reesink, Director of the Military Intelligence and Security Service (MIVD) in the Netherlands.