The US cybersecurity agency CISA is sounding the alarm over what it calls an “elevated threat” from Russia’s military-intelligence hackers, warning that Unit 26165 (APT28/Fancy Bear) is systematically zeroing in on Western logistics and technology firms that move weapons, aid and other supplies into Ukraine.
The alert, issued Wednesday alongside US, UK, German and dozens of other allied agencies, urges organizations in the logistics space to assume they are already in the sights of Russian APTs and to “posture network defenses with a presumption of targeting.”
According to technical documentation released by CISA, the GRU-linked espionage campaign has been underway since early 2022, expanding as the war in Ukraine intensified.
The agency said shipping brokers, rail operators, port authorities, air-traffic managers, defense contractors and the IT companies that connect them have all been swept up in the operation, with victims logged across at least 13 NATO countries, the US and Ukraine.
“The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed,” the agency said.
The CISA joint advisory describes a Moscow hacker playbook that mixes old-school password-spraying and spear-phishing runs with more surgical exploits. The group has been seen launching exploits against Microsoft Outlook’s NTLM bug (CVE-2023-23397) to collect NTLM hashes, and a trio of Roundcube webmail flaws and last year’s WinRAR archive bug to break in, then piggybacking on home-office routers and other edge gear to cover its tracks.
Once inside, CISA explained, the operators escalate quickly: abusing Exchange mailbox permissions to harvest email at scale, looting Active Directory with Impacket and PsExec, and dropping custom malware such as HEADLACE and MASEPIE to maintain persistence and exfiltrate stolen data.
“After an initial compromise using one of the above methods, Unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions. The actors also conducted reconnaissance of the cybersecurity department, individuals responsible for coordinating transport, and other companies cooperating with the victim entity,” according to the advisory.
One priority target is shipping manifests, including train, plane and container numbers that CISA notes reveal exactly what is headed to Ukraine and when. The advisory links the network intrusions to a parallel effort that hijacked thousands of IP cameras at border crossings and rail yards, giving Russian intelligence a real-time view of aid convoys.
The government is pushing organizations in the targeted sectors to tighten identity controls, deploy phishing-resistant multi-factor authentication (MFA), hunt aggressively for the Outlook, Roundcube and WinRAR exploit chains, and assume any publicly exposed system can be a foothold.
“Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of Unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs),” the agency said.
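To make the "hunt for known TTPs" advice concrete, here is an added example (not code from CISA or the advisory) of three simplified detection rules run over constructed log records: a PsExec service install in the Windows System log (event 7045), a FullAccess grant on someone else's Exchange mailbox in the admin audit log, and an outbound SMB (TCP/445) flow to a non-RFC1918 host, which is the path the Outlook CVE-2023-23397 reminder trick uses to leak NTLM hashes. Hostnames, accounts, addresses and log field names are all invented for the example; the RFC1918-only definition of "internal" is an assumption you would replace with your own address plan.

```python
"""Added hunt example (not CISA's code): three simplified rules over constructed logs."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this toy: only RFC1918 space counts as "internal".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (hosts, accounts and addresses are invented).
SAMPLE_EVENTS = [
    # Windows System log 7045 (service installed); Sysinternals PsExec installs PSEXESVC.
    {"source": "windows", "event_id": 7045, "host": "WS-ACCT-07",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"source": "windows", "event_id": 7045, "host": "WS-ACCT-07",
     "service_name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    # Exchange admin audit entries: one FullAccess delegation, one unrelated cmdlet.
    {"source": "exchange_audit", "cmdlet": "Add-MailboxPermission",
     "caller": "svc-backup", "mailbox": "ceo", "user": "svc-backup",
     "access_rights": "FullAccess"},
    {"source": "exchange_audit", "cmdlet": "Set-Mailbox",
     "caller": "helpdesk", "mailbox": "ceo", "user": "", "access_rights": ""},
    # Firewall flows: SMB to an external host vs. SMB to an internal file server.
    {"source": "firewall", "src": "10.20.30.44", "dst": "203.0.113.5", "dport": 445, "proto": "tcp"},
    {"source": "firewall", "src": "10.20.30.44", "dst": "10.20.1.10", "dport": 445, "proto": "tcp"},
]


@dataclass(frozen=True)
class Finding:
    rule: str      # which rule fired
    subject: str   # host or account the finding is about
    detail: str    # what was observed


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rule_psexec_service(evt: dict) -> Optional[Finding]:
    """Service install whose name or binary is PSEXESVC (PsExec remote execution)."""
    if evt.get("source") != "windows" or evt.get("event_id") != 7045:
        return None
    blob = f"{evt.get('service_name', '')} {evt.get('image_path', '')}".strip()
    if re.search(r"psexesvc", blob, re.IGNORECASE):
        return Finding("psexec-service-install", evt["host"], blob)
    return None


def rule_mailbox_delegation(evt: dict) -> Optional[Finding]:
    """FullAccess granted on a mailbox to an account other than its owner."""
    if evt.get("source") != "exchange_audit" or evt.get("cmdlet") != "Add-MailboxPermission":
        return None
    if "fullaccess" in evt.get("access_rights", "").lower() and evt.get("user") != evt.get("mailbox"):
        return Finding("mailbox-fullaccess-grant", evt["caller"],
                       f"{evt['user']} granted FullAccess on {evt['mailbox']}")
    return None


def rule_outbound_smb(evt: dict) -> Optional[Finding]:
    """TCP/445 from an internal client to a non-internal host (NTLM hash leak path)."""
    if evt.get("source") != "firewall" or evt.get("proto") != "tcp" or evt.get("dport") != 445:
        return None
    if is_internal(evt["src"]) and not is_internal(evt["dst"]):
        return Finding("outbound-smb-external", evt["src"], f"SMB to {evt['dst']}:445")
    return None


RULES = (rule_psexec_service, rule_mailbox_delegation, rule_outbound_smb)


def hunt(events: List[dict]) -> List[Finding]:
    """Apply every rule to every event, preserving event order."""
    findings = []
    for evt in events:
        for rule in RULES:
            finding = rule(evt)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

Two caveats when adapting this: the service rule only matches the Sysinternals tool, since Impacket's psexec.py uses randomized service and binary names, so in practice you would broaden it to any 7045 whose image path points at an unusual location; and the SMB rule is only useful if outbound 445 is not already blocked at the perimeter, which is the simpler fix for the NTLM-leak class of problem.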