UK and Allies Expose Russian Intelligence Campaign Targeting Western Logistics and Technology Organisations
This exposure supports broader UK and US efforts, including sanctions, to counter Russian interference in Ukraine aid.
The UK’s National Cyber Security Centre (NCSC), in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, and cyber authorities from eight other countries, including France and Germany, has exposed a Russian military intelligence (GRU Unit 26165, aka APT28) cyber campaign targeting organizations supporting Ukraine.
Active since at least January 2022, the campaign focuses on logistics, defense, and technology entities involved in coordinating and delivering foreign aid to Ukraine, including air, sea, and rail transport.
As CISA describes, the attackers employed spear-phishing, credential harvesting, and exploitation of Microsoft Exchange Server vulnerabilities (e.g., CVE-2021-26855) to gain persistent access to networks. Tactics include using compromised accounts for privilege escalation, lateral movement, and data exfiltration, often via cloud-based services to obscure the activity.
Specific methods include NTLM hash capture, Kerberos ticket attacks, and deploying remote access tools like AnyDesk. The advisory highlights risks to critical infrastructure and urges organizations to implement multifactor authentication, patch vulnerabilities, and monitor for suspicious activity.
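A defender-side illustration of the monitoring the advisory urges, added here and not part of the NCSC/CISA advisory or this article: two simple rules run over constructed Windows Security event records, one flagging execution of an unsanctioned remote access tool such as AnyDesk (event 4688), the other NTLM network logons from outside expected address ranges (event 4624). The tool list, address prefixes and event records are assumptions, not values from the advisory.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample records (simplified Windows Security events), not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4688", "Computer": "WS-07", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe"},
    {"EventID": "4688", "Computer": "WS-07", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": "4624", "Computer": "FS-01", "TargetUserName": "svc_backup", "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "IpAddress": "192.0.2.45"},
    {"EventID": "4624", "Computer": "FS-01", "TargetUserName": "bob", "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.1.2.3"},
]

# Assumed policy values: tools not approved for this estate, and the address
# prefixes from which NTLM network logons are considered normal.
UNSANCTIONED_TOOLS = {"anydesk.exe"}
EXPECTED_NTLM_PREFIXES = ("10.1.",)

Finding = Tuple[str, str, str]  # (rule name, computer, detail)


def check_tool_execution(ev: Dict[str, str]) -> Optional[Finding]:
    """4688: process creation whose image name is an unsanctioned remote access tool."""
    if ev.get("EventID") != "4688":
        return None
    image = ev.get("NewProcessName", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image in UNSANCTIONED_TOOLS:
        return ("unsanctioned_remote_access_tool", ev["Computer"],
                f"{ev.get('SubjectUserName')} started {image}")
    return None


def check_ntlm_logon(ev: Dict[str, str]) -> Optional[Finding]:
    """4624 network logon (type 3) using NTLM from an address outside the expected ranges."""
    if (ev.get("EventID") != "4624" or ev.get("LogonType") != "3"
            or ev.get("AuthenticationPackageName") != "NTLM"):
        return None
    ip = ev.get("IpAddress", "")
    if not ip.startswith(EXPECTED_NTLM_PREFIXES):
        return ("ntlm_logon_unexpected_source", ev["Computer"],
                f"{ev.get('TargetUserName')} via NTLM from {ip}")
    return None


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run every rule over every event and return findings in event order."""
    rules = (check_tool_execution, check_ntlm_logon)
    return [hit for ev in events for rule in rules if (hit := rule(ev))]
```

In production the event source would be a SIEM query or forwarded Windows event logs rather than an inline list, and the address prefixes would come from the organisation's own network inventory.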
The Russian Cybersecurity Threat
Russian cyber threats extend beyond the APT28 campaign targeting Ukraine aid logistics. Here’s a concise overview of other significant Russian cyber activities, based on recent intelligence and advisories:
- SolarWinds Breach (2020): Attributed to Russia’s SVR (Midnight Blizzard), this espionage campaign compromised multiple U.S. government agencies and private sector entities by exploiting a software supply chain vulnerability. It involved data theft and persistent network access, showcasing Russia’s advanced capabilities in cyber espionage.
- NotPetya Attack (2017): Linked to Russian military hackers, this destructive malware, disguised as ransomware, targeted Ukrainian infrastructure but caused global damage estimated at $10 billion. It disrupted critical systems, including the UK’s National Health Service, highlighting Russia’s use of indiscriminate cyberattacks.
- Viasat Attack (2022): Hours before Russia’s invasion of Ukraine, GRU-linked actors targeted Viasat’s satellite communications, disrupting Ukrainian networks and affecting European wind farms and internet users. This demonstrated Russia’s intent to degrade critical infrastructure during conflicts.
- DDoS and Wiper Malware Campaigns: Since the 2022 Ukraine invasion, Russian state-sponsored groups and aligned cybercriminals (e.g., Killnet, XakNet) have conducted DDoS attacks and deployed wiper malware against Ukrainian government, financial, and energy sectors, aiming to disrupt operations and public access to information.
- Disinformation and Hacktivism: Russian actors, including state-backed groups and “patriotic hackers,” spread disinformation and conduct hacktivist operations, such as DDoS attacks on NATO countries’ critical infrastructure (e.g., Czech banks, Italian government websites). These often align with geopolitical goals, like undermining support for Ukraine.
- Critical Infrastructure Targeting: Russian cyberattacks have historically targeted power grids (e.g., 2015 BlackEnergy and 2016 Industroyer attacks in Ukraine) and continue to threaten Western infrastructure, including energy, telecom, and IoT devices, with potential for physical disruption.
- Cybercrime Ecosystem: The Russian-speaking cybercriminal underground, often state-tolerated, pioneers advanced techniques like ransomware-as-a-service (e.g., Conti, LockBit) and integrates cybercrime with physical crime, offering services like “violence-as-a-service” and psychological operations.
- Mitigation Recommendations: Organizations should prioritize multifactor authentication, patch known vulnerabilities (e.g., Microsoft Exchange CVEs), segment networks, and monitor for phishing and credential theft. Enhanced threat intelligence and international cooperation are critical to counter Russia’s sophisticated, evolving cyber ecosystem.
These threats reflect Russia’s strategic use of cyber operations for espionage, disruption, and influence, often leveraging proxies for plausible deniability.