Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
A notorious Russian hacking unit was blamed on Wednesday for conducting a widespread campaign that officials say “presents a serious risk” to the targeted organizations and sectors in more than a dozen countries.
In a joint cybersecurity advisory co-sealed by what appears to be a record number of allied countries (11) and intelligence agencies (21), the hacking group widely known as Fancy Bear, BlueDelta and APT28 was accused of being behind attempted digital break-ins at multiple Western logistics providers and technology firms.
“Dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail” have been targeted in the campaign within NATO member states, within Ukraine, and at international organisations, according to the advisory.
Alongside the “espionage-oriented campaign,” the hackers are also believed to have accessed legitimate municipal traffic cams as well as “private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine.”
The hackers also “conducted reconnaissance on at least one entity involved in the production of industrial control system components for railway management, though a successful compromise was not confirmed,” warned the advisory.
The intelligence agencies formally attributed the attacks to the “85th Main Special Service Center (85th GTsSS), military unit 26165” of Russia’s military intelligence agency, the GRU, and acknowledged the hacking unit’s campaigns were tracked under a number of names, including Fancy Bear and APT28.
Although the campaign did not utilize any novel techniques — with the hackers described as gaining initial access to their victims’ networks by “using a mix of previously disclosed techniques, including credential guessing, spear-phishing and exploitation of Microsoft Exchange mailbox permissions” — the widespread nature of the campaign has prompted the advisory encouraging potential victims to shore up their defenses.
Paul Chichester, the director of operations at Britain’s National Cyber Security Centre (NCSC), said: “This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine.
“The UK and partners are committed to raising awareness of the tactics being deployed. We strongly encourage organisations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks,” added Chichester.
The NCSC said that executives at technology and logistics companies, as well as network defenders, needed to recognise the elevated threat of targeting “and take immediate action to protect themselves.”
Agencies from the U.K., U.S., Germany, France, Canada, Czechia, Poland, Australia, Estonia, Denmark and the Netherlands co-signed the advisory.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.