Russia-Backed Cyber Espionage Targets Western Logistics and Tech Firms

A coordinated international cybersecurity advisory has identified a long-running cyber-espionage campaign attributed to Russian state-sponsored actors. Since 2022, these campaigns have targeted logistics and technology companies—particularly those involved in supporting Ukraine amid ongoing conflict.

The responsible group is APT28, also known as Fancy Bear, BlueDelta, or Forest Blizzard. This advanced persistent threat (APT) group is tied to Russia’s GRU Military Intelligence, specifically the 85th Main Special Service Center, Military Unit 26165.

Geopolitical Context and Motivations

The campaign aligns with broader Russian efforts to disrupt support for Ukraine. Victims include firms coordinating, transporting, or delivering foreign aid to Ukraine. A joint advisory was released by intelligence and cybersecurity agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States, highlighting the international scale of concern.

APT28’s cyber activities support military operations by targeting infrastructure and supply chains critical to Ukraine and NATO nations.

Attack Methods and Tools

APT28 has employed a range of sophisticated tactics, techniques, and procedures (TTPs) to infiltrate networks and exfiltrate sensitive data.

Initial Access Techniques

According to the advisory, APT28 uses seven main vectors to gain unauthorized access:

  1. Brute-force attacks to guess passwords

  2. Spear-phishing with fake login pages mimicking government or cloud providers

  3. Spear-phishing with malware payloads

  4. Outlook NTLM vulnerability exploitation – CVE-2023-23397

  5. Roundcube webmail vulnerabilities – CVE-2020-12641, CVE-2020-35730, CVE-2021-44026

  6. Public-facing infrastructure exploitation, including SQL injection and VPN flaws

  7. WinRAR vulnerability abuse – CVE-2023-38831

Post-Exploitation Behavior

Once inside the target network, APT28 focuses on espionage and long-term data collection. Post-exploitation activities include:

  • Reconnaissance of internal systems and personnel

  • Lateral movement using tools like Impacket, PsExec, and Remote Desktop Protocol (RDP)

  • Credential harvesting via Certipy and ADExplorer.exe

  • Persistent access through the manipulation of Microsoft Exchange mailbox permissions

  • Target identification, including transport coordinators and logistics partners

Their end goal is to locate sensitive communications and maintain ongoing access, particularly by exfiltrating Office 365 user lists and setting up automated email collection.

Malware Families Used

APT28 leverages custom malware for persistence and data theft:

  • HeadLace and MASEPIE: Used to harvest sensitive files and establish backdoor access

  • OCEANMAP and STEELHOOK: While notable, these were not used in this particular campaign

Data exfiltration is conducted via:

  • PowerShell scripts to compress data into ZIP files

  • Exchange Web Services (EWS) and IMAP to extract email data

Recent Campaigns and Additional Insights

APT28’s activity has expanded beyond Ukraine and NATO, targeting governments in Africa, Europe, and South America through vulnerabilities in email platforms like Roundcube, Horde, MDaemon, and Zimbra—a campaign dubbed Operation RoundPress by cybersecurity firm ESET.

In a related revelation, France’s foreign ministry recently accused APT28 of targeting over a dozen French entities since 2021, including defense contractors, ministries, and think tanks, as part of a destabilization effort.

Abuse of Cloud Infrastructure

Researchers from Cato Networks also reported that Russian-aligned actors are abusing cloud storage services like:

  • Tigris Object Storage

  • Oracle Cloud Infrastructure (OCI)

  • Scaleway Object Storage

These platforms are used to host fake reCAPTCHA pages that deliver malware like Lumma Stealer—a tactic designed to trick even technically savvy users by mimicking legitimate services (known as ClickFix-style lures).

Who Is at Risk?

Entities operating in the following sectors are considered high-risk:

  • Defense contractors

  • Transportation and logistics providers

  • Air traffic management

  • Maritime coordination

  • IT service providers

Organizations across NATO member states and Ukraine, including those in Bulgaria, France, Germany, Poland, the U.S., and others, have been specifically targeted.

How to Protect Your Organization

To mitigate risks posed by APT28 and similar groups:

  • Patch known vulnerabilities immediately (especially the CVEs listed above)

  • Enforce strong password policies and enable multi-factor authentication (MFA)

  • Monitor email permissions and mailbox rules in Microsoft Exchange and Office 365

  • Restrict access to critical infrastructure, especially externally facing services

  • Train employees to recognize phishing emails and social engineering attempts

  • Use endpoint detection and response (EDR) tools to identify lateral movement
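The mailbox-permission tampering and automated email collection described above, and the advice to monitor mailbox permissions and rules, can be turned into a concrete check. The following is an added example, not code from the advisory or from Cyber Syrup: it scans constructed Office 365 unified-audit-log records (the field names follow the Exchange admin-audit shape; the mailboxes, addresses and the trusted-domain list are assumptions) and flags folder permissions granted to Default/Anonymous and inbox rules that forward externally or silently delete mail.

```python
import json

# Constructed sample audit records (AuditData JSON), not real log data.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "Add-MailboxFolderPermission", "UserId": "admin@example.com",
                "Parameters": [{"Name": "Identity", "Value": "coordinator@example.com:\\Inbox"},
                               {"Name": "User", "Value": "Default"},
                               {"Name": "AccessRights", "Value": "Reviewer"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "coordinator@example.com",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "collector@mail.invalid"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "staff@example.com",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]
TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

def _params(record):
    """Flatten the Parameters array into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def _external(address):
    return address.split("@")[-1].lower() not in TRUSTED_DOMAINS

def classify(record):
    """Return the reasons this record is suspicious (empty list if benign)."""
    op, p, reasons = record.get("Operation", ""), _params(record), []
    if op in ("Add-MailboxFolderPermission", "Set-MailboxFolderPermission"):
        # Rights for Default/Anonymous expose a folder to any authenticated user,
        # which lets an attacker read mail over EWS without the owner's credentials.
        if p.get("User", "").lower() in ("default", "anonymous") and p.get("AccessRights", "None") != "None":
            reasons.append(f"{p['User']} granted {p['AccessRights']} on {p.get('Identity')}")
    elif op in ("New-InboxRule", "Set-InboxRule"):
        # Forwarding rules to outside domains are the classic automated-collection setup.
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            if key in p and _external(p[key]):
                reasons.append(f"rule forwards to external address {p[key]}")
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("rule silently deletes messages")
    return reasons

def scan(lines):
    """Return (actor, operation, reason) tuples for every suspicious record."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        for reason in classify(rec):
            alerts.append((rec["UserId"], rec["Operation"], reason))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(" | ".join(alert))
```

In production the same logic would run over records exported with Search-UnifiedAuditLog, with the trusted-domain set taken from the tenant's accepted domains.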

Final Thoughts

APT28’s targeting of Western logistics and tech companies highlights the convergence of cyber and kinetic warfare. As global conflicts extend into cyberspace, the ability to safeguard digital infrastructure supporting humanitarian and defense efforts is not just a technical challenge—but a national security imperative.