Full Report
In a joint cybersecurity advisory issued today, U.S. and allied intelligence agencies confirmed what many threat analysts have long suspected: the Russian GRU military intelligence agency is systematically targeting the digital backbone of logistics and transportation providers across Europe and North America. The campaign, detailed in a 25-page report from the NSA, FBI, CISA, and partners from 10 countries, including the U.K., Australia, and Germany, spotlights a coordinated cyber espionage effort by GRU’s Unit 26165—more widely recognized in the threat intel world as APT28, Fancy Bear, or Forest Blizzard. Targets at the center of the campaign were freight operators, rail networks, air traffic systems, and cloud tech vendors—anyone with a role in getting military and humanitarian aid to Ukraine. Targets have included organizations in 14 countries, including IP cameras in Hungary, a Russian ally. Russian GRU Campaign Not Just Malware — Surveillance Too What stands out in the report is the scale and creativity of the GRU’s tactics. The hackers aren’t just hijacking email servers or pushing trojans. They’re hacking into IP cameras, too—10,000 of them, to be exact—mostly around Ukrainian borders, using weak credentials and exposed RTSP services to turn physical surveillance into digital eyes on the ground. [caption id="attachment_102935" align="aligncenter" width="265"] List of countries where IP cameras were targeted. (Source: defense.gov)[/caption] In parallel, GRU operators launched targeted intrusions on shipping and logistics companies, exploiting familiar weaknesses like unpatched Exchange servers, WinRAR bugs (CVE-2023-38831), and Outlook NTLM leaks (CVE-2023-23397). The aim was stealing shipment manifests, routing info, and sensitive business data that could tip off troop or equipment movement. The combination of shipping data theft and compromised video feeds likely gives attackers real-time visibility into what’s moving, where, and when. It’s tactical intelligence collection at enterprise scale. The GRU Malware Stack The HEADLACE backdoor, first reported by IBM X-Force during the Israel-Hamas conflict, was found embedded in malicious shortcut files. Once activated, it initiated headless browser sessions to exfiltrate stolen data, clear logs, and maintain access. Also read: Russian Hacker Group APT28 Launches HeadLace Malware via Fake Car Ads to Target Diplomats MASEPIE, a Python-based backdoor, offered remote shell access, file transfers, and command execution capabilities, often disguised as routine background processes. Another tool, STEELHOOK, enabled credential harvesting from browsers like Chrome and Edge by decrypting stored passwords using PowerShell-based techniques. The actors also employed LOLBins—legitimate system tools like ntdsutil, wevtutil, and ADExplorer—to evade detection and live off the land. In one case, GRU hackers gained control of an ICS vendor’s email platform, then pivoted to compromise customers in the railway sector. In another, they used stolen credentials and MFA fatigue techniques to access VPN infrastructure at a shipping company. What the Russian GRU Wants This isn’t a smash-and-grab ransomware operation. It’s long-term surveillance. The kind of campaign that’s designed to persist, quietly gather intelligence, and interfere only when necessary. And while the report doesn't explicitly name any targets by company, the industries hit hardest—logistics, transportation, and defense-adjacent vendors—are the same ones that move military hardware, humanitarian supplies, and critical infrastructure parts into conflict zones. The big concern? These compromised networks could give Russia a battlefield edge—intercepting aid, sabotaging supply lines, or simply watching to see how the West moves. How Companies Should Respond The advisory includes a laundry list of technical mitigations, including: Blocking known C2 infrastructure Hardening VPN and email access Reconfiguring exposed IP cameras Patching known exploited vulnerabilities (especially in Outlook, Exchange, and WinRAR) Monitoring PowerShell use and system tool abuse But there’s also a broader message: if you’re in the logistics or defense supply chain, and especially if you support Ukraine—even indirectly—you’re already a target. Organizations in these sectors should assume compromise and act accordingly, the advisory suggests. The Big Picture Russia’s digital playbook in Ukraine is evolving. While early campaigns relied on headline-grabbing wipers and power grid attacks, the new frontier is far more strategic—and far more subtle. What we’re seeing now is cyberwar as surveillance: fewer fireworks, more cameras. The GRU isn’t just breaking things—it’s watching, learning, and waiting. And for companies moving cargo or manufacturing gear with ties to conflict zones, that means cybersecurity is no longer just a compliance issue. It’s operational security. It’s national security.
Analysis Summary
# Threat Actor: Russian GRU Hackers
## Attribution & Identity
Attributed to the **Russian GRU** (Main Intelligence Directorate). No specific known aliases or associated groups are detailed, but the actor is associated with state-sponsored intelligence operations targeting Western interests related to the conflict in Ukraine.
## Activity Summary
The actor is actively engaged in hacking **IP Cameras and Logistics Firms** to conduct espionage related to **aid deliveries from Western Allies to Ukraine**. The objective is to gain a battlefield edge by intercepting aid information, potentially sabotaging supply lines, or monitoring the movement of military and humanitarian supplies into conflict zones. This activity represents an evolution in Russia's digital playbook, shifting towards subtle surveillance rather than large-scale disruptive attacks.
## Tactics, Techniques & Procedures
- Hacking/Compromising **IP Cameras**.
- Targeting systems within **logistics, transportation, and defense-adjacent vendor** networks.
- Cyberwarfare conducted as **surveillance**.
- Monitoring and learning to anticipate Western movements.
- Exploiting known vulnerabilities (specifically mentioned patching needed for **Outlook, Exchange, and WinRAR**).
- Use of **PowerShell** and **system tool abuse**.
- Targeting **VPN and email access** for initial compromise or persistence.
## Targeting
- Sectors: **Logistics, Transportation, Defense-adjacent vendors, and critical infrastructure support.**
- Geography: Implied targeting of organizations supporting movements *into conflict zones* (related to Ukraine, suggesting global reach for supply chain actors).
- Victims: Organizations moving military hardware, humanitarian supplies, and critical infrastructure parts that support Ukraine. No specific company names are mentioned.
## Tools & Infrastructure
- Malware families used: **Not explicitly detailed.**
- Infrastructure (C2, domains, IPs): **Known C2 infrastructure** needs to be blocked, but specifics are not listed in the summary.
## Implications
The activity signifies a strategic shift by the GRU towards precise, intelligence-gathering operations focused on the **Ukraine conflict supply chain**. This moves cyber activity from general disruption to **operational security and national security** concerns for targeted businesses, as compromised networks could directly impact military/aid movements.
## Mitigations
- Blocking known C2 infrastructure.
- Hardening **VPN and email access**.
- **Reconfiguring exposed IP cameras.**
- Patching known exploited vulnerabilities (especially in **Outlook, Exchange, and WinRAR**).
- Monitoring **PowerShell use and system tool abuse.**
- Organizations in the logistics/defense supply chain supporting Ukraine should **assume compromise** and act accordingly.