# Full Report
A state-sponsored campaign targeting Western logistics entities and technology companies since 2022 has been attributed to Russian cyber threat actors. The activity is assessed to be orchestrated by APT28 (also tracked as BlueDelta, Fancy Bear, and Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165.
# Analysis Summary
# Threat Actor: APT28 (BlueDelta, Fancy Bear, Forest Blizzard)
## Attribution & Identity
Attributed to a state-sponsored campaign orchestrated by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165.
## Activity Summary
- Targeting Western logistics entities and technology companies since 2022, with a focus on organizations involved in coordinating, transporting, and delivering foreign assistance to Ukraine.
- Linked to a cyber-espionage campaign whose TTPs overlap with broader targeting of IP cameras in Ukraine and bordering NATO nations.
- Accused by France of a campaign since 2021 targeting ministries, defense firms, research entities, and think tanks.
- Associated with **Operation RoundPress** (ongoing since 2023), exploiting XSS vulnerabilities in webmail services (Roundcube, Horde, MDaemon, Zimbra) and targeting governmental entities and defense companies in Eastern Europe, as well as governments in Africa, Europe, and South America.
- Observed targeting internet-connected cameras at Ukrainian border crossings to monitor aid shipments.
## Tactics, Techniques & Procedures
- **Initial Access:**
  - Brute-force attacks to guess credentials.
  - Spear-phishing with fake login pages (impersonating government agencies or cloud providers) hosted on free services or compromised small office/home office (SOHO) devices to harvest credentials.
  - Spear-phishing to deliver malware.
  - Exploitation of the Microsoft Outlook NTLM vulnerability ([CVE-2023-23397](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23397)).
  - Exploitation of Roundcube vulnerabilities ([CVE-2020-12641](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12641), [CVE-2020-35730](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35730), [CVE-2021-44026](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44026)).
  - Exploitation of internet-facing infrastructure, including VPNs, using public vulnerabilities and SQL injection.
  - Exploitation of the WinRAR vulnerability ([CVE-2023-38831](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38831)).
- **Post-Exploitation & Lateral Movement:**
  - Password spraying and spear-phishing.
  - Modifying Microsoft Exchange mailbox permissions for sustained espionage access.
  - Using Impacket, PsExec, and Remote Desktop Protocol (RDP).
  - Using Certipy and ADExplorer.exe to exfiltrate Active Directory information.
- **Exfiltration:**
  - Locating and exfiltrating lists of Office 365 users and setting up sustained email collection.
  - Using PowerShell commands to create ZIP archives for upload.
  - Using Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) for email harvesting.
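The password spraying, Impacket/PsExec/RDP lateral movement, and PowerShell archive staging listed above leave characteristic traces in Windows event logs, which is also what the monitoring recommendation in the mitigations relies on. The following is an added example, not part of the original report, of detection logic a defender might run over normalised event records. The events, host names, addresses, account names and the RDP jump-host allow-list are constructed for the example; the command-line patterns are the publicly documented output-redirection shapes of Impacket's wmiexec and smbexec modules, and the spray threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events (not from a real incident), shaped like normalised
# Windows event log records as a SIEM would present them.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Security 4688: benign process creation on a workstation.
    {"Channel": "Security", "EventID": "4688", "Host": "WS01",
     "CommandLine": 'C:\\Windows\\System32\\notepad.exe C:\\Users\\a\\notes.txt'},
    # System 7045: PsExec registers its PSEXESVC service on the target host.
    {"Channel": "System", "EventID": "7045", "Host": "FS02",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    # Security 4688: output redirected to ADMIN$\__<timestamp>, the wmiexec shape.
    {"Channel": "Security", "EventID": "4688", "Host": "FS02",
     "CommandLine": 'cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1716300000.12 2>&1'},
    # Security 4688: batch file writing to C$\__output, the smbexec shape.
    {"Channel": "Security", "EventID": "4688", "Host": "DC01",
     "CommandLine": '%COMSPEC% /Q /c echo dir ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 '
                    '> %TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat'},
    # PowerShell 4104: script block zipping an export directory for upload.
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": "4104",
     "Host": "WS07", "ScriptBlockText": "Compress-Archive -Path C:\\Users\\Public\\export\\* "
                                        "-DestinationPath C:\\Users\\Public\\out.zip"},
    # Security 4624: RDP (logon type 10) from an address that is not a jump host.
    {"Channel": "Security", "EventID": "4624", "Host": "FS02",
     "LogonType": "10", "IpAddress": "10.40.8.23", "TargetUserName": "svc_backup"},
    # Security 4624: RDP from the approved jump host (should not alert).
    {"Channel": "Security", "EventID": "4624", "Host": "FS02",
     "LogonType": "10", "IpAddress": "10.0.250.5", "TargetUserName": "admin.jdoe"},
]
# Security 4625: one failed logon per distinct account from one source, the spray shape.
SAMPLE_EVENTS += [
    {"Channel": "Security", "EventID": "4625", "Host": "DC01",
     "IpAddress": "203.0.113.7", "TargetUserName": u}
    for u in ("a.smith", "b.jones", "c.lee", "d.wong", "e.khan", "f.ortiz")
]

# Assumed allow-list of hosts permitted to originate RDP sessions (constructed).
RDP_JUMP_HOSTS = {"10.0.250.5"}
# Assumed threshold: distinct accounts failing from one source before we call it a spray.
SPRAY_DISTINCT_ACCOUNTS = 5

WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)
SMBEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output", re.I)
ARCHIVE_CMDLET = re.compile(r"Compress-Archive|ZipFile\]::CreateFromDirectory", re.I)


def classify(event: Dict[str, str]) -> List[str]:
    """Per-event rules: return the names of every rule the event matches."""
    hits: List[str] = []
    eid = event.get("EventID")
    if eid == "7045":
        svc = (event.get("ServiceName", "") + event.get("ImagePath", "")).lower()
        if "psexesvc" in svc:
            hits.append("psexec_service_install")
    elif eid == "4688":
        cmd = event.get("CommandLine", "")
        if WMIEXEC_REDIRECT.search(cmd):
            hits.append("impacket_wmiexec_cmdline")
        if SMBEXEC_REDIRECT.search(cmd):
            hits.append("impacket_smbexec_cmdline")
    elif eid == "4104" and ARCHIVE_CMDLET.search(event.get("ScriptBlockText", "")):
        hits.append("powershell_archive_staging")
    elif (eid == "4624" and event.get("LogonType") == "10"
          and event.get("IpAddress") not in RDP_JUMP_HOSTS):
        hits.append("rdp_logon_from_unapproved_source")
    return hits


def detect_spray(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Aggregate rule: sources whose failed logons span many distinct accounts."""
    accounts = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == "4625":
            accounts[ev.get("IpAddress", "")].add(ev.get("TargetUserName", ""))
    return [(ip, len(users)) for ip, users in accounts.items()
            if len(users) >= SPRAY_DISTINCT_ACCOUNTS]


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run all rules; return (host or source address, rule) pairs in log order."""
    alerts = [(ev["Host"], rule) for ev in events for rule in classify(ev)]
    alerts += [(ip, "password_spray_%d_accounts" % n) for ip, n in detect_spray(events)]
    return alerts


if __name__ == "__main__":
    for where, rule in scan(SAMPLE_EVENTS):
        print(where, rule)
```

The per-event rules are cheap enough to run inline; the spray rule needs a window of events, so in a real pipeline it would run over a time bucket (for example, 4625 events per source per 30 minutes) rather than the whole sample at once.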
## Targeting
- Sectors: Logistics, Technology Companies, Defense Firms, Research Entities, Think Tanks, Transportation, Maritime, Air Traffic Management, IT Services, Ministries.
- Geography: Western entities, NATO member states, Ukraine, Eastern Europe, Africa, South America.
- Victims: Dozens of entities across Bulgaria, Czechia, France, Germany, Greece, Italy, Moldova, Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States.
## Tools & Infrastructure
- Malware families used: HeadLace, MASEPIE.
- Other tools: Impacket, PsExec, RDP, Certipy, ADExplorer.exe.
- Infrastructure context (separate campaign mentioned): Leveraging Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage for hosting fake reCAPTCHA pages (ClickFix lures).
## Implications
This actor is highly persistent and strategically motivated, linking its cyber espionage directly to geopolitical conflicts (aid for Ukraine). The breadth of initial access techniques indicates a high level of operational security and resource allocation, enabling deep penetration across critical infrastructure sectors in NATO nations. The focus on mail access modification suggests long-term intelligence gathering objectives.
## Mitigations
- Harden initial access vectors by enforcing strong multi-factor authentication (MFA) across all services, especially email and VPNs.
- Patch and monitor for exploitation of listed vulnerabilities (CVE-2023-23397, Roundcube CVEs, CVE-2023-38831).
- Review and audit Microsoft Exchange mailbox permissions regularly, specifically looking for unauthorized access or changes made by external or service accounts.
- Monitor for the use of known tools like Impacket and PsExec, and suspicious lateral movement activity utilizing RDP.
- Implement security training focusing on spear-phishing and credential harvesting attempts disguised as legitimate login pages.
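The mailbox-permission modifications described under post-exploitation, and the audit of those permissions recommended above, can be checked against the Exchange admin audit trail. The following is an added example, not part of the original report: a Python pass over records shaped like the AuditData JSON that Exchange admin entries carry in a Microsoft 365 unified audit log export (for instance from `Search-UnifiedAuditLog -RecordType ExchangeAdmin`). The records, tenant and account names, and the approved-administrator allow-list are constructed for the example; the three rules (a permission change by an actor outside the allow-list, an actor granting themselves access, and folder access granted to the Default or Anonymous principal) are this example's own heuristics.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: one record per line, shaped like the AuditData JSON of
# Exchange admin audit entries in a unified audit log export. Not real data.
SAMPLE_AUDIT_JSONL = r"""
{"CreationTime": "2025-05-20T02:14:09", "Operation": "Add-MailboxPermission", "UserId": "svc-helpdesk@corp.example", "ObjectId": "corp.example/Users/cfo", "Parameters": [{"Name": "Identity", "Value": "cfo"}, {"Name": "User", "Value": "svc-helpdesk@corp.example"}, {"Name": "AccessRights", "Value": "FullAccess"}]}
{"CreationTime": "2025-05-20T10:02:41", "Operation": "Add-MailboxPermission", "UserId": "exch-admin@corp.example", "ObjectId": "corp.example/Users/shared-logistics", "Parameters": [{"Name": "Identity", "Value": "shared-logistics"}, {"Name": "User", "Value": "ops-team@corp.example"}, {"Name": "AccessRights", "Value": "FullAccess"}]}
{"CreationTime": "2025-05-21T03:30:12", "Operation": "Set-MailboxFolderPermission", "UserId": "svc-helpdesk@corp.example", "ObjectId": "corp.example/Users/cfo", "Parameters": [{"Name": "Identity", "Value": "cfo:\\Inbox"}, {"Name": "User", "Value": "Default"}, {"Name": "AccessRights", "Value": "Reviewer"}]}
{"CreationTime": "2025-05-21T09:00:00", "Operation": "Set-Mailbox", "UserId": "exch-admin@corp.example", "ObjectId": "corp.example/Users/cfo", "Parameters": [{"Name": "Identity", "Value": "cfo"}, {"Name": "ProhibitSendQuota", "Value": "50 GB"}]}
"""

# Assumed allow-list of identities permitted to change mailbox permissions (constructed).
APPROVED_ADMINS = {"exch-admin@corp.example"}

# Cmdlets that grant or alter access to another user's mailbox or its folders.
PERMISSION_OPS = {
    "Add-MailboxPermission", "Set-MailboxPermission",
    "Add-MailboxFolderPermission", "Set-MailboxFolderPermission",
}


def parse_records(jsonl: str) -> List[Dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def param(record: Dict, name: str) -> str:
    """Look up a cmdlet parameter value from the record's Parameters array."""
    for p in record.get("Parameters", []):
        if p.get("Name") == name:
            return str(p.get("Value", ""))
    return ""


def review(record: Dict) -> List[str]:
    """Return the reasons a permission change deserves a closer look (empty if none)."""
    reasons: List[str] = []
    if record.get("Operation") not in PERMISSION_OPS:
        return reasons
    actor = record.get("UserId", "").lower()
    grantee = param(record, "User").lower()
    rights = param(record, "AccessRights")
    if actor not in APPROVED_ADMINS:
        reasons.append("unapproved_actor")
    if grantee and grantee == actor:
        reasons.append("self_grant")
    # Default/Anonymous with anything above None opens the folder to every mailbox user.
    if grantee in {"default", "anonymous"} and rights.lower() != "none":
        reasons.append("default_or_anonymous_access")
    return reasons


def audit(records: List[Dict]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (time, operation, mailbox, reasons) for every flagged record."""
    findings = []
    for r in records:
        reasons = review(r)
        if reasons:
            findings.append((r["CreationTime"], r["Operation"], r["ObjectId"], reasons))
    return findings


if __name__ == "__main__":
    for when, op, mailbox, why in audit(parse_records(SAMPLE_AUDIT_JSONL)):
        print(when, op, mailbox, ", ".join(why))
```

The second record (a FullAccess grant to a team on a shared mailbox, made by an approved administrator) is deliberately left unflagged to show the baseline; whether such grants should also be reviewed depends on the organisation's delegation policy, which the allow-list stands in for here.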