NSA, NCSC and allies warn Western tech and logistics firms of Russian APT28 cyber-espionage threat
Analysis Summary
# Threat Actor: APT28 (Fancy Bear, Pawn Storm, Sednit, Sofacy, Iron Twilight)
## Attribution & Identity
The threat actor is identified as **APT28**, a Russian state-backed cyber-espionage group believed to hail from the **GRU’s military unit 26165**.
**Known Aliases/Associations:** Fancy Bear, Pawn Storm, Sednit, Sofacy, Iron Twilight.
## Activity Summary
Dozens of Western logistics and technology firms have been targeted over the past two years in a cyber-espionage campaign. These companies are involved in delivering aid to Ukraine. The group also conducted reconnaissance on at least one entity involved in the production of Industrial Control System (ICS) components for railway management, although a successful compromise was not confirmed for this target.
## Tactics, Techniques & Procedures
- Credential guessing/brute force.
- Spear phishing for credentials.
- Spear phishing delivering malware.
- Exploitation of the Outlook NTLM vulnerability (**CVE-2023-23397**).
- Exploitation of Roundcube vulnerabilities (**CVE-2020-12641**, **CVE-2020-35730**, **CVE-2021-44026**).
- Exploitation of internet-facing infrastructure, including corporate VPNs, via phishing (the source text describing the specific mechanism is truncated after "possibly via Pu", so the exact vulnerability chain is not stated here).
## Targeting
- **Sectors:** Logistics, Technology, Defense, IT services, maritime, airports, ports, and air traffic management systems. Also reconnaissance against Industrial Control System (ICS) component production for railway management.
- **Geography:** US and European countries.
- **Victims:** Unnamed Western logistics and tech firms delivering aid to Ukraine.
## Tools & Infrastructure
- **Malware families used:** Not named in the source text; only the initial-access TTPs listed above are described.
- **Infrastructure (C2, domains, IPs):** No indicators are provided in the source text.
## Implications
APT28 continues to actively target organizations supporting Ukraine, specifically focusing on the supply chain (logistics and tech) critical to aid efforts. The targeting of ICS component producers suggests a potential interest in disrupting key infrastructure beyond direct logistics services. The consistent use of high-profile known vulnerabilities (like CVE-2023-23397) indicates active exploitation campaigns against unpatched environments.
## Mitigations
- Implement rigorous security for corporate VPNs and internet-facing infrastructure.
- Patch internet-facing services, in particular the Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026) and the Outlook NTLM vulnerability (CVE-2023-23397).
- Enhance defenses against sophisticated spear phishing campaigns aimed at harvesting credentials.
- Implement protective measures against credential guessing/brute force attacks.
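One check a defender can run for the CVE-2023-23397 item above, added here as an example rather than anything from the advisory: it scans extracted message properties for a reminder file path (PidLidReminderFileParameter) that points at a UNC host outside the organisation, which is the property that vulnerability abuses to make Outlook send NTLM authentication to an attacker-chosen share. The message records, the property-dump source and the internal host allowlist are constructed assumptions.

```python
"""Flag mail items carrying the CVE-2023-23397 trigger: a reminder sound path
(PidLidReminderFileParameter) that points at a UNC share outside the org.
Message records below are constructed sample data; in practice they would
come from a mailbox export or MAPI property dump (hypothetical source)."""
import re

# Assumption: the organisation's own file servers. Any other UNC host in a
# reminder path is treated as a possible NTLM-leak trigger.
INTERNAL_HOSTS = {"fs01.corp.example", "fs02.corp.example"}

# Matches \\host\share, \\host@80\path (WebDAV) and \\host@SSL@443\path forms.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?:@[^\\]*)?(?:\\|$)")

def unc_host(path):
    """Return the lower-cased host named in a UNC path, or None otherwise."""
    m = UNC_RE.match(path or "")
    return m.group("host").lower() if m else None

def is_suspicious_reminder(props):
    """True when the reminder file would make Outlook reach a foreign host."""
    host = unc_host(props.get("PidLidReminderFileParameter"))
    return host is not None and host not in INTERNAL_HOSTS

def triage(messages):
    """Return (message id, host) pairs for every message that trips the check."""
    return [(m["id"], unc_host(m["PidLidReminderFileParameter"]))
            for m in messages if is_suspicious_reminder(m)]

# Constructed sample records (property names as in a MAPI dump).
SAMPLE_MESSAGES = [
    {"id": "msg-001", "PidLidReminderFileParameter": r"\\fs01.corp.example\sounds\ding.wav"},
    {"id": "msg-002", "PidLidReminderFileParameter": r"\\203.0.113.10\s\a.wav"},
    {"id": "msg-003", "PidLidReminderFileParameter": r"\\attacker.example@80\dav\x.wav"},
    {"id": "msg-004"},  # no reminder property at all
    {"id": "msg-005", "PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},
]

if __name__ == "__main__":
    for msg_id, host in triage(SAMPLE_MESSAGES):
        print(f"{msg_id}: reminder path reaches external host {host}")
```

Local paths and allowlisted internal shares are ignored; hits should be treated as candidates for removal from the mailbox and for checking outbound SMB/WebDAV connections to the named host.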