UK Exposes Russian Cyber Campaign Targeting Support for Ukraine

The UK has exposed a "malicious cyber campaign" targeting multiple organisations, including those involved in delivering foreign assistance to Ukraine. A joint investigation with allies including the US, Germany and France revealed that a Russian military unit had been targeting both public and private organisations since 2022.

These include organisations involved in supplying defence, IT services, and logistics support. The security bodies of 10 Nato countries and Australia said Russian spies had used a combination of hacking techniques to gain access to networks. Some of the targets were internet-connected cameras at Ukrainian borders which monitored aid shipments going into the country.

According to the report, a rough estimate of 10,000 cameras were accessed near "military installations, and rail stations, to track the movement of materials into Ukraine." The actors also used legitimate municipal services, such as traffic cams. This suggests that Russian spies were not only trying to gather intelligence but also disrupt aid shipments.

The Russian military unit blamed for the espionage is called GRU Unit 26165 but goes by a number of informal names, including Fancy Bear. The notorious hacking team is known to have previously leaked World Anti-Doping Agency data and played a key role in the 2016 cyber-attack on the US's Democratic National Committee.

"This malicious campaign by Russia's military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine," said Paul Chichester, NCSC Director of Operations. "We strongly encourage organisations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks."

Anyone involved in moving goods into Ukraine "should consider themselves targeted" by Russian military intelligence, John Hultquist, chief analyst at Google Threat Intelligence Group said. "Beyond the interest in identifying support to the battlefield, there is an interest in disrupting that support through either physical or cyber means," he added.

The joint cyber-security advisory said Fancy Bear had targeted organisations linked to critical infrastructure including ports, airports, air traffic management and the defence industry. These were in 12 mainland European countries and the US. The hackers used a combination of techniques to gain access, including guessing passwords. Another method used is called spearphishing, where fake emails are targeted at specific people who have access to systems.

They are presented with a fake page where they enter their login details, or encouraged to click a link which then installs malicious software. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes.

A vulnerability in Microsoft Outlook was also exploited to collect credentials "via specially crafted Outlook calendar appointment invitations". These kinds of techniques have been "a staple tactic of this group for over a decade", Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit said.

Camera access would assist in the understanding of what goods were being transported, when, in what volumes and support kinetic [weapons] targeting. The hackers also infiltrated industrial control systems where they would be able to "steal important intellectual property and insights for espionage, or position themselves for disruptive attacks".