UK Exposes Russian Cyber Campaign Targeting Support for Ukraine

The United Kingdom has exposed a sophisticated cyber campaign targeting multiple organizations involved in delivering foreign assistance to Ukraine. A joint investigation with allies including the US, Germany, and France revealed that a Russian military unit had been behind this malicious operation since 2022.

According to the UK's National Cyber Security Centre (NCSC), this cyber campaign used a combination of hacking techniques to gain access to networks in public and private organizations, including those supplying defense, IT services, and logistics support. The security bodies of 10 NATO countries and Australia also confirmed that Russian spies had been using these techniques to breach their systems.

Some of the targets included internet-connected cameras at Ukrainian borders, which monitored aid shipments entering the country. In total, it's estimated that around 10,000 cameras were accessed near military installations and rail stations to track the movement of materials into Ukraine. The hackers also used legitimate municipal services, such as traffic cams.

The Russian military unit blamed for this espionage is called GRU Unit 26165, but it's more commonly known by its informal name, Fancy Bear. This notorious hacking team has a history of leaks and cyber-attacks, including the 2016 breach of the US's Democratic National Committee.

"This malicious campaign by Russia's military intelligence service presents a serious risk to targeted organizations, including those involved in delivering assistance to Ukraine," said Paul Chichester, NCSC Director of Operations. "We strongly encourage organizations to familiarize themselves with the threat and mitigation advice included in the advisory to help defend their networks."

Anyone involved in moving goods into Ukraine should consider themselves targeted by Russian military intelligence, according to John Hultquist, chief analyst at Google Threat Intelligence Group. These incidents could be precursors to other serious actions.

The hackers used a combination of techniques to gain access, including guessing passwords and spearphishing. The latter involves sending fake emails to specific people who have access to systems. Recipients are presented with a fake page where they enter their login details, or are led to click on a link that installs malicious software.

A vulnerability in Microsoft Outlook was also exploited to collect credentials via specially crafted Outlook calendar appointment invitations. These kinds of techniques have been a staple tactic of this group for over a decade, according to Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit.

"Accessing these cameras would assist in understanding what goods were being transported, when, in what volumes, and support kinetic [weapons] targeting," said Rafe Pilling. This kind of access could potentially allow the hackers to steal important intellectual property and insights for espionage or position themselves for disruptive attacks.

Cyber security firm Dragos told the BBC that it had been tracking hacking activity linked to the campaign reported by the NCSC. Its CEO, Robert M. Lee, stated that the hackers it followed were not only interested in gaining a foothold in corporate computer networks but also infiltrated industrial control systems to steal valuable information and position themselves for disruptive attacks.

In conclusion, this malicious cyber campaign by Russia's military intelligence service poses a significant threat to organizations involved in delivering foreign assistance to Ukraine. It highlights the importance of cybersecurity awareness and mitigation measures to protect against such threats.