Russian Hackers Breach Orgs to Track Aid Routes to Ukraine
Russian state-sponsored hackers have been targeting international organizations since 2022 to track and disrupt the flow of aid into Ukraine. The activity is attributed to APT28 (also tracked as Fancy Bear and Forest Blizzard), which has compromised organizations in the defense, transportation, IT services, air traffic, and maritime sectors across 12 European countries and the United States.
Scope of the Campaign
The campaign has targeted multiple organizations, with a focus on those involved in the defense, transportation, and logistics sectors. The hackers have also been tracking the movement of materials into Ukraine by compromising access to private cameras installed in key locations such as border crossings, military installations, rail stations, and other critical infrastructure.
Methods Used
The APT28 threat actor has employed a range of tactics, techniques, and procedures (TTPs) to compromise these organizations. These include:
* Password spraying
* Spear-phishing
* Exploitation of Microsoft Exchange vulnerabilities
* Compromising small office/home office (SOHO) devices to route attacker traffic through infrastructure near the target
* Reconnaissance of internal contacts and follow-on targets
* Use of native commands and open-source tools for lateral movement and data extraction
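Password spraying, the first technique on that list, looks different in authentication logs from a classic brute-force attack: one source produces failed logons across many distinct accounts with only one or two attempts per account, which keeps it under per-account lockout thresholds. The script below is an added example written for this article, not code from the article or from the joint advisory. It classifies sources in a small set of constructed logon records as a spray or a brute force and highlights any successful logon from a spraying source, which is the event to triage first. The log format (timestamp, source IP, username, result) and the thresholds are assumptions.

```python
"""Classify password spraying vs brute force in logon records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source (203.0.113.7) trying many users
# once each and getting one success, one user mistyping their own
# password (192.0.2.10), and one brute-force source hammering a single
# service account (198.51.100.5). Field layout is an assumption.
SAMPLE_LOG = """\
2025-05-20T08:00:01Z 203.0.113.7 alice FAIL
2025-05-20T08:00:03Z 203.0.113.7 bob FAIL
2025-05-20T08:00:05Z 203.0.113.7 carol FAIL
2025-05-20T08:00:07Z 203.0.113.7 dave FAIL
2025-05-20T08:00:09Z 203.0.113.7 erin FAIL
2025-05-20T08:00:11Z 203.0.113.7 frank FAIL
2025-05-20T08:00:13Z 203.0.113.7 grace FAIL
2025-05-20T08:00:15Z 203.0.113.7 heidi FAIL
2025-05-20T08:00:17Z 203.0.113.7 ivan OK
2025-05-20T08:05:00Z 192.0.2.10 alice FAIL
2025-05-20T08:05:20Z 192.0.2.10 alice FAIL
2025-05-20T08:05:45Z 192.0.2.10 alice OK
2025-05-20T08:10:00Z 198.51.100.5 svc_backup FAIL
2025-05-20T08:10:05Z 198.51.100.5 svc_backup FAIL
2025-05-20T08:10:10Z 198.51.100.5 svc_backup FAIL
2025-05-20T08:10:15Z 198.51.100.5 svc_backup FAIL
2025-05-20T08:10:20Z 198.51.100.5 svc_backup FAIL
2025-05-20T08:10:25Z 198.51.100.5 svc_backup FAIL
"""


def parse(text):
    """Parse 'timestamp src_ip username result' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       src, user, result))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_users=5,
                     max_per_user=2, brute_threshold=5):
    """Return {src_ip: alert} for sources whose failures inside any sliding
    `window` look like a spray (many users, few tries each) or a brute
    force (one user, many tries). Thresholds are assumptions to tune."""
    fails = defaultdict(list)      # src -> [(ts, user)]
    successes = defaultdict(set)   # src -> {user}
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
        elif result == "OK":
            successes[src].add(user)

    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward so it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                label = "password spray"
            elif max(per_user.values()) >= brute_threshold:
                label = "brute force"
            else:
                continue  # normal failed logons, e.g. a user mistyping
            alerts[src] = {
                "label": label,
                "distinct_users": len(per_user),
                "failures": sum(per_user.values()),
                # A success from a spraying host means a password landed.
                "successful_logons": sorted(successes[src]),
            }
    return alerts


if __name__ == "__main__":
    for src, alert in classify_sources(parse(SAMPLE_LOG)).items():
        print(src, alert)
```

The distinction matters operationally: a per-account lockout policy stops the brute-force source but not the spray, so the detection has to pivot on the source rather than the account, and a spraying source that also records a success should be treated as a confirmed credential compromise rather than noise.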
Stealthy Exfiltration Methods
The hackers exfiltrated data using both living-off-the-land (LOtL) binaries and malware. To stay under the radar they relied on infrastructure geographically close to the victim, moved data over trusted and legitimate protocols, and spaced exfiltration sessions out over time rather than pulling everything at once.
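Exfiltration over trusted protocols, through nearby infrastructure, in sessions spread over hours defeats the usual controls: port or destination reputation does not trip, and no single transfer is large enough to hit a per-session size alert. One way to catch it is to aggregate outbound bytes per host and destination over a long window and compare each destination against that host's own typical per-destination volume. The script below is an added example written for this article, not code from the article or the joint advisory; the flow records (timestamp, host, destination, port, bytes out) are constructed, and the field layout, 24-hour bucketing, and ratio threshold are assumptions.

```python
"""Flag low-and-slow exfiltration by per-host volume baselining (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed flows for one day. ws-17 sends roughly 4 MB to one external
# host four times over 18 hours, each session under a 5 MB per-session
# limit, alongside ordinary sub-1 MB sessions to other destinations.
SAMPLE_FLOWS = """\
2025-05-20T01:10:00Z ws-17 198.51.100.23 443 4200000
2025-05-20T06:40:00Z ws-17 198.51.100.23 443 3900000
2025-05-20T13:05:00Z ws-17 198.51.100.23 443 4100000
2025-05-20T19:50:00Z ws-17 198.51.100.23 443 4300000
2025-05-20T09:00:00Z ws-17 203.0.113.10 443 800000
2025-05-20T11:30:00Z ws-17 203.0.113.44 443 650000
2025-05-20T15:00:00Z ws-17 203.0.113.80 443 700000
2025-05-20T16:20:00Z ws-17 203.0.113.12 443 900000
2025-05-20T10:00:00Z ws-22 203.0.113.10 443 750000
2025-05-20T14:00:00Z ws-22 203.0.113.44 443 820000
"""


def parse_flows(text):
    """Parse 'timestamp host dst port bytes_out' lines into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                      host, dst, int(port), int(nbytes)))
    return flows


def find_slow_exfil(flows, ratio=10.0, min_sessions=2, per_session_limit=5_000_000):
    """Return alerts for (host, dst) pairs whose daily outbound total is at
    least `ratio` times the host's median per-destination total that day.
    Thresholds are assumptions; tune them against real traffic."""
    # (day, host) -> dst -> [(ts, bytes_out)]
    buckets = defaultdict(lambda: defaultdict(list))
    for ts, host, dst, port, nbytes in flows:
        buckets[(ts.date(), host)][dst].append((ts, nbytes))

    alerts = []
    for (day, host), per_dst in buckets.items():
        totals = {dst: sum(b for _, b in sess) for dst, sess in per_dst.items()}
        if len(totals) < 3:
            continue  # too few destinations to form a per-host baseline
        baseline = median(totals.values())
        for dst, total in totals.items():
            sessions = sorted(per_dst[dst])
            if len(sessions) < min_sessions or total < ratio * baseline:
                continue
            gaps_h = [(b[0] - a[0]).total_seconds() / 3600
                      for a, b in zip(sessions, sessions[1:])]
            max_session = max(b for _, b in sessions)
            alerts.append({
                "day": str(day),
                "host": host,
                "dst": dst,
                "total_bytes": total,
                "baseline_bytes": baseline,
                "sessions": len(sessions),
                "max_session_bytes": max_session,
                "min_gap_hours": min(gaps_h),
                # Would a naive per-session size alert have fired at all?
                "flagged_by_session_limit": max_session > per_session_limit,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_slow_exfil(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

In the sample, the flagged pair never exceeds the per-session limit and the sessions are more than five hours apart, which is exactly the pattern a session-based rule misses; only the aggregated daily total against the host's own baseline stands out. The same logic generalizes to longer windows when the actor spaces sessions across days.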
Camera Feed Hacking
One part of the espionage campaign involves hacking camera feeds to monitor the movement of materials into Ukraine. The hackers targeted over 10,000 cameras, with more than 80% located in Ukraine, followed by almost a thousand in Romania.
Warning from Experts
According to John Hultquist, Google Threat Intelligence Group chief analyst, "The threat actor's goal is also to disrupt support through either physical or cyber means." This warning should be taken seriously by anyone involved in the process of sending material aid to Ukraine, as they may be targeted.
Joint Cybersecurity Advisory
A joint advisory from 21 intelligence and cybersecurity agencies shares the tactics, techniques, and procedures used by APT28. The report includes general security mitigations, detections, indicators of compromise for scripts and utilities used, email providers commonly used by the threat actor, malicious archive filenames, IP addresses, and Outlook exploitation details.
Conclusion
The Russian state-sponsored cyberespionage campaign attributed to APT28 shows how exposed the organizations that move aid into Ukraine, and the defense, transport, IT, and logistics providers that serve them, are to a determined state actor. Those organizations should assume they are in scope, review their exposure to the techniques described above, and work through the mitigations and detections in the joint advisory.