Market Impact: 0.4

Russian Hackers Exploit Email and VPN Vulnerabilities to Spy on Ukraine Aid Logistics

Tickers: MSFT, OCI
Topics: Geopolitics & War, Technology & Innovation, Cybersecurity & Data Privacy, Sanctions & Export Controls, Transportation & Logistics, Infrastructure & Defense

A joint advisory from multiple Western intelligence agencies has attributed a cyber espionage campaign targeting Western logistics and technology companies since 2022 to APT28, a Russian GRU-linked group. The campaign, aimed at entities involved in coordinating aid to Ukraine, utilizes tactics like password spraying, spear-phishing, and exploiting Microsoft Exchange vulnerabilities to gain access and exfiltrate sensitive information, including email communications and user data from organizations within NATO member states and Ukraine.

Analysis

A coordinated cyber espionage campaign, attributed to the Russian GRU-linked group APT28 (also known as Fancy Bear or Forest Blizzard), has been actively targeting Western logistics entities and technology companies since 2022. This assessment, detailed in a joint advisory from intelligence agencies across eleven Western nations, highlights the campaign's focus on organizations involved in the transport and delivery of foreign assistance to Ukraine. Dozens of entities across NATO member states and Ukraine, particularly within defense, transportation, maritime, air traffic management, and IT services, are reported targets.

Initial access relies on password spraying, spear-phishing with fake login pages impersonating government agencies and cloud email providers, and exploitation of known vulnerabilities: CVE-2023-23397, an NTLM credential-leak flaw in Microsoft Outlook; several Roundcube webmail vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026); and the WinRAR vulnerability CVE-2023-38831. The primary objective appears to be espionage: the attackers modify Microsoft Exchange mailbox permissions for sustained email collection and exfiltrate sensitive data, including Office 365 user lists. Post-exploitation activity involves reconnaissance, lateral movement using tools such as Impacket and PsExec, and data exfiltration via PowerShell commands or protocols such as EWS and IMAP.

The campaign's expansion is explicitly linked to Russia's military objectives in Ukraine and the Western aid response, including the targeting of internet-connected cameras at Ukrainian border crossings. Recent developments also indicate that Russian threat actors are using cloud object storage services, including Oracle Cloud Infrastructure (OCI) Object Storage, to host fake reCAPTCHA pages that distribute malware such as Lumma Stealer.
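As an added defensive illustration (not part of the advisory or of this article), the following Python runs two simple detections over constructed sample events for behaviours described above: a password spray (many distinct accounts failing from one source address within a short window, with any later success from that same source flagged for review) and Exchange mailbox-access changes of the kind used for sustained email collection (FullAccess delegations and inbox rules that forward or redirect mail). The record format, field names, cmdlet list and thresholds are assumptions modelled loosely on Exchange Online admin-audit and sign-in logs, not the advisory's own data.

```python
"""Toy detections for password spraying and mailbox-access changes.
All events below are constructed for illustration; field names are assumptions."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (one JSON object per line, not real data).
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:00:01Z","type":"signin","user":"alice@corp.example","ip":"203.0.113.5","result":"failure"}
{"ts":"2024-03-01T09:00:07Z","type":"signin","user":"bob@corp.example","ip":"203.0.113.5","result":"failure"}
{"ts":"2024-03-01T09:00:15Z","type":"signin","user":"carol@corp.example","ip":"203.0.113.5","result":"failure"}
{"ts":"2024-03-01T09:00:22Z","type":"signin","user":"dave@corp.example","ip":"203.0.113.5","result":"failure"}
{"ts":"2024-03-01T09:00:31Z","type":"signin","user":"erin@corp.example","ip":"203.0.113.5","result":"failure"}
{"ts":"2024-03-01T09:00:40Z","type":"signin","user":"frank@corp.example","ip":"203.0.113.5","result":"success"}
{"ts":"2024-03-01T09:01:03Z","type":"signin","user":"grace@corp.example","ip":"203.0.113.5","result":"failure"}
{"ts":"2024-03-01T09:05:00Z","type":"signin","user":"alice@corp.example","ip":"198.51.100.7","result":"failure"}
{"ts":"2024-03-01T09:05:20Z","type":"signin","user":"alice@corp.example","ip":"198.51.100.7","result":"failure"}
{"ts":"2024-03-01T09:05:45Z","type":"signin","user":"alice@corp.example","ip":"198.51.100.7","result":"success"}
{"ts":"2024-03-01T10:12:00Z","type":"admin","actor":"frank@corp.example","cmdlet":"Add-MailboxPermission","params":{"Identity":"ceo@corp.example","User":"frank@corp.example","AccessRights":"FullAccess"}}
{"ts":"2024-03-01T10:13:30Z","type":"admin","actor":"frank@corp.example","cmdlet":"New-InboxRule","params":{"Mailbox":"ceo@corp.example","Name":".","ForwardTo":"drop@mail.example"}}
{"ts":"2024-03-01T11:00:00Z","type":"admin","actor":"helpdesk@corp.example","cmdlet":"Set-Mailbox","params":{"Identity":"bob@corp.example","ProhibitSendQuota":"50GB"}}
"""

# Cmdlets that grant another principal access to a mailbox or its contents (assumed list).
MAILBOX_ACCESS_CMDLETS = {
    "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-MailboxFolderPermission",
    "Add-RecipientPermission", "New-InboxRule", "Set-InboxRule",
}
# Inbox-rule parameters that move mail out of the mailbox.
EXFIL_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def parse_records(text):
    """Parse JSON-lines events and convert timestamps to datetime objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_mailbox_permission_changes(records):
    """Flag admin actions that widen access to a mailbox or forward its mail."""
    hits = []
    for rec in records:
        if rec.get("type") != "admin" or rec.get("cmdlet") not in MAILBOX_ACCESS_CMDLETS:
            continue
        params = rec.get("params", {})
        reasons = []
        if params.get("AccessRights") == "FullAccess":
            reasons.append("FullAccess delegation")
        if rec["cmdlet"].endswith("InboxRule") and EXFIL_RULE_PARAMS & params.keys():
            reasons.append("inbox rule forwards mail outside the mailbox")
        if not reasons:
            reasons.append("mailbox access change")
        hits.append({"ts": rec["ts"], "actor": rec["actor"], "cmdlet": rec["cmdlet"],
                     "target": params.get("Identity") or params.get("Mailbox"),
                     "reasons": reasons})
    return hits


def find_password_spray(records, window=timedelta(minutes=10), min_accounts=5):
    """Per source IP, count distinct accounts with failed sign-ins inside a sliding
    window; once the threshold is crossed, also list successes from that IP afterwards."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec.get("type") == "signin":
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        recent = deque()          # failures inside the current window
        peak, spray_seen_at = 0, None
        for ev in events:
            if ev["result"] != "failure":
                continue
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            distinct = {r["user"] for r in recent}
            peak = max(peak, len(distinct))
            if len(distinct) >= min_accounts and spray_seen_at is None:
                spray_seen_at = ev["ts"]
        if spray_seen_at is None:
            continue
        successes = [ev["user"] for ev in events
                     if ev["result"] == "success" and ev["ts"] >= spray_seen_at]
        findings[ip] = {"distinct_failed_users": peak,
                        "spray_detected_at": spray_seen_at,
                        "successes_after": successes}
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for ip, info in find_password_spray(recs).items():
        print(f"[spray] {ip}: {info['distinct_failed_users']} accounts; "
              f"successes after spray: {info['successes_after']}")
    for hit in find_mailbox_permission_changes(recs):
        print(f"[mailbox] {hit['ts']} {hit['actor']} {hit['cmdlet']} -> {hit['target']}: "
              f"{', '.join(hit['reasons'])}")
```

On the sample data the spray detector reports the single source that cycled through six accounts in about a minute and notes the one account that then signed in successfully from it, while the repeated failures for a single user from the second address (an ordinary lockout pattern) are not flagged; the mailbox detector reports the FullAccess grant and the forwarding rule but ignores the quota change. In production the same logic would run over the unified audit log, and the thresholds would be tuned against the organisation's normal sign-in volume.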
The overall sentiment surrounding this news is negative (-0.4), with a warning tone, reflecting the significant cybersecurity threat and geopolitical implications. Specific entities like Microsoft (MSFT, sentiment -0.3) and Oracle Cloud Infrastructure (OCI, sentiment -0.2) are mentioned in relation to vulnerabilities exploited or services misused by the threat actors.