Article Details
Scrape Timestamp (UTC): 2025-05-21 19:23:37.638
Source: https://www.theregister.com/2025/05/21/russias_fancy_bear_alert/
Original Article Text
Russia's Fancy Bear swipes a paw at logistics, transport orgs' email servers
13 govt agencies sound the alarm

Russian cyberspies have targeted "dozens" of Western and NATO-country logistics providers, tech companies, and government orgs providing transport and foreign assistance to Ukraine, according to a joint government announcement issued Wednesday.

The orgs they attacked span "virtually all transportation modes: air, sea, and rail," the security advisory [PDF] warns. And it points the finger at the Russian General Staff Main Intelligence Directorate (GRU) military unit 26165, aka APT28 or Fancy Bear.

In addition to the logistics and technology entities, the GRU snoops targeted internet-connected cameras at Ukrainian border crossings to track aid shipments. "The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed," the advisory notes.

Twenty-one government agencies from the US, UK, Canada, Germany, France, Czech Republic, Poland, Austria, Denmark, and the Netherlands sounded the alarm, and said the campaign has been ongoing since 2022, the year of Russia's full-scale invasion of neighboring Ukraine.

The government bods' warning follows a similar alert from private research firm Eset last week about the same group of goons using spear-phishing emails to target Ukrainian webmail servers that contain cross-site scripting vulnerabilities.

To gain access to their victims, Fancy Bear employs its usual mix of credential guessing, spear-phishing, abuse of Microsoft Exchange mailbox permissions, and exploitation of years-old security flaws in web-based email services and Windows tools, including Microsoft Outlook (CVE-2023-23397), Roundcube (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026) and WinRAR (CVE-2023-38831).

Once they've broken into the victims' networks, they get to work spying: conducting general reconnaissance to identify additional targets in key positions, snooping on individuals responsible for coordinating transport to Ukraine, and snarfing up information on shipments, such as train schedules and shipping manifests.

The group has used a range of malware in these campaigns against logistics organizations, and the security advisory calls out two backdoors linked to the attacks: Headlace and Masepie. And to steal data from email servers, the operatives like to use server data exchange protocols and APIs such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP).

"Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting," the security alert advises.
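The article mentions two mailbox-side behaviours that leave an audit trail: abuse of Exchange mailbox permissions for access, and collection over EWS or IMAP for exfiltration. The hunt below is an added example written for this page; it is not code from The Register, the advisory, or any of the named agencies. It correlates a FullAccess delegation grant with subsequent bulk mail access by the new delegate over EWS/IMAP. The audit records are constructed, and the field names (Operation, UserId, ClientInfoString, MailboxOwnerUPN, Parameters) are assumed to follow the Microsoft 365 Unified Audit Log layout; the ClientInfoString substrings used to recognise EWS and IMAP are likewise assumptions to check against your own export.

```python
"""Hunt for two of the mailbox-access behaviours the advisory describes:
a FullAccess delegation grant on a target mailbox, followed by bulk mail
collection through EWS or IMAP by the new delegate.

All records here are CONSTRUCTED for this example. Field names follow the
Microsoft 365 Unified Audit Log layout as an assumption; verify them
against your own export before relying on the matching."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Substrings that identify the collection channels named in the advisory.
# Real ClientInfoString values vary by client; these are assumptions.
COLLECTION_CLIENTS = ("client=webservices", "imap")
TIME_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_time(s):
    return datetime.strptime(s, TIME_FMT)


def build_sample_log():
    """Constructed audit records: one permission grant, five benign owner
    reads over Outlook/RPC, then 60 delegate reads over EWS in ~3 minutes."""
    base = parse_time("2025-05-20T02:11:04")
    log = [{
        "CreationTime": base.strftime(TIME_FMT), "Operation": "Add-MailboxPermission",
        "UserId": "admin@example.test", "ClientIP": "203.0.113.7",
        "Parameters": [{"Name": "Identity", "Value": "transport.coord@example.test"},
                       {"Name": "User", "Value": "svc-backup@example.test"},
                       {"Name": "AccessRights", "Value": "FullAccess"}]}]
    for i in range(5):  # benign: the owner reading their own mailbox
        log.append({"CreationTime": (base + timedelta(minutes=12 * i)).strftime(TIME_FMT),
                    "Operation": "MailItemsAccessed",
                    "UserId": "transport.coord@example.test",
                    "MailboxOwnerUPN": "transport.coord@example.test",
                    "ClientIPAddress": "198.51.100.20",
                    "ClientInfoString": "Client=MSExchangeRPC"})
    for i in range(60):  # suspicious: the new delegate pulling the mailbox via EWS
        log.append({"CreationTime": (base + timedelta(minutes=1, seconds=3 * i)).strftime(TIME_FMT),
                    "Operation": "MailItemsAccessed",
                    "UserId": "svc-backup@example.test",
                    "MailboxOwnerUPN": "transport.coord@example.test",
                    "ClientIPAddress": "203.0.113.7",
                    "ClientInfoString": "Client=WebServices;ExchangeServicesClient"})
    return log


def is_collection_protocol(client_info):
    c = (client_info or "").lower()
    return any(k in c for k in COLLECTION_CLIENTS)


def find_fullaccess_grants(records):
    """Return every Add-MailboxPermission that hands FullAccess to another principal."""
    hits = []
    for r in records:
        if r.get("Operation") != "Add-MailboxPermission":
            continue
        p = {x["Name"]: x["Value"] for x in r.get("Parameters", [])}
        if "fullaccess" in p.get("AccessRights", "").lower():
            hits.append({"time": r["CreationTime"], "actor": r.get("UserId"),
                         "ip": r.get("ClientIP"), "mailbox": p.get("Identity"),
                         "grantee": p.get("User")})
    return hits


def find_bulk_collection(records, window=timedelta(minutes=10), threshold=50):
    """Sliding window per (actor, mailbox, source IP): flag when at least
    `threshold` MailItemsAccessed events over EWS/IMAP land inside `window`."""
    buckets = defaultdict(list)
    for r in records:
        if r.get("Operation") != "MailItemsAccessed":
            continue
        if not is_collection_protocol(r.get("ClientInfoString")):
            continue
        key = (r["UserId"], r["MailboxOwnerUPN"], r.get("ClientIPAddress"))
        buckets[key].append(parse_time(r["CreationTime"]))
    alerts = []
    for (actor, mailbox, ip), times in buckets.items():
        q, peak = deque(), 0
        for t in sorted(times):
            q.append(t)
            while t - q[0] > window:  # drop events that fell out of the window
                q.popleft()
            peak = max(peak, len(q))
        if peak >= threshold:
            alerts.append({"actor": actor, "mailbox": mailbox, "ip": ip,
                           "peak_accesses_in_window": peak,
                           "delegate": actor != mailbox})
    return alerts


def correlate(records, **kwargs):
    """Chain a FullAccess grant to bulk collection by that grantee on that mailbox."""
    bulk = [b for b in find_bulk_collection(records, **kwargs) if b["delegate"]]
    return [{"grant": g, "collection": b}
            for g in find_fullaccess_grants(records) for b in bulk
            if b["actor"] == g["grantee"] and b["mailbox"] == g["mailbox"]]


if __name__ == "__main__":
    for chain in correlate(build_sample_log()):
        print(json.dumps(chain, indent=2))
```

To run it against real data, replace `build_sample_log()` with the parsed records of your audit export and tune `window` and `threshold` to the normal EWS/IMAP volume of your environment; the owner's own Outlook reads are deliberately excluded from the count so that the alert keys on a delegate reading someone else's mailbox, which is the pattern the advisory calls out.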
Daily Brief Summary
Russian military intelligence, GRU unit 26165 (Fancy Bear), has been actively targeting logistics providers across several Western and NATO countries, including technology companies and government organizations involved in aid efforts to Ukraine.
The targeting spans air, sea, and rail transport, and extended to internet-connected cameras at Ukrainian border crossings, which the group used to track aid shipments.
The campaign, ongoing since 2022, combines spear-phishing, credential guessing, abuse of Microsoft Exchange mailbox permissions, and exploitation of older vulnerabilities in Microsoft Outlook, Roundcube webmail, and WinRAR.
Once inside, the operators gather intelligence on shipments to Ukraine, such as train schedules and shipping manifests, and identify the individuals coordinating that transport.
Twenty-one government agencies from ten countries, including the US, UK, Canada, and Germany, co-signed the advisory, underlining the severity and broad reach of the espionage effort.
Two specific malware backdoors, named Headlace and Masepie, were identified as part of the arsenal used in these intrusion campaigns.
The advisory urges organizations in the targeted sectors to operate on the assumption that they are being targeted, to increase monitoring, and to hunt for the group's known TTPs and indicators of compromise.