I. Targeted Entities

  • Western logistics entities and technology companies involved in the transportation and coordination of aid to Ukraine
  • Defense industry entities
  • Transportation hubs (ports, airports)
  • Maritime sectors
  • Air traffic management systems
  • IT services

II. Introduction

Since early 2022, the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165, tracked publicly as APT28, Fancy Bear, Forest Blizzard, and BlueDelta, has conducted cyber espionage operations against Western logistics and technology entities. The campaign targets organizations that coordinate, transport, and deliver foreign assistance to Ukraine, indicating a sustained effort to monitor, and potentially disrupt, the flow of that aid.

Attack details: Unit 26165 has relied on a mix of credential guessing and password spraying, spearphishing (for both credential harvesting and malware delivery), exploitation of known vulnerabilities, and abuse of internet-facing infrastructure such as corporate VPNs, routing much of this activity through compromised small office/home office (SOHO) devices located near its targets. Vulnerabilities exploited in this campaign include CVE-2023-23397 (Microsoft Outlook, Net-NTLMv2 credential leak), CVE-2023-38831 (WinRAR), and several Roundcube webmail flaws (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026). The actors have also accessed internet-connected IP cameras near border crossings and transport hubs to observe aid shipments in transit (Ribeiro, 2025).

Separately, IBM X-Force documented the same unit (tracked as ITG05) using geopolitical lures built around the Israel-Hamas conflict to deliver the HEADLACE backdoor, giving the actors persistent command execution on compromised hosts (Mühr, Zaboeva, & Fasulo, 2025).

III. MITRE ATT&CK Framework

Initial Access:

  • Exploitation of Public-Facing Applications (T1190)
    • Exploited known vulnerabilities in internet-facing services, including Roundcube webmail (the CVEs listed above), Microsoft Exchange, and corporate VPN appliances, to obtain initial entry.
  • Spearphishing (T1566)
    • Sent targeted emails with contextually relevant geopolitical lures (e.g., the Israel-Hamas conflict) that either delivered malicious archives for the user to open or led to fake webmail login pages that harvested credentials.
  • Brute Force and Credential Guessing (T1110)
    • Ran systematic credential guessing and password spraying against exposed remote services, including RDP, VPN, and webmail logins. Spraying (one or a few passwords tried against many accounts) is designed to stay below per-account lockout thresholds, so it is best detected by counting distinct usernames per source address rather than failures per account.
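The distinction between per-account lockouts and per-source counting matters for detection, so here is an added example (not from the original advisory) that applies it: it re-fangs a handful of the brute-force source IPs listed in Section IV and runs them, together with a password-spray heuristic and a "success after failures" check, over a constructed authentication log. The log format, timestamps, usernames, and the two non-IOC addresses are invented for the example.

```python
import re
from collections import defaultdict

# Four of the brute-force source addresses listed in Section IV, defanged as on the page.
IOC_IPS_DEFANGED = [
    "103[.]97[.]203[.]29",
    "64[.]176[.]67[.]117",
    "70[.]34[.]242[.]220",
    "91[.]149[.]253[.]118",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (1[.]2[.]3[.]4, hxxp://) back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Constructed VPN/webmail authentication log (not real telemetry). The 198.51.100.x and
# 203.0.113.x addresses are documentation ranges used only to contrast with the IOC hit.
SAMPLE_LOG = """\
2025-05-01T02:00:01Z auth FAIL user=alice src=64.176.67.117
2025-05-01T02:00:03Z auth FAIL user=bob src=64.176.67.117
2025-05-01T02:00:05Z auth FAIL user=carol src=64.176.67.117
2025-05-01T02:00:07Z auth OK user=dave src=64.176.67.117
2025-05-01T02:01:00Z auth FAIL user=alice src=198.51.100.7
2025-05-01T02:01:02Z auth FAIL user=alice src=198.51.100.7
2025-05-01T02:01:04Z auth OK user=alice src=198.51.100.7
2025-05-01T02:02:00Z auth OK user=erin src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) "
    r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def analyze_auth_log(log_text: str, ioc_ips_defanged, spray_min_users: int = 3) -> dict:
    """Return IOC hits, password-spray sources, and successes that followed failures from the same source.

    A spray source is one address that failed against at least `spray_min_users` distinct accounts;
    a single user failing and then succeeding from one address is usually a typo, but a success
    from an address that was spraying is a likely compromise and is reported separately.
    """
    ioc_ips = {refang(i) for i in ioc_ips_defanged}
    failed_users = defaultdict(set)  # source ip -> distinct users with a failed login
    ioc_hits = set()
    success_after_failure = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not auth events
        ip, user, result = m["ip"], m["user"], m["result"]
        if ip in ioc_ips:
            ioc_hits.add(ip)
        if result == "FAIL":
            failed_users[ip].add(user)
        elif failed_users[ip]:
            success_after_failure.append((ip, user))
    spray_sources = {
        ip: sorted(users) for ip, users in failed_users.items() if len(users) >= spray_min_users
    }
    return {
        "ioc_hits": sorted(ioc_hits),
        "spray_sources": spray_sources,
        "success_after_failure": success_after_failure,
    }


if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_LOG, IOC_IPS_DEFANGED)
    print("IOC source hits:      ", report["ioc_hits"])
    print("Spray sources:        ", report["spray_sources"])
    print("Success after failure:", report["success_after_failure"])
```

In production the same logic runs over VPN concentrator, Exchange/OWA, or Windows 4625/4624 events; the point of the heuristic is that three accounts each failing once from one source is a louder signal than one account failing three times, and that a later success from a spraying source should open an incident rather than be treated as a resolved login problem.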

Execution:

  • Command and Scripting Interpreter (T1059)
    • Ran commands and scripts through built-in interpreters, chiefly PowerShell and cmd.exe on Windows hosts, for post-compromise tasks such as discovery and staging collected data into ZIP archives prior to exfiltration.
  • User Execution (T1204)
    • Deployed malicious attachments and phishing links designed to prompt users into inadvertently executing malicious scripts or payloads.

Persistence:

  • Scheduled Task (T1053)
    • Established scheduled tasks to regularly execute malicious scripts and maintain long-term access.
  • Shortcut Modification (T1547.009)
    • Altered shortcut (.lnk) files to point at malicious executables, so that routine user actions launched the payload and persistence blended with normal activity.

Privilege Escalation:

  • Exploitation for Privilege Escalation (T1068)
    • Exploited software vulnerabilities, notably CVE-2023-23397, which Microsoft classifies as an elevation-of-privilege flaw in Outlook: the leaked Net-NTLMv2 response can be relayed or cracked to authenticate as the victim to other services and reach resources the initial foothold could not.

Credential Access:

  • OS Credential Dumping (T1003)
    • Harvested credentials from memory (LSASS), the registry (SAM and LSA secrets), and Active Directory (DCSync via Impacket's secretsdump), alongside NTLM hashes captured on the network.
  • Forced Authentication via CVE-2023-23397 (T1187)
    • CVE-2023-23397 is a critical "zero-touch" vulnerability in Microsoft Outlook for Windows. A crafted message (typically a calendar invitation or task) carries an extended MAPI property, PidLidReminderFileParameter, pointing to a UNC path on an attacker-controlled server. When the reminder fires, Outlook connects to that path and authenticates with NTLM, handing the attacker the user's Net-NTLMv2 response without any user interaction. The response can be relayed to another NTLM-accepting service or cracked offline; both are far cheaper for the attacker than phishing a password.

Lateral Movement:

  • Remote Desktop Protocol (T1021.001)
    • Employed Remote Desktop Protocol to navigate laterally through compromised networks, enhancing the attacker’s reach and access.
  • Remote execution tooling: Impacket and PsExec
    • Impacket is an open-source Python library with example scripts (psexec.py, smbexec.py, wmiexec.py, secretsdump.py, ntlmrelayx.py) that speak SMB, MSRPC, LDAP, and Kerberos natively. Adversaries use it for pass-the-hash, NTLM relay, and DCSync, and to run commands on remote hosts without an interactive session.
    • PsExec, part of Microsoft Sysinternals, installs a temporary service (PSEXESVC) on the target over SMB and uses it to execute processes remotely, letting adversaries run commands or deploy payloads across a network without needing remote desktop access.
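Both tools leave recognizable host artifacts, so here is an added example (not from the advisory) that matches the default ones: PsExec's PSEXESVC service installation (System log Event ID 7045), Impacket smbexec's BTOBTO service and its %COMSPEC% batch-file wrapper, and Impacket wmiexec's cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1 command line spawned under WmiPrvSE.exe (Security log Event ID 4688). The event records are constructed and simplified to pipe-separated fields; the hostnames are invented.

```python
import re

# Constructed Windows event records (not real telemetry). 7045 = service installed (System log),
# 4688 = process creation (Security log). Fields are pipe-separated here for brevity.
SAMPLE_EVENTS = r"""
7045|HOST01|ServiceName=PSEXESVC|ImagePath=%SystemRoot%\PSEXESVC.exe
7045|HOST02|ServiceName=BTOBTO|ImagePath=%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat
4688|HOST03|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|CommandLine=cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1716300000.1234 2>&1
4688|HOST04|ParentImage=C:\Windows\explorer.exe|CommandLine=cmd.exe /c dir
7045|HOST05|ServiceName=Spooler|ImagePath=C:\Windows\System32\spoolsv.exe
""".strip()

# Each rule: (event id, field, regex, tool label). These are the tools' default strings; operators
# can rename PsExec's service (-r) or patch Impacket, so treat a match as high fidelity but a miss
# as inconclusive.
RULES = [
    ("7045", "ServiceName", re.compile(r"^PSEXESVC$", re.I), "PsExec (Sysinternals)"),
    ("7045", "ImagePath", re.compile(r"\\PSEXESVC\.exe$", re.I), "PsExec (Sysinternals)"),
    ("7045", "ServiceName", re.compile(r"^BTOBTO$"), "Impacket smbexec"),
    ("7045", "ImagePath",
     re.compile(r"%COMSPEC% /Q /c echo .*\\\\127\.0\.0\.1\\.*execute\.bat", re.I), "Impacket smbexec"),
    ("4688", "CommandLine",
     re.compile(r"cmd\.exe /Q /c .+ 1> \\\\127\.0\.0\.1\\ADMIN\$\\__[\d.]+ 2>&1"), "Impacket wmiexec"),
]


def parse_event(line: str):
    """Split '<id>|<host>|k=v|k=v' into (event_id, host, {k: v}); values may contain '='."""
    event_id, host, *kvs = line.split("|")
    fields = dict(kv.split("=", 1) for kv in kvs)
    return event_id, host, fields


def detect_lateral_movement_tools(events_text: str) -> dict:
    """Return {host: tool} for hosts whose events match a known remote-execution tool artifact."""
    hits = {}
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event_id, host, fields = parse_event(line)
        for rule_id, field, pattern, tool in RULES:
            if event_id == rule_id and field in fields and pattern.search(fields[field]):
                hits[host] = tool
                break  # one label per host is enough for triage
    return hits


if __name__ == "__main__":
    for host, tool in detect_lateral_movement_tools(SAMPLE_EVENTS).items():
        print(f"{host}: {tool}")
```

The wmiexec pattern is the most durable of the three because the loopback ADMIN$ redirection is how the tool collects command output, not a cosmetic default; pairing it with the WmiPrvSE.exe parent keeps legitimate administrative cmd.exe launches out of the results.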

Discovery:

  • Active Directory Enumeration (T1087)
    • Mapped organizational structures by enumerating Active Directory objects to identify high-value targets.
  • Network Service Scanning (T1046)
    • Conducted extensive internal scans post-compromise to locate vulnerable or exploitable network services.

Command and Control:

  • Application Layer Protocol (T1071)
    • Used standard protocols such as HTTP(S) and DNS to blend malicious traffic with legitimate communications, complicating detection efforts.
  • Legitimate Web Services (T1102)
    • Leveraged trusted cloud and hosting services to host command and control infrastructure, reducing suspicion and bypassing traditional network defenses.

Exfiltration:

  • Exfiltration Over C2 Channel (T1041)
    • Uploaded staged archives over the same channel used for command and control (SSH or the API of a legitimate web service), so that exfiltration did not appear as a new destination in network telemetry.
  • Archive Collected Data: Archive via Utility (T1560.001)
    • Compressed and encrypted sensitive data into ZIP files using PowerShell scripts prior to exfiltration.

  Summary of the exfiltration chain:

    Phase                  Technique    Description
    Data preparation       T1560.001    ZIP compression via PowerShell
    Exfiltration channel   T1041        Upload via C2 (SSH or API)
    Tools                  -            Impacket, PsExec, Certipy, ADExplorer, SSH
    Timing                 -            Periodic bursts, geo-proximity, stealth scheduling

IV. Indicators of Compromise (IOCs)

  • IP addresses observed in brute force activity:
    • 103[.]97[.]203[.]29
    • 109[.]95[.]151[.]207
    • 138[.]199[.]59[.]43
    • 147[.]135[.]209[.]245
    • 162[.]210[.]194[.]2
    • 178[.]235[.]191[.]182
    • 178[.]37[.]97[.]243
    • 185[.]234[.]235[.]69
    • 192[.]162[.]174[.]67
    • 192[.]162[.]174[.]94
    • 194[.]187[.]180[.]20
    • 207[.]244[.]71[.]84
    • 209[.]14[.]71[.]127
    • 212[.]127[.]78[.]170
    • 213[.]134[.]184[.]167
    • 31[.]135[.]199[.]145
    • 31[.]42[.]4[.]138
    • 46[.]112[.]70[.]252
    • 46[.]248[.]185[.]236
    • 64[.]176[.]67[.]117
    • 64[.]176[.]69[.]196
    • 64[.]176[.]70[.]18
    • 64[.]176[.]70[.]238
    • 64[.]176[.]71[.]201
    • 70[.]34[.]242[.]220
    • 70[.]34[.]243[.]226
    • 70[.]34[.]244[.]100
    • 70[.]34[.]245[.]215
    • 70[.]34[.]252[.]168
    • 70[.]34[.]252[.]186
    • 70[.]34[.]252[.]222
    • 70[.]34[.]253[.]13
    • 70[.]34[.]253[.]247
    • 70[.]34[.]254[.]245
    • 79[.]184[.]25[.]198
    • 79[.]185[.]5[.]142
    • 83[.]10[.]46[.]174
    • 83[.]168[.]66[.]145
    • 83[.]168[.]78[.]27
    • 83[.]168[.]78[.]31
    • 83[.]168[.]78[.]55
    • 83[.]23[.]130[.]49
    • 83[.]29[.]138[.]115
    • 89[.]64[.]70[.]69
    • 90[.]156[.]4[.]204
    • 91[.]149[.]202[.]215
    • 91[.]149[.]203[.]73
    • 91[.]149[.]219[.]158
    • 91[.]149[.]219[.]23
    • 91[.]149[.]223[.]130
    • 91[.]149[.]253[.]118
    • 91[.]149[.]253[.]198
    • 91[.]149[.]253[.]204
    • 91[.]149[.]253[.]20
    • 91[.]149[.]254[.]75
    • 91[.]149[.]255[.]122
    • 91[.]149[.]255[.]19
    • 91[.]149[.]255[.]195
    • 91[.]221[.]88[.]76
    • 93[.]105[.]185[.]139
    • 95[.]215[.]76[.]209
  • Outlook CVE-2023-23397 exploitation IOCs (sending addresses and IP addresses):
    • md-shoeb@alfathdoor[.]com[.]sa
    • jayam@wizzsolutions[.]com
    • accounts@regencyservice[.]in
    • m.salim@tsc-me[.]com
    • vikram.anand@4ginfosource[.]com
    • mdelafuente@ukwwfze[.]com
    • sarah@cosmicgold469[.]co[.]za
    • franch1.lanka@bplanka[.]com
    • commerical@vanadrink[.]com
    • maint@goldenloaduae[.]com
    • karina@bhpcapital[.]com
    • tv@coastalareabank[.]com
    • ashoke.kumar@hbclife[.]in
    • 213[.]32[.]252[.]221
    • 124[.]168[.]91[.]178
    • 194[.]126[.]178[.]8
    • 159[.]196[.]128[.]120
  • Commonly Used Webmail Providers:
    • portugalmail[.]pt
    • mail-online[.]dk
    • email[.]cz
    • seznam[.]cz
  • Malicious archive filenames and SHA-256 hashes:
    • calc.war.zip
      • Hash: 763d47f16a230f7c2d8c135b30535a52d66a1ed210596333ca1c3890d72e6efc
    • Zeyilname.zip
      • Hash: 22ed5c5cd9c6a351398f1e56efdfb16d52cd33cb4b206237487a03443d3de893
      • Hash: 45e44afeb8b890004fd1cb535978d0754ceaa7129082cb72386a80a5532700d1
    • news_week_6.zip
      • Hash: 16bcd167162e4ded71b8c7e9a2587be821d3a752c71fcbb2ae64cf1088b62fc0
      • Hash: 5b8c240083cba4442fb6bbb092efd430ce998530cc10fd181b3f71845ec190ce
      • Hash: 84638698fdcf2e9e45e7dd560c8d00fb4da6fa32dabaacd31b3538d38755dad4
      • Hash: f983d786f4dc2d1793f6b28907c4035c96b6b5c8765ba12dc4510dab0fceabf5
    • war.zip
      • Hash: d37779e16a92da7bd05eae50c64b36e2e2022eb441382be686fda4dbd1800e90
      • Hash: 2ac6735e8e0b23b222161690adf172aec668894d170299e9ff2c54a4ec25b1f4
      • Hash: 8cc664ff412fc80485d0af61fb0617f818d37776e5a06b799f74fe0179b31768
      • Hash: ec64b05307ad52f44fc0bfed6e1ae9a2dc2d093a42a8347f069f3955ce5aaa89
    • SEDE-PV-2023-10-09-1_EN.zip
      • Hash: 8dba6356fdb0e89db9b4dad10fdf3ba37e92ae42d55e7bb8f76b3d10cd7a780c
    • Roadmap.zip
  • Malicious scripts/tools observed:
    • HEADLACE (backdoor)
      • A multi-stage backdoor, delivered through archive and shortcut lures, that establishes persistence, executes operator commands, and communicates with attacker infrastructure over HTTP(S).
    • MASEPIE (backdoor)
      • A Python-based backdoor used to run remote commands, transfer files, and maintain a foothold in compromised networks.
    • STEELHOOK (credential theft)
      • A PowerShell script that harvests saved credentials and cookies from Chromium-based browsers (Chrome, Edge) and exfiltrates them, supporting further lateral movement and deeper access.

V. Recommendations

  • Patch Known Vulnerabilities:
    • Prioritize the vulnerabilities exploited in this campaign (Outlook CVE-2023-23397, WinRAR CVE-2023-38831, and the Roundcube CVEs), then keep all software and firmware current, including VPN appliances and SOHO routers.
    • Conduct continuous vulnerability assessments to identify and mitigate security gaps.
  • Enhance Detection and Monitoring:
    • Deploy endpoint detection and response (EDR) systems and enable PowerShell script-block logging.
    • Utilize behavioral analysis tools to detect anomalous activities, including password-spray patterns against webmail and VPN logins, unexpected service installations, and changes to Exchange mailbox permissions.
  • Strengthen Authentication Practices:
    • Implement phishing-resistant multi-factor authentication (MFA) on webmail, VPN, and RDP.
    • Block outbound SMB (TCP 445) at the network edge and place privileged accounts in the Protected Users group, which disables NTLM for them and blunts CVE-2023-23397-style credential leaks.
    • Regularly audit user permissions and account activities.
  • Network Security:
    • Employ network segmentation.
    • Block unauthorized VPN and proxy services.
  • User Awareness:
    • Conduct regular security training focusing on recognizing phishing and social engineering tactics.
  • Incident Response Preparation:
    • Establish and routinely test incident response protocols to quickly contain and remediate intrusions.

VI. Conclusion

Given the strategic nature of this campaign targeting critical logistical infrastructure, Western logistics and technology entities must maintain heightened vigilance. Employing comprehensive security measures and regular training will be crucial in mitigating the ongoing threat posed by the GRU’s advanced cyber espionage operations.

VII. References

MITRE ATT&CK. (n.d.). Command and Scripting Interpreter, Technique T1059 – Enterprise. https://attack.mitre.org/techniques/T1059/

MITRE ATT&CK. (n.d.). Exfiltration Over C2 Channel, Technique T1041 – Enterprise. https://attack.mitre.org/techniques/T1041/

Insikt Group. (2025, April 30). France ties Russian APT28 to attacks targeting French infrastructure and institutions. Recorded Future. https://app.recordedfuture.com/portal/research/insikt/doc:5pGMcT?organization=uhash%3A5SiRB4MNDF

Insikt Group. (2024, May 30). GRU's BlueDelta targets key networks in Europe with multi-phase espionage campaigns. Recorded Future. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf

Lesnewich, G., & Giering, C. (2023, December 5). TA422's dedicated exploitation loop: The same week after week. Proofpoint. https://www.proofpoint.com/us/blog/threat-insight/ta422s-dedicated-exploitation-loop-same-week-after-week

Martin, A. (2025, May 21). Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms. The Record. https://therecord.media/western-intelligence-alert-russia-hackers-logistics-fancy-bear-apt28

Microsoft Incident Response. (2023, March 24). Guidance for investigating attacks using CVE-2023-23397. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397

Mühr, G., Zaboeva, C., & Fasulo, J. (2025, April 17). ITG05 operations leverage Israel-Hamas conflict lures to deliver HEADLACE malware. IBM X-Force. https://www.ibm.com/think/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware

Ribeiro, A. (2025, May 25). Russian GRU's Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains. Industrial Cyber. https://industrialcyber.co/cisa/russian-grus-unit-26165-conducts-two-year-cyber-espionage-on-logistics-tech-firms-using-ip-cameras-supply-chains/

U.S. Department of Defense. (2025, May 21). Russian GRU targeting Western logistics entities and technology companies [Joint cybersecurity advisory]. https://media.defense.gov/2025/May/21/2003719846/-1/-1/0/CSA_RUSSIAN_GRU_TARGET_LOGISTICS.PDF

Cybersecurity and Infrastructure Security Agency. (2025, May 21). Russian GRU targeting Western logistics entities and technology companies (AA25-141a). https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analyst(s): Kevin Wong, Jason Doan