The FBI, along with Agency and other international cybersecurity agencies, this week released a joint agency advisory on cyber operations by the Russian General Staff Main Intelligence Directorate (GRU), also known as APT28, Fancy Bear, Forest Blizzard and other identifiers, targeting U.S. and global entities. For over two years, the Russian GRU has targeted logistics and technology companies using a mix of tactics, including reconstituted password spraying capabilities, spearphishing, and modification of mailbox permissions.
The advisory highlights a sustained campaign by the GRU, which has been targeting logistics and IT companies involved in the delivery of aid to Ukraine since 2022. The GRU's tactics include password spraying, spearphishing, and exploitation of vulnerabilities in popular software. The group has also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments, indicating a direct attempt to disrupt the flow of aid.
The GRU's cyber operations have the potential to significantly impact the long-term financial stability and operational resilience of logistics and technology companies, particularly those involved in military contracts and foreign aid to Ukraine. Disruption of operations, financial losses, reputation damage, and compromised operational resilience are all potential outcomes of these attacks. The GRU's use of "living off the land" techniques, such as using tools already present on systems for lateral movement, can make it difficult for companies to detect and respond to attacks, further compromising their operational resilience.
To enhance their cybersecurity posture in response to the tactics used by APT28, logistics and technology companies can implement several specific measures. These include implementing and enforcing multifactor authentication (MFA), securing and monitoring remote desktop protocol (RDP) and other potentially risky services, providing end-user cybersecurity awareness and training, increasing monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posturing network defenses with a presumption of targeting. While these measures may initially increase operational costs and potentially impact efficiency, the long-term benefits of enhanced security and reduced risk of breaches make these investments worthwhile.
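Two of the tactics named above, password spraying and modification of mailbox permissions, leave a recognisable footprint in authentication and mailbox audit logs, and the "increase monitoring and threat hunting for known TTPs" recommendation amounts to looking for exactly that footprint. The following is an added example written for this summary, not code from the advisory or from any of the issuing agencies. It runs two simple detectors over constructed sample events: a sliding-window check for one source failing logons against many distinct accounts (breadth per source, which is what distinguishes a spray from a user mistyping a password), a follow-up check for any success from a source already flagged, and a check for FullAccess mailbox grants made by non-admins or granted to the actor's own account. The log field names, the thresholds, and the sample events are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events in a simplified log shape (an assumption;
# not data from the advisory). ISO timestamp, account name, source IP, outcome.
AUTH_EVENTS = [
    {"ts": "2025-05-20T08:00:01", "user": "alice", "src": "203.0.113.7",  "result": "failure"},
    {"ts": "2025-05-20T08:01:15", "user": "bob",   "src": "203.0.113.7",  "result": "failure"},
    {"ts": "2025-05-20T08:02:30", "user": "carol", "src": "203.0.113.7",  "result": "failure"},
    {"ts": "2025-05-20T08:03:44", "user": "dave",  "src": "203.0.113.7",  "result": "failure"},
    {"ts": "2025-05-20T08:05:02", "user": "erin",  "src": "203.0.113.7",  "result": "failure"},
    {"ts": "2025-05-20T08:06:19", "user": "frank", "src": "203.0.113.7",  "result": "failure"},
    {"ts": "2025-05-20T08:07:40", "user": "frank", "src": "203.0.113.7",  "result": "success"},
    # A legitimate user mistyping a password twice looks nothing like a spray.
    {"ts": "2025-05-20T08:10:00", "user": "alice", "src": "198.51.100.5", "result": "failure"},
    {"ts": "2025-05-20T08:10:20", "user": "alice", "src": "198.51.100.5", "result": "failure"},
    {"ts": "2025-05-20T08:10:45", "user": "alice", "src": "198.51.100.5", "result": "success"},
]

# Constructed mailbox-permission audit events, loosely modelled on the shape of an
# Exchange admin audit record (field names are an assumption for this example).
MAILBOX_EVENTS = [
    {"ts": "2025-05-20T09:12:03", "actor": "admin", "op": "Add-MailboxPermission",
     "mailbox": "shared-hr", "grantee": "hr-team", "rights": "FullAccess"},
    {"ts": "2025-05-20T09:40:51", "actor": "frank", "op": "Add-MailboxPermission",
     "mailbox": "cfo", "grantee": "frank", "rights": "FullAccess"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return {source_ip: set_of_accounts} for sources whose failed logons touch at
    least `min_users` distinct accounts inside any `window`-long sliding window.

    Spraying is one or two guesses against many accounts, so the signal is breadth
    (distinct users) per source, not depth (attempts per user). Thresholds are
    illustrative; tune them to the environment's normal failure rate.
    """
    failures_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in failures_by_src.items():
        evs.sort(key=_ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start:end+1] spans at most `window`.
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users and len(users) > len(alerts.get(src, ())):
                alerts[src] = users
    return alerts


def successes_after_spray(events, spray_alerts):
    """List (source_ip, account) for successful logons from a source already flagged
    as spraying: the first thing to triage, since it marks a guessed password."""
    return [(e["src"], e["user"]) for e in events
            if e["result"] == "success" and e["src"] in spray_alerts]


def suspicious_mailbox_grants(events, trusted_admins=frozenset({"admin"})):
    """Flag FullAccess grants made by a non-admin actor, or granted by anyone to
    their own account. An intruder holding one mailbox's credentials can grant that
    account rights over other mailboxes and read them without further logons."""
    flagged = []
    for e in events:
        if e["op"] != "Add-MailboxPermission" or e["rights"] != "FullAccess":
            continue
        if e["actor"] not in trusted_admins or e["actor"] == e["grantee"]:
            flagged.append((e["actor"], e["mailbox"], e["grantee"]))
    return flagged


if __name__ == "__main__":
    sprays = detect_password_spray(AUTH_EVENTS)
    for src, users in sprays.items():
        print(f"password spray from {src}: {len(users)} accounts {sorted(users)}")
    for src, user in successes_after_spray(AUTH_EVENTS, sprays):
        print(f"!! successful logon from spraying source {src} as {user}")
    for actor, mailbox, grantee in suspicious_mailbox_grants(MAILBOX_EVENTS):
        print(f"!! {actor} granted FullAccess on mailbox {mailbox} to {grantee}")
```

In the constructed data the three detectors chain into one story: the spraying source guesses frank's password, logs in as frank, and frank's account then grants itself FullAccess on another mailbox. Correlating those three findings on the same account is what turns three low-severity alerts into one incident; MFA on the initial logon, as the advisory recommends, breaks the chain at the second step.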
The advisory also notes that the GRU has been targeting email accounts of top Ukrainian officials and executives at foreign defense contractors supplying weapons to Ukraine. This indicates a broader strategy to disrupt the flow of aid and weapons to Ukraine, as well as to gather intelligence on Western military operations.
The FBI and other international cybersecurity agencies have urged companies to take immediate action to protect themselves from these threats. This includes prioritizing the mitigation of known exploited vulnerabilities, implementing the Cyber Performance Goals, and providing end-user cybersecurity awareness and training. Companies are also encouraged to report potential malicious activity to CISA or the FBI and to sign up for CISA's cybersecurity alerts and advisories for timely notification of emerging campaigns and incidents.
In conclusion, the cyber operations by the Russian GRU pose a significant threat to the long-term financial stability and operational resilience of logistics and technology companies involved in military contracts and foreign aid to Ukraine. Companies in these sectors should recognize the elevated threat of GRU targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise, and posture network defenses with a presumption of targeting. By implementing these measures, companies can significantly enhance their cybersecurity posture and reduce the risk of successful attacks by APT28 and other threat actors.