As Russian missiles have rained down on Ukraine, Moscow’s hackers have increased their efforts to sabotage Western companies providing support to Kyiv.
The state-linked cyber team known as Fancy Bear has “expanded its targeting of logistics entities and technology companies involved in the delivery of aid,” the U.S. and 10 of its closest allies said in a cyber threat advisory published Wednesday.
Russian hackers have targeted defense contractors, transportation facilities, maritime operators, air traffic control systems and IT service providers, according to the advisory. Their techniques are a mixture of brute-force password cracking, spear-phishing to obtain credentials and deliver malware, and the exploitation of vulnerabilities in Microsoft Outlook and other software.
Cybersecurity and intelligence agencies in Australia, Canada, the Czech Republic, Denmark, Estonia, France, Germany, the Netherlands, Poland and the U.K. issued the alert alongside the FBI, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Defense Cyber Crime Center and U.S. Cyber Command.
“Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of [Fancy Bear] targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting,” the Western governments warned in the joint advisory. “This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide-scale targeting of IP cameras in Ukraine and bordering NATO nations.”
Targeted companies and government organizations have been identified in Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine and the U.S.
In one attack, Russia pivoted from its initial breach to stealing credentials belonging to accounts with access to “sensitive information on shipments, such as train schedules and shipping manifests,” the advisory said. The information included the route details and cargo contents of trains, planes and ships headed for Ukraine.
The Western governments believe that Russia has also tracked shipments by hacking into private internet-accessible security cameras near military bases, border checkpoints and rail stations.
Russia deployed malware that it has been observed using before, including HEADLACE and MASEPIE, and it maintained persistence on victim networks through built-in Windows features such as scheduled tasks.
“The authoring agencies expect similar targeting and TTP use to continue,” the advisory warned.