The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is issuing a stark warning about an elevated Russian cyber threat to logistics and tech companies involved in supporting Ukraine. In a joint advisory released Wednesday alongside cybersecurity agencies from the UK, Germany, and over a dozen NATO allies, CISA urged all organizations moving aid, weapons, and supplies into Ukraine to assume they are actively being targeted by Russian hackers.
At the center of this campaign is Unit 26165, a notorious arm of Russia’s military-intelligence unit GRU—also known in the cybersecurity world as APT28 or Fancy Bear. According to CISA, the group has been orchestrating a widespread espionage campaign since early 2022, growing more aggressive as the war in Ukraine drags on.
Victims of this ongoing cyber offensive include shipping brokers, railway operators, port authorities, air-traffic managers, defense contractors, and the IT firms that support these sectors. These attacks have been confirmed in at least 13 NATO countries, as well as in the U.S. and Ukraine.
Targeting the Arteries of Aid and Arms
CISA revealed that Unit 26165 is systematically collecting intelligence that could disrupt or intercept Western supply chains. A key focus is the theft of shipping manifests, which provide detailed insight into what’s moving into Ukraine and when. That includes train and container numbers and delivery schedules—data that, in the wrong hands, could be used to undermine or intercept shipments.
The attackers have also conducted reconnaissance on organizations involved in industrial control systems (ICS) used for railway infrastructure. While no confirmed compromise was reported, the targeting suggests a growing interest in critical transport systems.
Even more alarming, the advisory notes that Russian intelligence has hijacked thousands of IP cameras positioned at border crossings and rail yards, giving them real-time visibility into aid convoys moving into Ukraine.
Sophisticated Attack Tactics and Exploit Chains
The group’s tactics blend traditional hacking methods with more advanced and stealthy techniques. According to CISA’s technical documentation, Fancy Bear has used:
- Password-spraying and spear-phishing to gain initial access
- Microsoft Outlook’s NTLM bug (CVE-2023-23397) to harvest credentials
- Vulnerabilities in Roundcube webmail and a WinRAR archive flaw for deeper infiltration
- Home-office routers and edge devices as cover for lateral movement
Once inside, the attackers move quickly—abusing Exchange mailbox permissions to collect emails, deploying Impacket and PsExec to navigate Active Directory, and planting custom malware like HEADLACE and MASEPIE to steal data and maintain access.
The group also takes extra steps to identify key personnel, including cybersecurity teams, logistics coordinators, and third-party partners, expanding its network of targets and maximizing intelligence value.
Urgent Defensive Measures Recommended
In response to this Russian cyber threat to logistics, CISA is urging companies to immediately reassess their risk exposure. Specific recommendations include:
- Implementing phishing-resistant MFA
- Auditing for known vulnerabilities in Outlook, Roundcube, and WinRAR
- Securing all public-facing devices
- Hunting for known TTPs and malware used by Unit 26165
- Improving monitoring and incident response readiness
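One concrete hunt for the password-spraying initial access described above is a check for the spray signature in authentication logs: one source hitting many distinct accounts with only a couple of failed attempts each, as opposed to brute force against one account. The script below is an added illustration, not code from CISA or the advisory; the log format, thresholds and sample events are constructed assumptions.

```python
"""Hunt for password-spray patterns in authentication logs (illustrative)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, source IP, account, result); not real data.
SAMPLE_LOG = """\
2024-03-01T08:00:01 203.0.113.7 alice FAIL
2024-03-01T08:00:04 203.0.113.7 bob FAIL
2024-03-01T08:00:07 203.0.113.7 carol FAIL
2024-03-01T08:00:10 203.0.113.7 dave FAIL
2024-03-01T08:00:13 203.0.113.7 erin FAIL
2024-03-01T08:00:16 203.0.113.7 frank SUCCESS
2024-03-01T08:05:00 198.51.100.9 alice FAIL
2024-03-01T08:05:02 198.51.100.9 alice FAIL
2024-03-01T08:05:04 198.51.100.9 alice FAIL
2024-03-01T08:05:06 198.51.100.9 alice FAIL
2024-03-01T09:30:00 192.0.2.44 gina FAIL
2024-03-01T09:31:00 192.0.2.44 gina SUCCESS
"""

def parse_log(text):
    """Parse the assumed 'ts ip account result' format into tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Flag source IPs whose failed logons inside `window` touch at least
    `min_accounts` distinct accounts with at most `max_per_account` tries each.
    A single account hammered many times (brute force) is deliberately not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, account))
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # sliding window over failures
            counts = defaultdict(int)
            for ts, account in fails[i:]:
                if ts - start > window:
                    break
                counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                findings[ip] = sorted(counts)
                break
    return findings

def successful_logons_from(events, ip):
    """Accounts that later succeeded from a flagged source: reset and review these first."""
    return sorted({a for _, src, a, r in events if src == ip and r == "SUCCESS"})

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, accounts in detect_password_spray(evs).items():
        print(f"possible spray from {ip}: {len(accounts)} accounts; "
              f"successes: {successful_logons_from(evs, ip)}")
```

Thresholds must be tuned to the environment's normal failure rate; the successful-logon follow-up is what turns a spray alert into an incident-response action.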
The agency emphasizes that organizations should adopt a “presumption of compromise” mindset, especially if they operate in or support the logistics, defense, or supply chain sectors linked to Ukraine.
“This threat is not hypothetical,” the advisory states. “Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of Unit 26165 targeting, and act now to reduce exposure.”