• A Russian intelligence malicious cyber campaign targeting organisations, including those involved in delivery of foreign assistance to Ukraine, has been revealed.
• GRU Unit 26165’s malicious activity includes credential guessing, spear-phishing and exploiting Microsoft Exchange mailbox permissions, as well as targeting internet-connected cameras at Ukrainian border crossings and near military installations.
• UK organisations urged by GCHQ’s National Cyber Security Centre to familiarise themselves with the threat and take immediate action to protect themselves.
• It comes as the UK continues to ramp up pressure on Putin as Russia continues its invasion of Ukraine.

The UK government and international allies have today exposed Russia’s military intelligence service for a campaign of malicious cyber activity against western logistics entities and technology companies.

In a new advisory, the UK’s National Cyber Security Centre – a part of GCHQ – and partners from ten countries have revealed details about how military unit 26165 of Russia’s GRU has conducted a malicious cyber campaign against both public and private organisations since 2022.

This has included targeting of organisations involved in the co-ordination, transport and delivery of support to Ukraine, and across the defence, IT services, maritime, airports, ports and air traffic management systems sectors in multiple NATO members.

Unit 26165 – also known as APT 28 – was able to gain initial access to victim networks using a mix of previously disclosed techniques, including credential guessing, spear-phishing and ex-ploitation of Microsoft Exchange mailbox permissions. They also targeted internet-connected cameras at Ukrainian border crossings and near military installations to monitor and track aid shipments to Ukraine.

The UK’s support for Ukraine remains steadfast as it continues to suffer Russia’s barbaric war. In total, the UK has committed £13 billion in military aid, and this week 100 new sanctions on Russia were announced, targeting entities supporting its military, energy, and financial institutions. This followed Russia launching its biggest drone attack of the war last weekend.
 
Supporting UK organisations to stay resilient to cyber threats is helping to secure the foundations for the government’s Plan for Change in a more volatile and unstable world. Along with details of the threat, the advisory includes mitigation advice to help defend against the malicious activity.

Paul Chichester, NCSC Director of Operations, said:

This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine. 

The UK and partners are committed to raising awareness of the tactics being deployed.

We strongly encourage organisations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks. 

Executives and network defenders at technology and logistics companies should recognise the elevated threat of targeting and take immediate action to protect themselves.
 
Actions include increasing monitoring, using multi-factor authentication with strong factors – such as passkeys – and ensuring security updates are applied promptly to manage vulnerabilities.
 
The NCSC has co-sealed this advisory alongside agencies from the United States, Germany, Czech Republic, Poland, Australia, Canada, Denmark, Estonia, France and the Netherlands.
 
Read the advisory in full on the NSA’s website