
A new Joint Cybersecurity Advisory issued in May 2025 by a coalition of cybersecurity and intelligence agencies across the U.S., U.K., EU, and NATO reveals that the Russian GRU’s 85th Main Special Service Center (GTsSS), unit 26165—also known as APT28, Fancy Bear, Forest Blizzard, and BlueDelta—has been actively targeting logistics and technology companies supporting Ukraine’s defense efforts.
“This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies,” the advisory states.
The campaign has been ongoing since early 2022 and focuses on espionage, data exfiltration, and sustained access to systems involved in coordinating, transporting, and delivering foreign assistance to Ukraine.
APT28, a well-known threat group linked to the Russian GRU, has combined credential brute force, spearphishing, exploitation of both publicly known and zero-day vulnerabilities, and living-off-the-land techniques in a persistent effort to compromise systems across NATO-aligned countries.
Targeted sectors include:
- Transportation and logistics (rail, air, sea)
- IT services and supply chains
- Defense contractors
- Critical infrastructure
“These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments,” the advisory explains.
APT28’s tactics include:
- Credential brute force attacks using anonymized infrastructure (Tor, VPNs)
- Spearphishing using multilingual lures and fake login pages
- Malware delivery via malicious archives exploiting CVE-2023-38831 (WinRAR)
- Mailbox permission abuse for long-term email surveillance
- Capture of Net-NTLMv2 hashes via CVE-2023-23397 (Outlook), which leaks them when Outlook processes a crafted reminder pointing at an attacker-controlled UNC path
- Exploitation of publicly known vulnerabilities in Roundcube and other webmail services
- IP camera hijacking using RTSP brute force and default credentials
“The actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests.”
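The brute-force activity listed above is the kind of thing that hides in failed-logon noise unless the logons are correlated by source and by account and checked against anonymizer ranges. The following detection is an added example written for this article, not code from the advisory: the failed-logon records, the IP ranges and the stand-in "Tor/VPN" list are all constructed, and the thresholds are illustrative.

```python
"""Spot credential brute force and password spraying that arrives through
anonymizing infrastructure (Tor exits, commercial VPN ranges).

Added example for this article, not code from the advisory.  The records,
IP ranges and anonymizer list below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-in for a Tor exit list / VPN provider ranges that a real
# deployment would refresh from a threat-intel feed.
ANONYMIZER_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Constructed failed-logon records (Windows 4625 / OWA auth failures reduced
# to the three fields that matter): timestamp, target account, source IP.
FAILED_LOGONS = [
    # one Tor exit tries five different accounts in three minutes: a spray
    ("2025-03-01T02:00:05", "j.kowalski", "203.0.113.7"),
    ("2025-03-01T02:00:41", "a.nowak", "203.0.113.7"),
    ("2025-03-01T02:01:12", "m.lewandowski", "203.0.113.7"),
    ("2025-03-01T02:01:50", "p.wojcik", "203.0.113.7"),
    ("2025-03-01T02:02:33", "k.zielinski", "203.0.113.7"),
    ("2025-03-01T02:03:10", "J.Kowalski", "203.0.113.7"),
    # a user mistyping a password three times from the LAN: noise
    ("2025-03-01T02:05:00", "m.schmidt", "10.0.0.5"),
    ("2025-03-01T02:05:30", "m.schmidt", "10.0.0.5"),
    ("2025-03-01T02:06:00", "m.schmidt", "10.0.0.5"),
    # four accounts from an unlisted address: under the spray threshold
    ("2025-03-01T02:30:00", "r.popescu", "192.0.2.9"),
    ("2025-03-01T02:31:00", "e.ionescu", "192.0.2.9"),
    ("2025-03-01T02:32:00", "d.constantin", "192.0.2.9"),
    ("2025-03-01T02:33:00", "v.dumitru", "192.0.2.9"),
] + [
    # one VPN address hits a single dispatch mailbox once a minute: brute force
    (f"2025-03-01T02:{m:02d}:00", "ops.dispatch", "198.51.100.20") for m in range(10, 20)
]

WINDOW = timedelta(minutes=15)
SPRAY_THRESHOLD = 5    # distinct accounts from one source IP inside WINDOW
BRUTE_THRESHOLD = 10   # failures against one account inside WINDOW


def is_anonymizer(ip: str) -> bool:
    """True if the address falls in a known Tor/VPN range."""
    addr = ip_address(ip)
    return any(addr in net for net in ANONYMIZER_RANGES)


def _raise(alerts, kind, key, count, ts, via_anonymizer):
    """Create or update one alert per (kind, key); keep the peak count."""
    alert = alerts.setdefault((kind, key), {
        "type": kind, "key": key, "count": 0,
        "first_seen": ts.isoformat(), "last_seen": None,
        "anonymizer": via_anonymizer,
        "severity": "high" if via_anonymizer else "medium",
    })
    alert["count"] = max(alert["count"], count)
    alert["last_seen"] = ts.isoformat()


def detect(records, window=WINDOW, spray_threshold=SPRAY_THRESHOLD,
           brute_threshold=BRUTE_THRESHOLD):
    """Sliding-window correlation of failed logons.

    Spray: one source IP, many distinct accounts inside `window`.
    Brute: one account, many failures from any source inside `window`.
    Severity is raised to high when the source is an anonymizer.
    """
    events = sorted((datetime.fromisoformat(t), acct.lower(), ip) for t, acct, ip in records)
    by_ip = defaultdict(deque)     # ip -> (time, account)
    by_acct = defaultdict(deque)   # account -> (time, ip)
    alerts = {}

    def expire(dq, now):
        while dq and now - dq[0][0] > window:
            dq.popleft()

    for ts, acct, ip in events:
        by_ip[ip].append((ts, acct))
        expire(by_ip[ip], ts)
        by_acct[acct].append((ts, ip))
        expire(by_acct[acct], ts)

        distinct = {a for _, a in by_ip[ip]}
        if len(distinct) >= spray_threshold:
            _raise(alerts, "password_spray", ip, len(distinct), ts, is_anonymizer(ip))
        if len(by_acct[acct]) >= brute_threshold:
            sources = {s for _, s in by_acct[acct]}
            _raise(alerts, "brute_force", acct, len(by_acct[acct]), ts,
                   any(is_anonymizer(s) for s in sources))
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect(FAILED_LOGONS):
        print(f'{a["severity"]:<6} {a["type"]:<15} {a["key"]:<16} '
              f'count={a["count"]} anonymizer={a["anonymizer"]}')
```

On the constructed input this raises two alerts: a high-severity spray from the Tor exit (five accounts in three minutes, the repeated `J.Kowalski` counted once after lowercasing) and a high-severity brute force against `ops.dispatch` from the VPN range; the LAN typos and the four-account run from the unlisted address stay under threshold. Tuning the thresholds and window to your own baseline matters more than the exact numbers used here.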
Key malware tools used include:
- HEADLACE – Credential phishing and remote access
- MASEPIE – Custom Python backdoor used for command execution, file transfer, and exfiltration
- OCEANMAP and STEELHOOK – Espionage payloads seen in earlier European campaigns: OCEANMAP is a C# backdoor that uses IMAP as its command-and-control channel, and STEELHOOK is a PowerShell script that steals browser credentials and cookies
APT28 actors use living-off-the-land binaries (LOLBins) like ntdsutil, wevtutil, and schtasks to blend in and avoid detection.
The advisory is co-signed by over 20 agencies from the U.S., U.K., Germany, France, Poland, Canada, Australia, Estonia, and others, underscoring the global impact of the threat.
“Executives and network defenders… should recognize the elevated threat… increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting,” the report recommends.
Countries with confirmed targeting include:
- Ukraine
- Poland
- Germany
- France
- Romania
- Netherlands
- Czech Republic
- Slovakia
- Italy
- Greece
- Bulgaria
- United States
The advisory provides detailed guidance using both the MITRE ATT&CK and D3FEND frameworks. Key mitigations include:
- Enforce Zero Trust principles
- Deploy multi-factor authentication (MFA) with hardware tokens
- Block, or require step-up authentication for, logins from known VPN exit nodes and anonymizing services such as Tor
- Segment and isolate critical infrastructure
- Harden IP cameras and remove default credentials
- Audit Active Directory and email permission changes
- Monitor for suspicious use of tools like Impacket, Certipy, and PsExec
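The LOLBin paragraph above and the last mitigation both come down to the same hunt: command-line patterns in process-creation telemetry (Sysmon Event ID 1 or Security event 4688). The rule set below is an added example written for this article, not code from the advisory; the events are constructed, and the rules are a starting point rather than a complete signature set. Certipy is left out deliberately: it normally runs from an attacker-controlled host against the certificate authority, so it is better hunted in the certificate-request events the CA records than in endpoint process creation.

```python
"""Hunt process-creation telemetry (Sysmon Event ID 1 or Security 4688) for
the living-off-the-land and lateral-movement tooling the advisory names.

Added example for this article, not code from the advisory.  The events are
constructed and the rules are a starting point, not a complete signature set.
"""
import re

# (rule name, case-insensitive regex over the command line, severity)
RULES = [
    # ntdsutil snapshotting NTDS.dit ("ifm" / "activate instance ntds") for offline hash extraction
    ("ntds_dump_via_ntdsutil",
     r"\bntdsutil(\.exe)?\b.*\b(ifm|ac(tivate)?\s+i(nstance)?\s+ntds)\b", "high"),
    # wevtutil clearing an event log (anti-forensics)
    ("event_log_clearing", r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", "high"),
    # scheduled task created to run something from a user-writable directory
    ("schtasks_persistence_userpath",
     r"\bschtasks(\.exe)?\b.*/create\b.*(\\users\\|\\appdata\\|\\temp\\|\\programdata\\)", "medium"),
    # Impacket wmiexec/smbexec-style command: output redirected to ADMIN$ on the loopback address
    ("impacket_exec_pattern",
     r"\bcmd\.exe\s+/q\s+/c\b.*\\\\127\.0\.0\.1\\admin\$\\__\d+", "high"),
    # PsExec's service binary dropped into the Windows directory
    ("psexec_service", r"\\psexesvc\.exe\b", "medium"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE), sev) for name, rx, sev in RULES]

# Constructed process-creation events reduced to the fields the rules use.
EVENTS = [
    {"host": "DC01", "user": "SYSTEM", "parent": "services.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\ntds" q q'},
    {"host": "DC01", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": r"wevtutil.exe cl Security"},
    {"host": "WS-LOG-07", "user": "CORP\\j.kowalski", "parent": "cmd.exe",
     "cmdline": r'schtasks.exe /create /tn "WinUpdate" /tr "C:\Users\j.kowalski\AppData\Roaming\win.bat" /sc minute /mo 30'},
    {"host": "WS-LOG-07", "user": "CORP\\svc_backup", "parent": "wmiprvse.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1716300000.45 2>&1"},
    {"host": "FS02", "user": "SYSTEM", "parent": "services.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    # benign lookalikes that must not fire
    {"host": "WS-LOG-07", "user": "CORP\\j.kowalski", "parent": "explorer.exe",
     "cmdline": r"schtasks.exe /query /fo LIST"},
    {"host": "DC01", "user": "CORP\\admin", "parent": "powershell.exe",
     "cmdline": r"wevtutil.exe qe Security /c:5"},
]


def match_rules(cmdline: str):
    """Return the names of every rule whose regex matches the command line."""
    return [name for name, rx, _ in COMPILED if rx.search(cmdline)]


def hunt(events, rules=COMPILED):
    """Run the rule set over events; one hit per (event, rule) pair."""
    hits = []
    for ev in events:
        for name, rx, sev in rules:
            if rx.search(ev["cmdline"]):
                hits.append({"rule": name, "severity": sev, "host": ev["host"],
                             "user": ev["user"], "parent": ev["parent"],
                             "cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for h in hunt(EVENTS):
        print(f'[{h["severity"]}] {h["rule"]:<30} {h["host"]:<10} {h["user"]:<18} '
              f'parent={h["parent"]:<14} {h["cmdline"]}')
```

On the constructed events the five malicious command lines each trip exactly one rule and the two benign lookalikes (a `schtasks /query` and a `wevtutil qe`) trip none. The `parent` field is carried through so the Impacket rule can be tightened in practice: wmiexec spawns its `cmd.exe` under WmiPrvSE.exe and smbexec under services.exe, and requiring one of those parents cuts false positives from administrators who happen to redirect output to a share.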
The Russian GRU continues to evolve its toolkit and expand its targeting, with logistics and IT firms now at the forefront of its intelligence collection against Western support for Ukraine.
“Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected,” the advisory concludes.
Organizations in the logistics, defense, and tech sectors should treat themselves as high-value targets and reinforce their security posture accordingly.