The Canadian Centre for Cyber Security (Cyber Centre) has joined the United States’ National Security Agency (NSA) and multiple international partners in issuing the following joint advisory.
The advisory concerns Russian state-sponsored cyber activity targeting Western logistics providers and IT companies, particularly those involved in delivering foreign assistance to Ukraine.
Known targets include government organizations and commercial entities in NATO member states and Ukraine as well as international organizations. Target sectors include:
- the defence industry
- transportation and transportation hubs, such as ports and airports
- the maritime sector
- air traffic management
- IT services
The espionage-oriented cyber campaign is attributed to a group (military unit 26165) within the Russian General Staff Main Intelligence Directorate (GRU). This unit is commonly known to the cyber security community as APT28, Fancy Bear, Forest Blizzard or Blue Delta.
The campaign uses a mix of tactics, techniques and procedures (TTPs) previously used by unit 26165, including:
- password spraying
- spearphishing
- modification of Microsoft Exchange mailbox permissions
The advisory warns executives and network defenders at logistics providers and technology companies to:
- be aware of the increased threat
- adjust their cyber security posture with a presumption of targeting
- increase monitoring and threat-hunting for the TTPs and indicators of compromise listed in this advisory
- take the recommended mitigation actions
Read the full joint advisory: Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF).