Today we have released a joint advisory outlining the tactics, techniques and procedures (TTPs) of a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies.
For over two years, the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—commonly known in the cyber security community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted a campaign against those involved in the coordination, transport, and delivery of foreign assistance to Ukraine.
TTPs include reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. ASD expects similar targeting and TTP use to continue.
The GRU unit 26165 cyber campaign has targeted numerous government and private/commercial entities across air, sea, and rail. Actors have targeted entities associated with the following sectors:
- Defence industry
- Transportation and transportation hubs (ports, airports, etc.)
- Maritime
- Air traffic management
- IT services
Read the advisory to find out more and for a full list of MITRE ATT&CK techniques and exploited CVEs.