Unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), military unit 26165, also known as APT28, is behind a massive, ongoing hacking campaign, according to a new joint cybersecurity advisory from several European allies together with the United States and United Kingdom.
Since at least 2022, the campaign has targeted Western logistics and technology firms involved in the transportation and delivery of aid to Ukraine.
The GRU hackers use a variety of methods to gain access to targeted organizations, including spearphishing campaigns, credential-guessing attacks, exploitation of software vulnerabilities in products such as Microsoft Outlook and WinRAR, and tricking staff into installing custom malware.
Critically, the advisory notes the group’s attempts to access live feeds from internet-connected cameras, both personal devices and public traffic-monitoring cameras, located close to key transportation points such as Ukrainian border crossings, military sites and rail stations. More than 10,000 cameras, mainly in Ukraine but also in neighbouring Poland and Romania, are believed to have been affected.
By hacking these IP cameras, the GRU sought to monitor and track aid shipments entering Ukraine, collecting intelligence on the type, volume and timing of deliveries. That intelligence could be used to refine battlefield strategies, coordinate physical attacks on supply lines, or support further cyber operations against the delivery network.
“It’s the same shit,” as Robert Lee put it to me, and “same shit” is rarely an uninteresting thing to disseminate, because it tends to get effective results. The report also serves as a reminder of the ongoing nature of this threat and appears aimed at encouraging organizations working on the ground to invest in their own cybersecurity defenses.
Best practices for mitigating this threat are becoming even more important and include the following: deploy zero-trust architectures, keep all systems and software up to date and patched, disable any remote access that is not necessary, secure all IP cameras with strong credentials, place devices behind firewalls, and keep monitoring for anomalous network-based reconnaissance.
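As an added illustration of the last two practices (example code, not part of the advisory or this article), the Python below runs two simple detections over constructed log lines: a credential-guessing burst against a camera, and one source fanning out across many camera hosts and ports. The log format, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample camera/firewall log lines (not from the advisory): ts src dst port event
SAMPLE_LOG = """\
2025-05-20T10:00:01 203.0.113.7 192.0.2.10 80 AUTH_FAIL
2025-05-20T10:00:03 203.0.113.7 192.0.2.10 80 AUTH_FAIL
2025-05-20T10:00:05 203.0.113.7 192.0.2.10 80 AUTH_FAIL
2025-05-20T10:00:06 203.0.113.7 192.0.2.10 80 AUTH_FAIL
2025-05-20T10:00:08 203.0.113.7 192.0.2.10 80 AUTH_FAIL
2025-05-20T10:00:09 203.0.113.7 192.0.2.10 80 AUTH_OK
2025-05-20T10:05:00 198.51.100.4 192.0.2.10 554 CONNECT
2025-05-20T10:05:01 198.51.100.4 192.0.2.11 554 CONNECT
2025-05-20T10:05:01 198.51.100.4 192.0.2.12 554 CONNECT
2025-05-20T10:05:02 198.51.100.4 192.0.2.13 80 CONNECT
2025-05-20T10:05:03 198.51.100.4 192.0.2.14 8080 CONNECT
2025-05-20T11:00:05 192.0.2.50 192.0.2.10 80 AUTH_OK
"""

def parse(text):
    for line in text.splitlines():
        ts, src, dst, port, event = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), event

def detect(text, window=timedelta(minutes=5), fail_threshold=5, fanout_threshold=5):
    """Return [(rule, source_ip)]; log lines are assumed to be in time order."""
    fails, oks, targets = defaultdict(list), defaultdict(list), defaultdict(list)
    for ts, src, dst, port, event in parse(text):
        if event == "AUTH_FAIL":
            fails[src].append(ts)
        elif event == "AUTH_OK":
            oks[src].append(ts)
        targets[src].append((ts, (dst, port)))
    findings = []
    for src, times in fails.items():
        # Credential guessing: fail_threshold failures in one window; a success in that window is called out
        for i in range(len(times) - fail_threshold + 1):
            if times[i + fail_threshold - 1] - times[i] <= window:
                hit = any(times[i] <= t <= times[i] + window for t in oks[src])
                findings.append(("credential_guessing_then_success" if hit
                                 else "credential_guessing", src))
                break
    for src, hits in targets.items():
        # Reconnaissance: one source touching fanout_threshold distinct host:port pairs in a window
        for i, (start, _) in enumerate(hits):
            seen = {t for ts, t in hits[i:] if ts - start <= window}
            if len(seen) >= fanout_threshold:
                findings.append(("network_reconnaissance", src))
                break
    return findings
```

Tune the window and thresholds to the camera population being watched; a single operator session will not trip either rule, while a scan across a site's cameras or a burst of bad passwords will.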
This revelation highlights the multiphased character of Russia’s aggression against Ukraine, from the physical battlefield to the cyber domain. The focus on logistical supply lines underscores both the importance of Western aid to Ukraine’s defense and Russia’s determination to interfere with that support.
Cybersecurity specialists caution that such espionage efforts will persist, and that continued vigilance and preventative measures will be needed from everyone involved.