Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022.
The activity has been assessed to be the work of APT28 (also known as BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center, military unit 26165.
The campaign's targets include companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine, according to a joint advisory published by agencies from Australia, Canada, the Czech Republic, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States.
"This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely ...," the advisory said.
The warning comes weeks after France's foreign ministry accused APT28 of mounting cyberattacks against a dozen entities, including ministries, defense firms, research entities, and think tanks, since 2021 in an attempt to destabilize the nation.
Then last week, ESET took the wraps off a campaign dubbed Operation RoundPress, which it said has been ongoing since 2023 and uses cross-site scripting (XSS) vulnerabilities in various webmail servers, such as Roundcube, Horde, MDaemon, and Zimbra, to target governmental entities and defense companies in Eastern Europe, as well as governments in Africa, Europe, and South America.
According to the latest advisory, the cyberattacks orchestrated by APT28 involve a combination of password spraying, spear-phishing, and modifications to Microsoft Exchange mailbox permissions for espionage purposes.
The primary targets of the campaign include organizations in NATO member states and Ukraine, spanning the defense, transportation, maritime, air traffic management, and IT services verticals. At least dozens of entities in Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the U.S. are estimated to have been targeted.
Initial access to the target networks is said to have been obtained using seven different methods:
- Brute-force attacks to guess credentials
- Spear-phishing attacks for credential harvesting, using fake login pages impersonating government agencies and Western cloud email providers
- Spear-phishing attacks to deliver malware
- Exploitation of the Outlook NTLM vulnerability (CVE-2023-23397)
- Exploitation of Roundcube vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
- Exploitation of internet-facing infrastructure
- Exploitation of the WinRAR vulnerability (CVE-2023-38831)
Once unit 26165 actors establish a foothold using one of the above methods, the attacks move to the post-exploitation stage, which includes reconnaissance to identify additional targets in key positions, the people responsible for coordinating transport, and other companies that cooperate with the victim.
The attackers have also been observed using tools such as PsExec and Remote Desktop Protocol (RDP) for lateral movement, as well as Certipy and ADExplorer.exe to exfiltrate information from Active Directory.
"The actors took steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection," the agencies said. "The actors used manipulation of mailbox permissions to establish sustained email collection at compromised logistics entities."
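The mailbox-permission manipulation described above leaves a trail in the Microsoft 365 Unified Audit Log, because every grant is an Exchange cmdlet invocation. The script below is an added hunting example, not code from the advisory or the agencies: it reads audit records as one JSON object per line and flags grants that give a principal read access to another user's mailbox or folder, with an allowlist for accounts that are expected to manage permissions. The field names (Operation, UserId, CreationTime, ObjectId, Parameters with Name/Value pairs) follow the Unified Audit Log schema; the sample records at the bottom are constructed for this example, and the account names in them are placeholders.

```python
"""Hunt for mailbox-permission grants that could set up sustained email collection.

Reads Microsoft 365 Unified Audit Log records for the Exchange workload
(one JSON object per line) and flags cmdlets that grant a principal read
access to someone else's mailbox or folder. The field names used here
(Operation, UserId, CreationTime, ObjectId, Parameters[].Name/Value)
follow the Unified Audit Log schema; the log lines at the bottom are
constructed for this example, not real audit data.
"""
import json

# Exchange cmdlets that give another principal access to a mailbox or folder.
PERMISSION_GRANTS = {
    "Add-MailboxPermission",
    "Add-MailboxFolderPermission",
    "Set-MailboxFolderPermission",
}

# Access rights that allow reading mail.
READ_RIGHTS = {"FullAccess", "Owner", "PublishingEditor", "Editor",
               "Author", "Reviewer"}

# Grantees that expose a folder to every authenticated user / everyone.
BROAD_GRANTEES = {"Default", "Anonymous"}


def _parameters(record):
    """Flatten the UAL Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _rights(value):
    """Parse 'FullAccess' or '{FullAccess, ReadPermission}' into a set."""
    return {r.strip() for r in value.strip("{}").split(",") if r.strip()}


def find_suspicious_grants(lines, allowed_admins=frozenset()):
    """Return one finding per permission grant that confers read access.

    allowed_admins: lower-case UPNs of accounts expected to manage mailbox
    permissions; grants made by them are skipped so the output concentrates
    on unexpected actors (a helpdesk service account, or a user granting
    themselves access to colleagues' mailboxes).
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in PERMISSION_GRANTS:
            continue
        actor = rec.get("UserId", "")
        if actor.lower() in allowed_admins:
            continue
        params = _parameters(rec)
        rights = _rights(params.get("AccessRights", "")) & READ_RIGHTS
        if not rights:
            continue
        grantee = params.get("User", "")
        findings.append({
            "time": rec.get("CreationTime"),
            "actor": actor,
            "operation": rec["Operation"],
            "mailbox": params.get("Identity", rec.get("ObjectId")),
            "grantee": grantee,
            "rights": sorted(rights),
            # Default/Anonymous on a folder means anyone can read it.
            "broad_grant": grantee in BROAD_GRANTEES,
        })
    return findings


# Constructed sample records (not real audit data); example.com accounts are placeholders.
SAMPLE_LOG = r"""
{"CreationTime":"2025-03-03T06:12:44","Workload":"Exchange","Operation":"Add-MailboxPermission","UserId":"svc-helpdesk@example.com","ObjectId":"transport.coord@example.com","Parameters":[{"Name":"Identity","Value":"transport.coord@example.com"},{"Name":"User","Value":"j.doe@example.com"},{"Name":"AccessRights","Value":"FullAccess"},{"Name":"InheritanceType","Value":"All"}]}
{"CreationTime":"2025-03-03T06:13:01","Workload":"Exchange","Operation":"Add-MailboxFolderPermission","UserId":"j.doe@example.com","ObjectId":"logistics.lead@example.com:\\Inbox","Parameters":[{"Name":"Identity","Value":"logistics.lead@example.com:\\Inbox"},{"Name":"User","Value":"Default"},{"Name":"AccessRights","Value":"Reviewer"}]}
{"CreationTime":"2025-03-03T06:15:27","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"admin@example.com","ObjectId":"someone@example.com","Parameters":[{"Name":"Identity","Value":"someone@example.com"},{"Name":"ProhibitSendQuota","Value":"50 GB"}]}
{"CreationTime":"2025-03-03T06:16:02","Workload":"Exchange","Operation":"Add-MailboxPermission","UserId":"admin@example.com","ObjectId":"shared-ops@example.com","Parameters":[{"Name":"Identity","Value":"shared-ops@example.com"},{"Name":"User","Value":"ops-team@example.com"},{"Name":"AccessRights","Value":"FullAccess"}]}
"""

if __name__ == "__main__":
    for finding in find_suspicious_grants(SAMPLE_LOG.splitlines(),
                                          allowed_admins={"admin@example.com"}):
        print(finding)
```

Two of the constructed records are the patterns worth prioritizing: a service account handing FullAccess on a transport coordinator's mailbox to an ordinary user, and a user granting the Default principal Reviewer rights on someone else's Inbox, which opens that folder to every authenticated account in the tenant. Set-Mailbox and the admin's own grant to a team mailbox drop out once the allowlist is applied.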
Another notable aspect of the intrusions is the use of malware such as HeadLace and MASEPIE to establish persistence on compromised hosts and harvest data. There is no evidence that other malware variants, such as OCEANMAP and STEELHOOK, were used to directly target the logistics or IT sectors.
For data exfiltration, the threat actors relied on different methods depending on the victim environment, often using PowerShell commands to create ZIP archives for uploading the collected data to their own infrastructure, or using Exchange Web Services (EWS) and the Internet Message Access Protocol (IMAP).
"As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine's territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid," the agencies said. "These actors have also targeted internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments."
The disclosure comes as Cato Networks revealed that suspected threat actors are using Tigris Object Storage, Oracle Cloud Infrastructure (OCI) Object Storage, and Scaleway Object Storage to host fake reCAPTCHA pages that use ClickFix-style lures to trick users into downloading Lumma Stealer.
"The latest campaign leveraging Tigris Object Storage, OCI Object Storage, and Scaleway Object Storage builds on earlier methods, introducing new delivery mechanisms aimed at evading detection and targeting technically savvy users," said Guile Domingo, Guy Waizel, and Tomer Agayev.