Russia’s attacks on Ukraine are relentless, despite ongoing peace negotiations. Recently, Western security agencies have issued a stark warning about a Moscow-backed cyber campaign targeting logistics and tech companies in the West.
This operation is linked to Unit 26165 of the Russian GRU, known as Fancy Bear. They’re employing tactics like credential guessing, spear-phishing, and exploiting vulnerabilities in Microsoft Exchange and public infrastructure, including VPNs. This cyber activity likely began in early 2022, primarily focused on espionage. But as Russia’s military ambitions faltered, Fancy Bear expanded their focus to include organizations supporting Ukraine’s defense. Over the past three years, they’ve targeted air traffic control, airports, and defense sectors across NATO countries.
Fancy Bear is also trying to access internet-connected cameras at Ukraine’s border and military sites. While most intrusions are in Ukraine, neighboring states like Hungary, Poland, Romania, and Slovakia have also experienced attacks. Paul Chichester, Director of Operations at the UK’s National Cyber Security Centre (NCSC), stressed that organizations need to understand these tactics to protect themselves. “This campaign presents a serious risk to organizations delivering aid to Ukraine,” he said.
Richard Horne, CEO of NCSC, recently linked Russian cyberattacks to physical threats in the UK, highlighting sabotage and arson as tactics being used.
Rafe Pilling, a director at Sophos, noted that Fancy Bear’s use of spear-phishing and vulnerability exploitation is a long-standing strategy. He pointed out that the group’s focus has shifted since the conflict began, as Ukraine has become a major target.
“The targeting of IP cameras is particularly interesting,” Pilling observed, noting it could aid Russia’s understanding of logistics and support military operations. Other advanced threat actors have used similar tactics in the past to monitor the impacts of their attacks.
The NCSC reaffirmed the UK’s commitment to Ukraine, having already pledged £13 billion in military aid and recently announcing 100 new sanctions on Russia affecting energy and military-related entities. This statement follows a significant drone attack on Ukraine, initiated shortly before a scheduled call between Putin and US President Donald Trump.
The full advisory outlines Fancy Bear’s tactics and details the vulnerabilities they’re exploiting. It’s co-signed by cybersecurity agencies from several countries, including the UK and US, as part of a broader effort to combat this emerging threat.