A notorious Russian cyber-espionage group has been formally blamed for a cyber intrusion campaign targeting critical infrastructure, defense sectors, and logistics networks across more than a dozen countries, according to a joint cybersecurity advisory, co-authored by 21 intelligence and cybersecurity agencies from 11 countries.
The advisory attributed the widespread attacks to Russia’s military intelligence unit known as the 85th Main Special Service Center (GTsSS), Military Unit 26165, part of the GRU. The group, long tracked under codenames such as Fancy Bear, APT28, and BlueDelta, is accused of attempting break-ins at dozens of strategic targets, particularly in NATO member states, Ukraine, and international organizations.
The cyber offensive reportedly struck dozens of entities, spanning both government and private sectors, particularly within:
- Defense industry
- Maritime and aviation transport
- Railway systems
- Air traffic management
- IT services and infrastructure
Organizations in countries such as France, Germany, Italy, Poland, Romania, Ukraine, and the United States, among others, were affected. The hackers leveraged their access to municipal traffic and private surveillance cameras, including those near military sites, rail stations, and border crossings, to monitor and track material movements into Ukraine.
While no successful breaches of industrial control systems were confirmed, the advisory noted that the group had conducted reconnaissance on entities involved in the production of railway management systems.
The techniques used in the campaign included:
- Credential guessing and brute-force attacks
- Spear-phishing for credentials and malware delivery
- Exploitation of Microsoft Outlook (CVE-2023-23397)
- Exploitation of Roundcube webmail flaws (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)
- Abuse of corporate VPNs and Internet-facing systems via known vulnerabilities
- SQL injection attacks
- Exploitation of WinRAR (CVE-2023-38831)
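Credential guessing and brute-force attempts, the first technique in the list above, are among the easiest to spot in authentication logs if the data is actually correlated. The following Python example is an added illustration, not code from the advisory or from any of the authoring agencies: it parses constructed sample log lines (the timestamp/result/user/source format and all addresses are invented for this example) and flags two patterns that defenders typically want separated, a single source hammering one account, and a single source trying a few guesses against many accounts (password spraying). It also records when a flagged source/account pair later logs in successfully, which is the case that needs immediate follow-up.

```python
"""Flag credential guessing in authentication logs.

Added example with constructed sample data; the log format below is a
simplified stand-in for whatever your IdP, VPN or mail gateway emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <FAIL|OK> <user> <source address>".
# 203.0.113.7 brute-forces one account and then succeeds; 198.51.100.9 sprays
# one guess across several accounts; 192.0.2.5 is a user mistyping a password.
SAMPLE_LOG = """\
2025-05-20T10:00:01 FAIL alice 203.0.113.7
2025-05-20T10:00:03 FAIL alice 203.0.113.7
2025-05-20T10:00:05 FAIL alice 203.0.113.7
2025-05-20T10:00:08 FAIL alice 203.0.113.7
2025-05-20T10:00:10 FAIL alice 203.0.113.7
2025-05-20T10:00:12 OK alice 203.0.113.7
2025-05-20T10:01:00 FAIL bob 192.0.2.5
2025-05-20T10:01:30 OK bob 192.0.2.5
2025-05-20T10:05:00 FAIL carol 198.51.100.9
2025-05-20T10:05:20 FAIL dave 198.51.100.9
2025-05-20T10:05:40 FAIL erin 198.51.100.9
2025-05-20T10:06:00 FAIL frank 198.51.100.9
2025-05-20T10:06:20 FAIL grace 198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")


def parse_log(text):
    """Return a list of (timestamp, result, user, source) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Flag (source, user) pairs with >= threshold failures inside a sliding window.

    Returns {(source, user): {"failures": n, "success_after": bool}}; the
    success flag is set if the same pair later authenticates successfully.
    """
    recent = defaultdict(deque)  # (source, user) -> failure timestamps in window
    hits = {}
    for ts, result, user, src in sorted(events):
        key = (src, user)
        if result == "FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                hits[key] = {"failures": len(q), "success_after": False}
        elif result == "OK" and key in hits:
            hits[key]["success_after"] = True
    return hits


def detect_spray(events, window=timedelta(minutes=10), min_users=4):
    """Flag sources that fail against >= min_users distinct accounts in a window.

    Per-account thresholds miss this pattern, because each account sees only
    one or two failures. Returns {source: set_of_targeted_users}.
    """
    recent = defaultdict(deque)  # source -> (timestamp, user) failures in window
    hits = {}
    for ts, result, user, src in sorted(events):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_users:
            hits[src] = users
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for (src, user), info in detect_bruteforce(events).items():
        tag = "COMPROMISE LIKELY" if info["success_after"] else "blocked so far"
        print(f"brute force: {src} -> {user}: {info['failures']} failures ({tag})")
    for src, users in detect_spray(events).items():
        print(f"password spray: {src} -> {len(users)} accounts: {sorted(users)}")
```

The two thresholds are deliberately separate knobs: a brute-force rule keyed on (source, user) and a spray rule keyed on source alone catch different behaviour, and tuning them independently keeps the benign single failure from `bob` out of both lists. In a real deployment the same logic would run over federated sign-in, VPN and webmail logs together, since the advisory notes that mail and VPN endpoints were among the targets.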
Hackers also hijacked small office/home office (SOHO) routers and devices located near targeted sites to obfuscate their activity and proxy malicious traffic, increasing the campaign's stealth and persistence.