A joint cybersecurity advisory from the United States and allied countries revealed that the Russian General Staff Main Intelligence Directorate 85th Main Special Service Center, also known as APT28, Fancy Bear and Forest Blizzard in the cybersecurity community, launched a cyber-espionage campaign targeting Western government organizations, commercial logistics entities, transportation services and technology companies, including those involved in providing assistance to Ukraine.
The National Security Agency, one of the authors of the CSA, said Wednesday that the Russian state-sponsored cyber actor uses password spraying, spearphishing and modification of Microsoft Exchange mailbox permissions, among other previously disclosed and novel tactics, techniques and procedures—a.k.a. TTPs—to infiltrate target entities.
Cyber Risk Mitigation
The advisory urged at-risk organizations to increase monitoring and threat hunting for known TTPs and indicators of compromise to defend against potential cyberattacks. Recommended security mitigations include employing network segmentation and restrictions to limit access; considering zero trust principles when designing systems; collecting and monitoring Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly; and strengthening and refining the processes that manage digital identities and control access.
The CSA identified the countries with targeted entities, including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine and the United States.
Cyber Operations Linked to Russia-Ukraine Conflict
According to the advisory, the Russian cyber group likely used access to internet-connected private cameras in Ukraine and those near bordering crossings, military installations and rail stations to track the movement of materials into Kyiv. The actors targeted Real-Time Streaming Protocol servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices and gain access to the cameras’ feeds, the CSA added.
To defend against the malicious activity, the advisory recommended applying security patches and firmware updates to all IP cameras, disabling remote access and using a firewall to prevent communication with the camera from IP addresses not on an allowlist.
The CSA’s authoring agencies include the NSA, the FBI, the U.K. National Cyber Security Centre, the German Federal Intelligence Service, the Czech Republic Military Intelligence, the Polish Internal Security Agency and the Australian Cyber Security Centre.
