Hackers belonging to Russia’s Main Intelligence Directorate (GRU), known as APT28, Fancy Bear and Sednit, have been conducting a cyber espionage campaign targeting Western logistics and technology companies involved in supporting Ukraine. Active since 2022, the group has targeted organizations coordinating, transporting, and delivering foreign aid to Ukraine. This campaign has been acknowledged by cybersecurity agencies from multiple countries, including the United States, United Kingdom, and several European nations.
APT28 has employed a variety of tactics to gain initial access to targeted networks. These include brute-force attacks to guess credentials, spear-phishing campaigns that mimic government agencies or cloud service providers to harvest login information, and the exploitation of known vulnerabilities in software. Additionally, they have targeted internet-facing infrastructure such as corporate VPNs using public vulnerabilities and SQL injection techniques.
Once inside a network, APT28 conducts reconnaissance to identify individuals and systems involved in logistics and aid coordination. They then move laterally within the network, exploiting further vulnerabilities and exfiltrating sensitive information. The campaign has compromised dozens of entities across various countries, including Bulgaria, Czechia, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States.
This cyber espionage effort is part of a broader strategy by Russian military intelligence to gather intelligence on Western support for Ukraine. The UK's National Cyber Security Centre has emphasized the serious risk posed by this campaign to organizations involved in aid delivery. The coordinated response from international cybersecurity agencies highlights the importance of vigilance and robust security measures to protect against such sophisticated threats.
Source: Bleeping Computer
Analysis
While APT28's interest in targeting Western logistics and tech companies supporting Ukraine aligns predictably with Russia’s broader strategic intelligence goals, this campaign does show some notable and evolving characteristics that distinguish it from past operations.
What makes this campaign unique is its clear integration with tactical military objectives. Rather than collecting intelligence indiscriminately, APT28 is pursuing data with a direct impact on wartime logistics. This represents a more operationalized use of cyber capabilities—not just for long-term espionage, but to potentially interfere with or better understand the supply chains sustaining Ukraine’s defense. It signals a deeper coupling of cyber operations with real-time military strategy.
The technical execution of the campaign also reflects a notable evolution in APT28’s methods. While the group still uses traditional techniques such as spear-phishing and credential brute-forcing, this campaign has expanded its use of diverse vulnerabilities across a range of platforms. Notable exploits include CVE-2023-23397 (a Microsoft Outlook vulnerability), multiple flaws in Roundcube webmail from as far back as 2020 (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026), and a WinRAR vulnerability from 2023 (CVE-2023-38831). They also utilized SQL injection and attacks on unpatched VPN appliances.
This flexibility demonstrates a broad, opportunistic approach to initial access—one that goes beyond APT28’s older, more phishing-centric playbooks.
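The WinRAR flaw named above, CVE-2023-38831, is abused through archives whose layout is itself the detection signature: a decoy file entry whose name (typically with a trailing space) is also used as a directory holding a script. The following triage scanner is an added example, not code from the original post or from Field Effect; it assumes ZIP containers (Python's zipfile does not read RAR) and uses constructed, harmless fixtures rather than real samples.

```python
import io
import posixpath
import zipfile

# Extensions that would be handed to the shell if launched from the lure folder.
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".exe", ".ps1", ".scr", ".lnk"}


def parent_dirs(name: str) -> set:
    """All directory prefixes of an entry name: 'a/b/c' -> {'a', 'a/b'}."""
    parts = name.rstrip("/").split("/")
    return {"/".join(parts[:i]) for i in range(1, len(parts))}


def scan_archive(zip_bytes: bytes) -> dict:
    """Flag the CVE-2023-38831 lure layout: a file entry whose name is also a
    directory, with script-type files inside it. Also report any path component
    carrying trailing whitespace, which legitimate archives almost never have."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    files = [n for n in names if not n.endswith("/")]
    dirs = set()
    for n in names:
        dirs |= parent_dirs(n)            # implicit directories
        if n.endswith("/"):
            dirs.add(n.rstrip("/"))       # explicit directory entries
    findings = []
    for f in files:
        if f in dirs:
            nested = [n for n in files if n.startswith(f + "/")
                      and posixpath.splitext(n.rstrip())[1].lower() in SCRIPT_EXTS]
            findings.append({"decoy": f, "directory": f + "/", "scripts": nested})
    trailing_ws = sorted(
        n for n in names if any(p != p.rstrip() for p in n.rstrip("/").split("/"))
    )
    return {"suspicious_pairs": findings, "trailing_whitespace": trailing_ws}


def build_fixture() -> bytes:
    """Constructed archive mirroring the reported layout; contents are plain text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf ", "placeholder decoy text")
        zf.writestr("invoice.pdf /invoice.pdf .cmd", "placeholder text")
    return buf.getvalue()


def build_clean_fixture() -> bytes:
    """Constructed ordinary archive that should produce no findings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", "placeholder text")
        zf.writestr("docs/readme.txt", "placeholder text")
    return buf.getvalue()
```

Run `scan_archive` over attachments at the mail gateway or on quarantined downloads; a non-empty `suspicious_pairs` list is worth an analyst's look even when the decoy is a real document.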
Another unique element is the scale and speed of the operation. The campaign spans at least 14 countries and targets organizations in both the private and public sectors. This wide reach, combined with the apparent coordination and consistent targeting methodology, suggests APT28 has improved its operational efficiency—possibly through automation or tighter collaboration with other Russian cyber entities. It marks a shift from smaller, isolated attacks to a more orchestrated and high-tempo campaign.
Finally, the group’s post-exploitation behavior reflects deliberate and focused intelligence collection. Once inside a network, APT28 reportedly conducts reconnaissance to pinpoint individuals and systems directly involved in logistics and aid. Rather than simply exfiltrating everything, they appear to be targeting specific, high-value data related to the movement and coordination of military supplies. This selective behavior further supports the idea that this campaign is task-driven, with clearly defined goals aimed at supporting Russian military operations in Ukraine.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for threats stemming from sophisticated threat actors like APT28. Field Effect MDR users are automatically notified if threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect recommends that governments and organizations in Ukraine, and those in support of Ukraine, adopt a heightened security posture towards cybersecurity given the threat posed by Russian state-sponsored cyber actors. We encourage all organizations to review the U.S. Cybersecurity & Infrastructure Security Agency (CISA) ShieldsUp program, which provides robust guidance for preparing, responding to, and mitigating the impacts of Russian state-sponsored cyberattacks.