Intelligence and cybersecurity agencies from 10 countries have warned in a joint advisory that a cyberespionage group operated by Russia’s military intelligence service, the GRU, has been targeting logistics and IT companies for the past three years. Known in the security industry as APT28 and Fancy Bear, the threat actor has been attacking these targets using a variety of initial access techniques, including password spraying, spearphishing and exploitation of vulnerabilities in popular software.
“As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 [of the Russian GRU 85th GTsSS] expanded its targeting of logistics entities and technology companies involved in the delivery of aid,” the advisory read. “These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.”
The targets included dozens of government organizations and commercial entities involved in transporting goods by air, sea and rail. These included defense industry companies, shipping and logistics companies, air traffic management agencies and IT services firms. The countries targeted were Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine and the US.
Attacks go back three years
The targeting of these entities started in February 2022, when the report’s authoring agencies noted an increase in cyber operations by Russian threat actors, including APT28. After compromising a target, the attackers went on to target its business partners, abusing the trust relationships between the organizations to gain access.
“Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting,” the advisory stated.
The hackers often compromised small office/home office (SOHO) routers located near their targets and used them as proxies for their malicious activity so as to hide their true geolocation. Anonymization networks such as Tor and VPNs were also used.
Credential guessing and spearphishing
The attackers used credential guessing, in particular password spraying (trying a small set of common passwords against many accounts, which avoids the lockouts that per-account brute forcing would trigger), to gain initial access to accounts. This was complemented with targeted phishing emails that directed recipients to fake login pages impersonating government entities or Western cloud email providers. These phishing pages were hosted on free web hosting services or on compromised routers.
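The distinguishing shape of a password spray is the opposite of a classic brute force: many accounts, few attempts each, from one source. The following detector, added here as an example and not taken from the advisory or the article, runs that logic over a few constructed authentication log lines (the `src=… user=… result=…` format is an assumption made for the example, not any product’s real log format) and separately reports which sprayed accounts then logged in successfully.

```python
# Added example (not from the advisory or the article): a minimal password-spray
# detector over constructed authentication log lines. A spray shows up as many
# distinct accounts failing from one source with only one or two attempts per
# account, the inverse of a classic per-account brute force.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the "src=... user=... result=..." format is an
# assumption made for this example, not a real product's log format.
SAMPLE_LOG = """\
2025-03-04T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2025-03-04T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2025-03-04T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2025-03-04T10:00:07Z src=203.0.113.5 user=dave result=FAIL
2025-03-04T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2025-03-04T10:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2025-03-04T10:05:00Z src=198.51.100.7 user=alice result=FAIL
2025-03-04T10:05:02Z src=198.51.100.7 user=alice result=FAIL
2025-03-04T10:05:04Z src=198.51.100.7 user=alice result=FAIL
2025-03-04T10:05:06Z src=198.51.100.7 user=alice result=FAIL
2025-03-04T10:05:08Z src=198.51.100.7 user=alice result=FAIL
2025-03-04T11:30:00Z src=192.0.2.9 user=alice result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")


def parse_auth_log(log_text):
    """Yield (timestamp, src, user, result), skipping lines that don't parse."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src: sorted sprayed users} for every source that, within any
    sliding window, failed against >= min_users distinct accounts while no
    single account saw more than max_per_user attempts."""
    fails = defaultdict(list)
    for ts, src, user, result in sorted(parse_auth_log(log_text)):
        if result == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, events in fails.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = sorted(per_user)
                break
    return hits


def spray_successes(log_text, hits):
    """Accounts that authenticated successfully from a spraying source: the
    alert that matters, because it means the spray found a valid password."""
    landed = defaultdict(list)
    for _, src, user, result in sorted(parse_auth_log(log_text)):
        if src in hits and result == "SUCCESS":
            landed[src].append(user)
    return dict(landed)


if __name__ == "__main__":
    sprays = detect_spray(SAMPLE_LOG)
    print("spraying sources:", sprays)
    print("successful logins from sprayers:", spray_successes(SAMPLE_LOG, sprays))
```

In the sample, 203.0.113.5 trips the rule (five accounts, one attempt each, inside ten minutes) and its later success against `frank` is the event worth paging on; 198.51.100.7 hammers a single account and is a brute force, not a spray, so it is left for a different rule.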
The hackers also sent spearphishing emails with malicious attachments that delivered malware known as HEADLACE and MASEPIE. Targets in Ukraine also received additional malware called OCEANMAP and STEELHOOK. The attackers often used DLL search order hijacking to execute these programs: a legitimate executable is delivered together with a malicious DLL that carries the name of a library the executable loads at startup. Because Windows looks in the application’s own directory before the system directories, the malicious DLL is loaded and its code runs as soon as the legitimate program is launched.
Exploitation of known vulnerabilities
APT28 also exploited software vulnerabilities to gain initial access. For example, the attackers sent specially crafted Outlook calendar invitations that exploited CVE-2023-23397, an Outlook vulnerability that makes the client authenticate to an attacker-controlled server when a reminder fires, without the user opening the message, leaking the user’s Net-NTLMv2 hash, which can then be cracked offline or relayed to other services.
Three flaws in Roundcube, a popular open-source webmail package, were also exploited: CVE-2020-12641, a command injection that allowed arbitrary shell commands to be executed on the mail server, together with CVE-2020-35730 (cross-site scripting) and CVE-2021-44026 (SQL injection). Meanwhile, the CVE-2023-38831 WinRAR vulnerability was exploited to execute arbitrary code when users opened a seemingly harmless file inside a specially crafted archive: the archive contains a decoy file and a folder of the same name holding a script, and vulnerable WinRAR versions ran the script instead of opening the decoy.
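Because the WinRAR flaw depends on a specific archive layout rather than on malformed bytes, it can be hunted structurally. The following check is an added example, not code from the advisory or from WinRAR: it inspects a ZIP’s entry names for a file entry paired with a same-named directory that holds a script whose name starts with the decoy’s. The archives it builds in memory contain placeholder bytes only and exist so the check can be exercised offline; the executable-extension list is an assumption to tune.

```python
# Added example (not from the advisory): a structural check for ZIP archives
# carrying the CVE-2023-38831 layout, which pairs a decoy file with a directory
# of the same name that contains a script whose name begins with the decoy's.
# The test archive built here holds placeholder bytes only; it exists so the
# check can be exercised offline.
import io
import posixpath
import zipfile

# Extensions Windows will execute on open; treat the list as an assumption to tune.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk", ".com"}


def build_trigger_layout(lure="invoice.pdf"):
    """Construct (in memory) an archive with the suspicious layout: the
    trailing space after the lure name is part of the published pattern."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(lure + " ", b"%PDF-1.4 placeholder decoy, no real content")
        zf.writestr(lure + " /" + lure + " .cmd", b"echo placeholder\r\n")
    return buf.getvalue()


def build_benign_layout():
    """A harmless archive that also has a file and a same-named directory,
    to show the check keys on the script, not just the name collision."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("report.pdf/notes.txt", b"reviewer notes")
    return buf.getvalue()


def find_decoy_script_pairs(zip_bytes):
    """Return [(decoy_entry, script_entry)] for every file entry that has a
    same-named directory holding a script whose name starts with the decoy's."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    pairs = []
    for decoy in names:
        decoy_base = posixpath.basename(decoy)
        for other in names:
            if other == decoy or not other.startswith(decoy + "/"):
                continue
            other_base = posixpath.basename(other)
            ext = posixpath.splitext(other_base.rstrip())[1].lower()
            if other_base.startswith(decoy_base) and ext in SCRIPT_EXTS:
                pairs.append((decoy, other))
    return pairs


def names_with_trailing_space(zip_bytes):
    """Entries whose basename ends in a space: unusual in legitimate archives
    and part of the published trigger layout, so worth flagging on its own."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if posixpath.basename(i.filename.rstrip("/")).endswith(" ")]
```

Run at a mail gateway or on a sandbox’s file queue, a non-empty result from `find_decoy_script_pairs` is worth quarantining regardless of what the decoy looks like; the trailing-space check is a cheaper, noisier pre-filter.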
Lateral movement and email spying
Once they had compromised a system, the attackers moved laterally through the network by dumping credentials and using tools that were already present on the systems or are commonly used for system administration, an approach known as living off the land. This included the Remote Desktop Protocol (RDP), PowerShell, Active Directory Domain Services commands, and the open-source tools Impacket and PsExec.
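Living-off-the-land tooling still leaves recognizable traces, because the tools have defaults. The rules below, added here as an example and not drawn from the advisory, key on the default command-line and service signatures of Impacket’s `wmiexec.py` and `smbexec.py` and of Sysinternals PsExec, and run over constructed Windows process-creation (4688) and service-install (7045) records; the record field names (`Host`, `ParentImage`, `CommandLine`, `ServiceName`, `ImagePath`) are an assumption made for the example.

```python
# Added example (not from the advisory): detection rules for the living-off-
# the-land tooling the advisory lists, run over constructed Windows event
# records. The command-line and service signatures are the defaults of
# Impacket's wmiexec.py and smbexec.py and of Sysinternals PsExec; the field
# names (Host, ParentImage, CommandLine, ServiceName, ImagePath) are an
# assumption for this example.
import re

SAMPLE_EVENTS = [
    # Impacket wmiexec: WmiPrvSE.exe spawning cmd.exe that redirects output to
    # a "__<timestamp>" file on the local ADMIN$ share.
    {"EventID": 4688, "Host": "fileserver01",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1709546400.123456 2>&1"},
    # Impacket smbexec: service "BTOBTO" whose binary path writes a batch file
    # to %TEMP% and echoes output to a share on 127.0.0.1.
    {"EventID": 7045, "Host": "fileserver01", "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    # Sysinternals PsExec installs the PSEXESVC service on the target.
    {"EventID": 7045, "Host": "dc01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # Benign noise: an admin script and a normal service install.
    {"EventID": 4688, "Host": "ws17", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"EventID": 7045, "Host": "ws17", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

WMIEXEC_RE = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)


def is_wmiexec(e):
    return (e.get("ParentImage", "").lower().endswith(r"\wmiprvse.exe")
            and WMIEXEC_RE.search(e.get("CommandLine", "")) is not None)


def is_smbexec(e):
    path = e.get("ImagePath", "")
    return (e.get("ServiceName", "").upper() == "BTOBTO"
            or ("execute.bat" in path and "\\\\127.0.0.1\\" in path))


def is_psexec(e):
    return e.get("ServiceName", "").upper() == "PSEXESVC"


# (rule name, event ID the rule applies to, predicate)
RULES = [
    ("impacket_wmiexec", 4688, is_wmiexec),
    ("impacket_smbexec", 7045, is_smbexec),
    ("sysinternals_psexec", 7045, is_psexec),
]


def match_events(events, rules=RULES):
    """Return [(host, rule_name)] for every event a rule fires on."""
    hits = []
    for e in events:
        for name, event_id, pred in rules:
            if e.get("EventID") == event_id and pred(e):
                hits.append((e["Host"], name))
    return hits


def hosts_with_multiple_techniques(events, rules=RULES):
    """Hosts where more than one distinct technique fired: a stronger signal
    of hands-on-keyboard lateral movement than any single rule."""
    seen = {}
    for host, name in match_events(events, rules):
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if len(names) > 1)
```

These signatures catch unmodified tooling only; an operator who changes the service name or output share in the Impacket source slips past them, which is why the host-level correlation (several techniques on one machine) is the more durable alert.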
“After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions,” according to the advisory. “The actors also conducted reconnaissance of the cybersecurity department, individuals responsible for coordinating transport, and other companies cooperating with the victim entity.”
The attackers targeted Office 365 users and email servers to set up persistent email collection from the compromised organizations. This involved manipulating mailbox permissions to grant access to accounts they controlled and enrolling attacker-controlled devices in multi-factor authentication for compromised accounts, so that the attackers’ own logins passed MFA checks.
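Each of those changes is routine on its own, which is why they hide in audit logs; the signal is the combination on one mailbox. The correlation below is an added example, not the advisory’s or Microsoft’s code: it classifies constructed Microsoft 365 audit records (the operation names are the real Exchange Online cmdlets and the Entra ID “User registered security info” activity, while the record shape and field names are an assumption made for the example) and escalates mailboxes where an MFA method was registered within a day of a collection-enabling permission or rule change.

```python
# Added example (not from the advisory): correlation logic over constructed
# Microsoft 365 audit records for the persistence pattern described above,
# mailbox permission changes plus a newly registered MFA method on the same
# account. Operation names are the real Exchange Online cmdlets and the Entra
# ID "User registered security info" activity; the record shape and field
# names are an assumption made for this example.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_AUDIT = [
    {"Time": "2025-03-04T09:12:00Z", "Operation": "Add-MailboxPermission",
     "Actor": "admin@example.test", "Target": "cfo@example.test",
     "Parameters": {"User": "svc-backup@example.test", "AccessRights": "FullAccess"}},
    {"Time": "2025-03-04T09:13:30Z", "Operation": "Set-MailboxFolderPermission",
     "Actor": "cfo@example.test", "Target": "cfo@example.test:\\Inbox",
     "Parameters": {"User": "Default", "AccessRights": "Reviewer"}},
    {"Time": "2025-03-04T09:20:00Z", "Operation": "User registered security info",
     "Actor": "cfo@example.test", "Target": "cfo@example.test",
     "Parameters": {"Method": "Microsoft Authenticator app", "IP": "203.0.113.5"}},
    {"Time": "2025-03-04T10:00:00Z", "Operation": "New-InboxRule",
     "Actor": "cfo@example.test", "Target": "cfo@example.test",
     "Parameters": {"Name": "Archive", "ForwardTo": "collector@example.test"}},
    {"Time": "2025-03-04T12:00:00Z", "Operation": "Set-Mailbox",
     "Actor": "admin@example.test", "Target": "hr@example.test",
     "Parameters": {"DisplayName": "HR Team"}},
    {"Time": "2025-03-06T15:00:00Z", "Operation": "User registered security info",
     "Actor": "hr@example.test", "Target": "hr@example.test",
     "Parameters": {"Method": "Microsoft Authenticator app", "IP": "198.51.100.20"}},
]

FORWARDING_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def classify(rec):
    """Map one audit record to a finding tag, or None if it is uninteresting."""
    op, p = rec["Operation"], rec.get("Parameters", {})
    if op == "Add-MailboxPermission" and "FullAccess" in p.get("AccessRights", ""):
        return "delegated_full_access"
    if (op == "Set-MailboxFolderPermission" and p.get("User") in ("Default", "Anonymous")
            and p.get("AccessRights", "None") != "None"):
        return "folder_opened_to_everyone"
    if op in ("New-InboxRule", "Set-InboxRule") and any(k in p for k in FORWARDING_KEYS):
        return "forwarding_rule"
    if op == "User registered security info":
        return "mfa_method_registered"
    return None


def findings_by_mailbox(records):
    """Group (time, tag) findings by the mailbox they affect; folder-level
    targets like 'user@domain:\\Inbox' are folded into the mailbox."""
    out = defaultdict(list)
    for rec in records:
        tag = classify(rec)
        if tag:
            mailbox = rec["Target"].split(":")[0].lower()
            out[mailbox].append((datetime.strptime(rec["Time"], "%Y-%m-%dT%H:%M:%SZ"), tag))
    return out


def escalate(records, window=timedelta(hours=24)):
    """Mailboxes where an MFA method was registered and at least one
    collection-enabling change landed within `window` of that registration.
    Either event alone is routine; together they match the advisory's pattern."""
    result = {}
    for mailbox, items in findings_by_mailbox(records).items():
        mfa_times = [t for t, tag in items if tag == "mfa_method_registered"]
        linked = sorted({tag for t, tag in items
                         if tag != "mfa_method_registered"
                         and any(abs(t - m) <= window for m in mfa_times)})
        if linked:
            result[mailbox] = linked
    return result
```

The `hr@example.test` registration two days later produces no alert because nothing else touched that mailbox; that is the intended behaviour, since users legitimately re-enrol phones all the time. Tighten the window if the tenant’s change volume makes 24 hours noisy.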
The kind of information they were after included details about shipments to Ukraine, such as point of departure, destination, train/plane/ship numbers, container registration numbers, travel routes and the cargo contents.
“In at least one instance, the actors attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.”
The attackers abused server-side data exchange protocols and APIs such as Exchange Web Services (EWS) and the Internet Message Access Protocol (IMAP) to exfiltrate data from email servers. For example, they issued periodic EWS queries to collect newly arrived emails.
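Periodic collection has a tell that content inspection does not need: a scripted collector polls on a timer, so the gaps between its requests have almost no variance, whereas a human-driven mail client is irregular. The following cadence check is an added example, not from the advisory, over constructed EWS access records; the log format, the user-agent strings and the list of “known client” markers are assumptions for the example and would be replaced by the tenant’s own.

```python
# Added example (not from the advisory): spotting the periodic EWS collection
# described above in constructed EWS access records. Scripted collectors poll
# on a fixed timer, so the gaps between a client's requests have almost no
# variance, while a human-driven client is irregular. The log format and the
# user-agent strings are assumptions for this example.
import re
import statistics
from collections import defaultdict
from datetime import datetime

SAMPLE_EWS_LOG = """\
2025-03-04T08:00:00Z user=cfo@example.test ua="python-requests/2.31.0" op=FindItem
2025-03-04T08:05:00Z user=cfo@example.test ua="python-requests/2.31.0" op=FindItem
2025-03-04T08:10:00Z user=cfo@example.test ua="python-requests/2.31.0" op=FindItem
2025-03-04T08:15:00Z user=cfo@example.test ua="python-requests/2.31.0" op=FindItem
2025-03-04T08:20:00Z user=cfo@example.test ua="python-requests/2.31.0" op=FindItem
2025-03-04T08:25:00Z user=cfo@example.test ua="python-requests/2.31.0" op=FindItem
2025-03-04T08:30:00Z user=cfo@example.test ua="python-requests/2.31.0" op=FindItem
2025-03-04T08:35:00Z user=cfo@example.test ua="python-requests/2.31.0" op=GetItem
2025-03-04T08:03:12Z user=hr@example.test ua="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)" op=GetItem
2025-03-04T08:11:48Z user=hr@example.test ua="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)" op=FindItem
2025-03-04T08:37:05Z user=hr@example.test ua="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)" op=GetItem
2025-03-04T08:40:30Z user=hr@example.test ua="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)" op=GetItem
2025-03-04T09:02:00Z user=hr@example.test ua="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)" op=FindItem
2025-03-04T09:03:10Z user=hr@example.test ua="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)" op=GetItem
2025-03-04T09:30:00Z user=hr@example.test ua="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17328)" op=FindItem
"""

LINE_RE = re.compile(r'^(\S+) user=(\S+) ua="([^"]*)" op=(\S+)$')


def parse_ews_log(log_text):
    """Yield (timestamp, user, user_agent, operation) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                   m.group(2), m.group(3), m.group(4))


def polling_clients(log_text, min_requests=6, max_cv=0.1):
    """Return {(user, user_agent): period_seconds} for clients that made at
    least min_requests requests with a coefficient of variation of the
    inter-request gaps below max_cv (i.e. on a near-perfect timer)."""
    by_client = defaultdict(list)
    for ts, user, ua, _ in parse_ews_log(log_text):
        by_client[(user, ua)].append(ts)
    result = {}
    for client, times in by_client.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            result[client] = mean
    return result


def suspicious_collectors(log_text, known_client_markers=("Microsoft Office",)):
    """Timer-driven clients whose user agent is not one of the organisation's
    known mail clients; the marker list is an assumption to tune per tenant."""
    return {client: period for client, period in polling_clients(log_text).items()
            if not any(marker in client[1] for marker in known_client_markers)}
```

The user-agent filter is there to keep legitimate synchronisation clients out of the result; an attacker can of course spoof the string, so treat the cadence alone as the primary signal and the user agent as context for triage.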
“In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine,” according to the advisory. “The actors also used legitimate municipal services, such as traffic cams.”
The joint advisory contains extensive indicators of compromise, including file names, IP addresses, email addresses, commands, scripts and abused legitimate utilities. These can be used for threat hunting and for detecting compromises, but the agencies warn that some of the IOCs may no longer be current, as APT28 has access to extensive infrastructure and resources and can change them.
The advisory also includes detection rules and recommendations for network and systems architecture and configuration changes, identity and access management and hardening steps for IP cameras.