Issued on 22 May 2025, a joint advisory from ASD’s ACSC, CISA, NSA, FBI and more than a dozen allied agencies warns that Russia’s GRU Unit 26165 (APT28/Fancy Bear) has been spying on Western logistics and technology firms supporting aid to Ukraine since 2022, using password-spraying and spear-phishing campaigns alongside exploits for Outlook, WinRAR and Roundcube and for unpatched corporate VPNs. The group has breached or probed ports, airports, rail hubs, maritime services and IT providers across NATO countries, the United States and Ukraine to monitor shipment schedules and potentially disrupt deliveries. The agencies urge organisations in the affected sectors to presume they are being targeted, hunt for the published indicators of compromise (IOCs), patch urgently, enforce hardware-backed MFA on privileged accounts, segment networks and block inbound logins from public VPN services and Tor exit nodes. Below is a comment from Satnam Narang, senior staff research engineer at Tenable, offering more insight into the Fancy Bear group.
–
“The military unit 26165 of the Russian GRU, notably referred to under a variety of threat actor names including APT28, Fancy Bear, Forest Blizzard and others, has been operating for well over a decade, targeting various organisations and government institutions across the world. The most recent joint cybersecurity advisory, authored and co-sealed by 21 agencies from the U.S., Germany, Czech Republic, Poland, Australia, Canada, Estonia, Denmark, France and the Netherlands, highlights activity associated with APT28 over the last two years. Specifically, it details the various tactics and techniques utilised in campaigns that include espionage and influence primarily against targets in the logistics and technology sectors.
“APT28, as an advanced persistent threat actor, utilises a number of ways to gain initial access into target environments, targeting credentials and exploiting vulnerabilities. Once inside their desired networks, they focus on maintaining persistence and deploy different malware, including backdoor malware named HEADLACE and OCEANMAP, downloader trojans named MASEPIE, and data-harvesting malware named STEELHOOK. For espionage-related attacks, stealth is key, so finding ways to exfiltrate data using malware is one way, but it has also become increasingly important for threat actors to utilise what is known as living off the land (LOTL) binaries, which utilise built-in system tools to prevent red flags from being raised.
“There is immense value in understanding how attackers operate and leveraging indicators of compromise. Identifying weaknesses, such as accounts with weak credentials that can be brute-forced or guessed, adopting principles of least privilege, and making sure that known vulnerabilities are patched in a timely manner are some of the key ways organisations can put themselves in the best position to defend against such attacks. However, it is important to remember that the ‘P’ in APT highlights the persistence of these attackers, so while these defensive measures are key, it is also vital that organisations have a proper incident response playbook in place to identify and respond to attacks quickly.” — Satnam Narang, senior staff research engineer, Tenable
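The advisory summarised above asks defenders to hunt for password spraying and to sweep authentication logs for the published IOCs. The script below is an added illustration of what that hunt looks like in practice; it is not code from the advisory, the agencies or Tenable. The log format, the thresholds, the usernames and the IP addresses are all constructed for the example (the "known bad" list uses RFC 5737 documentation ranges, not the advisory's real indicators, which you would load from the published IOC file instead). It goes slightly beyond the text by separating a spray (one source, many accounts, a few tries each) from single-account brute force, and by surfacing the case that matters most: a successful login from a source that was spraying moments earlier.

```python
"""Hunt for password spraying and known-bad source IPs in auth logs.

Added example, not part of the advisory or Tenable's commentary. Log format,
thresholds and addresses are constructed; KNOWN_BAD_IPS is a stand-in for the
advisory's IOC list plus a Tor-exit / public-VPN list (documentation ranges only).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: <ISO timestamp> <FAIL|SUCCESS> <username> <source IP>
SAMPLE_LOG = """\
2025-05-20T08:00:01Z FAIL alice 198.51.100.7
2025-05-20T08:00:03Z FAIL bob 198.51.100.7
2025-05-20T08:00:05Z FAIL carol 198.51.100.7
2025-05-20T08:00:07Z FAIL dave 198.51.100.7
2025-05-20T08:00:09Z FAIL erin 198.51.100.7
2025-05-20T08:00:11Z SUCCESS frank 198.51.100.7
2025-05-20T08:05:00Z FAIL alice 192.0.2.10
2025-05-20T08:05:02Z FAIL alice 192.0.2.10
2025-05-20T08:05:04Z FAIL alice 192.0.2.10
2025-05-20T08:05:06Z FAIL alice 192.0.2.10
2025-05-20T08:05:08Z FAIL alice 192.0.2.10
2025-05-20T09:30:00Z SUCCESS grace 203.0.113.44
"""

# Constructed stand-in for the published IOCs / Tor exit list (not real indicators).
KNOWN_BAD_IPS = {"203.0.113.44"}

LINE_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) (\S+) (\S+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, ip = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "outcome": outcome, "user": user, "ip": ip})
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Spray signature: one source IP, at least `min_users` distinct accounts,
    no account tried more than `max_per_user` times, all inside `window`.
    Many failures against a single account (classic brute force) is
    deliberately not flagged here so the two patterns are triaged separately."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "FAIL":
            failures_by_ip[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):           # sliding time window
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[ip] = sorted(per_user)
                break
    return findings


def successes_after_spray(events, spray_findings):
    """A SUCCESS from a source already flagged as spraying is the top lead."""
    return sorted({(e["ip"], e["user"]) for e in events
                   if e["outcome"] == "SUCCESS" and e["ip"] in spray_findings})


def match_iocs(events, bad_ips=KNOWN_BAD_IPS):
    """Any login activity, failed or not, from a listed IP."""
    return sorted({(e["ip"], e["user"], e["outcome"]) for e in events
                   if e["ip"] in bad_ips})


def hunt(text=SAMPLE_LOG):
    events = parse_log(text)
    spray = detect_password_spray(events)
    return {"spray_sources": spray,
            "spray_successes": successes_after_spray(events, spray),
            "ioc_hits": match_iocs(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(), indent=2, default=str))
```

On the constructed sample, 198.51.100.7 is flagged as a spraying source and its later success as frank is the first thing to investigate; 192.0.2.10 is not flagged because all five failures are against one account; 203.0.113.44 is reported purely on the IOC match even though its login succeeded. Thresholds are starting points and should be tuned against your own baseline of normal failure rates.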