Russian hackers track Ukraine aid

Russian state hackers, notably the GRU-linked group tracked as APT28, have intensified their cyberattacks on logistics and technology firms in NATO countries that support Ukraine aid efforts. Their methods include password brute-forcing, spear-phishing, and malware delivery chains. Recent reports indicate that dozens of organizations across Europe, Ukraine, and the United States have been targeted as part of a broader effort to learn how aid is moved, by whom, and along which routes. Social engineering is used increasingly to trick users into opening malicious payloads.

Central to these operations is the exploitation of email systems. APT28 has abused Microsoft Exchange mailbox permissions to keep reading mail long after the initial compromise, and has exploited the Outlook NTLM-leak vulnerability (CVE-2023-23397), in which a crafted calendar or task item makes Outlook connect to an attacker-controlled SMB share without any user interaction and expose the user's Net-NTLMv2 response. Spear-phishing campaigns have impersonated government agencies and Western cloud email providers, using fake login pages to harvest credentials. The group has also used the Wi-Fi networks of organizations located physically near a target to reach the target's internal network, a technique that sidesteps defenses built around internet-facing access.
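The mailbox-permission abuse described above leaves a detectable footprint: explicit, non-inherited FullAccess or SendAs grants to an account that is not the mailbox owner, and in particular one account reaching into several unrelated mailboxes. The following audit script is an added example, not tooling from Microsoft, the advisories, or this article. It assumes an export of `Get-MailboxPermission` results to JSON, and the field names it reads (Identity, User, AccessRights, IsInherited, Deny) are assumptions about that export that you should match to your own output.

```python
"""Audit Exchange mailbox delegations for the pattern a mail-collection
operation leaves behind: explicit, non-inherited FullAccess/SendAs grants to
a non-owner, especially one delegate spread across many mailboxes.

Added example, not vendor or advisory tooling. Record field names are
assumptions about a Get-MailboxPermission JSON export.
"""
from collections import defaultdict

# Constructed sample export; not data from any real tenant.
SAMPLE_PERMISSIONS = [
    {"Identity": "alice@corp.example", "User": "NT AUTHORITY\\SELF",
     "AccessRights": ["FullAccess", "ReadPermission"], "IsInherited": False, "Deny": False},
    {"Identity": "alice@corp.example", "User": "CORP\\Domain Admins",
     "AccessRights": ["FullAccess"], "IsInherited": True, "Deny": True},
    {"Identity": "alice@corp.example", "User": "svc-backup@corp.example",
     "AccessRights": ["FullAccess"], "IsInherited": False, "Deny": False},
    {"Identity": "bob@corp.example", "User": "svc-backup@corp.example",
     "AccessRights": ["FullAccess"], "IsInherited": False, "Deny": False},
    {"Identity": "carol@corp.example", "User": "svc-backup@corp.example",
     "AccessRights": ["FullAccess"], "IsInherited": False, "Deny": False},
    {"Identity": "dave@corp.example", "User": "dave-assistant@corp.example",
     "AccessRights": ["FullAccess"], "IsInherited": False, "Deny": False},
    {"Identity": "erin@corp.example", "User": "erin-phone@corp.example",
     "AccessRights": ["ReadPermission"], "IsInherited": False, "Deny": False},
]

# Rights that let a delegate read the mailbox or send as its owner.
SENSITIVE_RIGHTS = {"FullAccess", "SendAs"}


def _rights(value):
    """Normalise AccessRights whether exported as a list or a comma-joined string."""
    if isinstance(value, str):
        value = value.split(",")
    return {r.strip() for r in value}


def explicit_sensitive_grants(records):
    """Keep only explicit (non-inherited) allow entries that grant sensitive
    rights to someone other than the mailbox itself. Inherited and Deny
    entries exist on every mailbox and are dropped as noise."""
    kept = []
    for rec in records:
        if rec["IsInherited"] or rec["Deny"]:
            continue
        if rec["User"].upper().endswith("\\SELF"):
            continue
        if _rights(rec["AccessRights"]) & SENSITIVE_RIGHTS:
            kept.append(rec)
    return kept


def mailboxes_per_trustee(records):
    """Map each delegate to the sorted list of mailboxes it can read or send as."""
    reach = defaultdict(set)
    for rec in explicit_sensitive_grants(records):
        reach[rec["User"]].add(rec["Identity"])
    return {user: sorted(boxes) for user, boxes in reach.items()}


def flag_broad_delegates(records, max_mailboxes=1, allowlist=frozenset()):
    """Delegates with sensitive access to more than `max_mailboxes` mailboxes,
    minus accounts you have verified (a documented backup identity, say).
    One assistant reading one executive's mailbox is normal; one account
    reading three unrelated mailboxes is what an intrusion looks like."""
    return {
        user: boxes
        for user, boxes in mailboxes_per_trustee(records).items()
        if user not in allowlist and len(boxes) > max_mailboxes
    }


if __name__ == "__main__":
    for user, boxes in flag_broad_delegates(SAMPLE_PERMISSIONS).items():
        print(f"{user} has FullAccess/SendAs on {len(boxes)} mailboxes: {', '.join(boxes)}")
```

Run it against a real export and expect false positives from shared mailboxes and service accounts; feed those into `allowlist` once verified rather than raising `max_mailboxes`, so that a newly created delegate with wide reach still surfaces.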


Beyond email, the group has exploited publicly known vulnerabilities in corporate VPN appliances to gain network access, and has used SQL injection against internet-facing systems; both routes have allowed it to intercept communications relevant to Ukraine support efforts.

Recent reports also note exploitation of the WinRAR vulnerability CVE-2023-38831, which runs attacker-supplied code on the victim's workstation when a user opens a file from a specially crafted archive, giving the attackers a foothold from which to expand access inside the compromised network.

Advanced phishing against Microsoft 365 accounts also features in APT28's operations. Russian actors have been observed abusing the OAuth 2.0 device authorization flow: the target receives a genuine Microsoft device code and is persuaded to enter it on Microsoft's real login page, which authorizes a session the attacker controls without the attacker ever handling a password. The pretexts are realistic and designed to lower the victim's guard, and one-on-one social engineering over messaging apps has made these attempts considerably more effective.
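Because the device-code flow is legitimate, the resulting sign-in looks legitimate too; the signal is context. The script below is an added example of that detection logic, not Microsoft's or any vendor's. It reads Entra ID sign-in events and flags device-code sign-ins from outside the networks where staff actually enrol devices, plus any single IP that completes device-code sign-ins for several users in a short window. The field names follow the Microsoft Graph `signIn` resource as I understand it (`userPrincipalName`, `ipAddress`, `authenticationProtocol`, `createdDateTime`), the trusted range is an assumed corporate egress network, and the events are constructed.

```python
"""Spot device-code phishing in Entra ID sign-in logs.

Added example, not a vendor detection. Field names follow the Graph signIn
resource as understood by the author of this example; the trusted network
and every event below are constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines sample; users, IPs and times are made up.
SAMPLE_SIGNINS = """\
{"createdDateTime": "2025-05-20T09:01:12Z", "userPrincipalName": "alice@corp.example", "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker"}
{"createdDateTime": "2025-05-20T09:03:40Z", "userPrincipalName": "bob@corp.example", "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker"}
{"createdDateTime": "2025-05-20T09:05:02Z", "userPrincipalName": "carol@corp.example", "ipAddress": "198.51.100.10", "authenticationProtocol": "oAuth2", "appDisplayName": "Office 365 Exchange Online"}
{"createdDateTime": "2025-05-20T10:15:00Z", "userPrincipalName": "dave@corp.example", "ipAddress": "198.51.100.10", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Intune Company Portal"}
{"createdDateTime": "2025-05-20T15:30:00Z", "userPrincipalName": "erin@corp.example", "ipAddress": "203.0.113.7", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Authentication Broker"}
"""

# Assumed corporate egress range where device enrolment legitimately happens.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_signins(text):
    """Parse JSON lines into events, attach a datetime, return in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["_time"] = datetime.strptime(ev["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda ev: ev["_time"])


def device_code_signins(events):
    """Only sign-ins completed through the device authorization flow."""
    return [ev for ev in events if ev.get("authenticationProtocol") == "deviceCode"]


def from_untrusted_network(events, trusted=TRUSTED_NETWORKS):
    """Device-code sign-ins whose source IP lies outside the trusted ranges.
    The IP here is the device that redeemed the code, i.e. the attacker's box
    in a phishing case, not the victim's browser."""
    out = []
    for ev in device_code_signins(events):
        ip = ipaddress.ip_address(ev["ipAddress"])
        if not any(ip in net for net in trusted):
            out.append(ev)
    return out


def ip_clusters(events, window=timedelta(minutes=30), min_users=2):
    """IPs that redeemed device codes for at least `min_users` distinct users
    within `window`: an operator working a list of targets, not a real user."""
    by_ip = defaultdict(list)
    for ev in device_code_signins(events):
        by_ip[ev["ipAddress"]].append(ev)
    clusters = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["_time"])
        for i, first in enumerate(evs):
            users = {e["userPrincipalName"] for e in evs[i:]
                     if e["_time"] - first["_time"] <= window}
            if len(users) >= min_users:
                clusters[ip] = sorted(users)
                break
    return clusters


def report(text):
    """Summarise both signals for a batch of sign-in lines."""
    events = parse_signins(text)
    return {
        "untrusted_device_code_users": sorted(
            {ev["userPrincipalName"] for ev in from_untrusted_network(events)}),
        "clustered_ips": ip_clusters(events),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_SIGNINS), indent=2))
```

In the sample, dave's device-code sign-in from the corporate range is left alone, while alice and bob are flagged twice: once for the external source and once because the same IP redeemed both their codes within minutes. The cheaper preventive control is a Conditional Access policy that restricts or blocks the device-code flow for users who have no business enrolling devices.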

Targeting spans multiple NATO states, with defense contractors and logistics providers singled out. APT28's operations line up with the objectives of Russia's military intelligence service (GRU) in the ongoing conflict, and they pose a significant risk to the security of the international supply channels that support Ukraine.
