APT28 Cyber Espionage Targets NATO Supply Lines to Ukraine
Table of Contents
- APT28 Cyber Espionage Targets NATO Supply Lines to Ukraine
- Russian Hackers Exploit Surveillance Systems to Track Military Aid
- Infiltration Tactics: From Phishing to Camera Access
- Scale of the Breach: Thousands of Cameras Compromised
- Beyond Surveillance: Targeting Sensitive Data and IT Infrastructure
- Cybersecurity Agencies Issue Warnings
- Broad Targeting: Logistics, Defense, and Critical Infrastructure at Risk
Russian Hackers Exploit Surveillance Systems to Track Military Aid
A complex cyber espionage campaign, attributed to the Russian military intelligence service, specifically Unit 26165 (also known as APT28 or Fancy Bear), has been uncovered targeting the logistical networks responsible for delivering cargo to Ukraine from NATO countries. The group employed phishing tactics, including the use of sexually explicit content and fabricated official communications, to gain unauthorized access to surveillance systems.
Infiltration Tactics: From Phishing to Camera Access
According to a western intelligence document, APT28's objectives extended beyond merely infiltrating logistics firms. The group allegedly leveraged compromised systems to reach private security cameras in strategically important locations, including border crossings, military installations and railway hubs, enabling it to monitor the movement of supplies destined for Ukraine. Furthermore, it reportedly exploited municipal infrastructure, such as road traffic monitoring cameras, to extend its surveillance coverage.
Members of Unit 26165 not only tried to infiltrate logistics business systems, but also most likely used access to private organizations' cameras in important places such as border crossing points, military bases and railway stations to track material transport to Ukraine. They also used municipal systems, such as road traffic supervision cameras.
Western Intelligence Document
Scale of the Breach: Thousands of Cameras Compromised
The extent of the breach is substantial: the hackers gained access to approximately 10,000 cameras. The large majority, around 80%, were located within Ukraine. The remaining compromised cameras were distributed across several countries supporting Ukraine, including Romania (10%), Poland (4%), Hungary (2.8%) and Slovakia (1.7%). This widespread access gave APT28 a comprehensive view of supply routes and of the points along them most exposed to observation.
Beyond Surveillance: Targeting Sensitive Data and IT Infrastructure
In addition to visual surveillance, the hackers sought sensitive shipment data such as invoices and train schedules. Intelligence reports indicate that APT28 also attempted voice phishing (vishing) attacks to compromise IT employees' accounts, highlighting its determination to gain deeper access to critical systems. This multi-pronged approach underscores the sophistication and persistence of the campaign.
Cybersecurity Agencies Issue Warnings
The United Kingdom’s National Cyber Security Centre (NCSC) has issued a strong warning about the risks posed by this malicious campaign. Paul Chichester, Director of Operations at the NCSC, emphasized the serious threat to organizations involved in assisting Ukraine and urged them to review their security protocols and implement mitigation strategies. This warning comes amidst growing concerns about the vulnerability of critical infrastructure to state-sponsored cyberattacks.
This malicious campaign by the Russian military intelligence service poses a serious risk to organizations under attack, including those involved in assistance to Ukraine. We encourage organizations to review the threat and the mitigations in this advisory to help protect their networks.
Paul Chichester, Director of Operations, UK National Cyber Security Centre
Broad Targeting: Logistics, Defense, and Critical Infrastructure at Risk
Western intelligence agencies caution that APT28’s targets extend beyond organizations directly involved in assisting Ukraine. The group’s objectives also include logistics and technology companies, defense contractors, IT firms, seaports, airports, and air traffic control systems within NATO member states. This broad targeting highlights the potential for widespread disruption and the need for heightened vigilance across various sectors.
