Russian military intelligence (GRU) unit 26165, better known as APT28 or Fancy Bear, has conducted a two-year cyber espionage campaign against organizations that support the delivery of aid to Ukraine. Eleven Western nations have publicly linked the campaign to Russia's war in Ukraine; it has intensified since February 2022, as Russian military objectives faltered on the ground.
The operation targets the logistics entities, technology companies, and defense contractors involved in coordinating foreign assistance to Ukraine. Transportation facilities, maritime operators, and air traffic control systems have faced increased threats from a combination of spear-phishing emails, brute-force credential guessing, and exploitation of vulnerabilities in Microsoft Outlook and other software. Once inside, the group maintains persistence through scheduled tasks and Run registry keys to keep long-term access to compromised systems. The same unit was responsible for the 2015 Bundestag hack, which led to EU sanctions.
APT28's technical approach reuses previously disclosed tactics, techniques, and procedures (TTPs), including the use of the publicly available Metasploit framework after initial compromise. The group has exploited seven critical Common Vulnerabilities and Exposures (CVEs) and has also gained initial access by tricking users into running PowerShell commands planted in their clipboard.
The campaign's surveillance has expanded to hacking internet-connected cameras at Ukrainian border crossings and in neighboring NATO countries. Monitoring of logistics routes and supply chains through these cameras is complemented by extensive data theft from compromised systems, enabling Russian intelligence to track aid shipments and movement patterns.
In response, a coalition of Western nations has issued a joint cybersecurity advisory (CSA), with participation from the FBI, NSA, CISA, and cybersecurity agencies from Australia, Canada, and eight European countries.
Alert AA25-141A, released by CISA on May 21, 2025, provides detailed indicators of compromise and recommends that network defenders posture their defenses with a presumption of targeting. Organizations are advised to increase monitoring and threat hunting, focusing in particular on the known TTPs associated with APT28's espionage campaign.
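As an added example, not code from the article, from CISA, or from the advisory, the following Python script illustrates the kind of threat hunt the advisory recommends, using the two persistence mechanisms named above (Run registry keys and scheduled tasks). It assumes Windows telemetry exported as JSON lines, with Sysmon Event ID 13 (registry value set) and Security Event ID 4698 (scheduled task created) carrying their standard field names; the sample records, hostnames, task names, and the base64 blob are constructed, and the "suspicious PowerShell" and trusted-directory heuristics are the author's own, not indicators published in AA25-141A.

```python
"""
Hunt for Run-key and scheduled-task persistence in exported Windows telemetry.

Added example; assumes Sysmon Event ID 13 and Security Event ID 4698 records
exported one JSON object per line. Heuristics and sample data are constructed.
"""
import json
import re

# HKLM or HKCU autostart keys written by Run / RunOnce persistence.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)

# Directories from which a legitimate autostart entry normally loads (assumption).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# PowerShell launched with flags typical of hands-off execution (heuristic).
SUSPICIOUS_CMD = re.compile(
    r"(?:powershell|pwsh).*?(?:-enc|-encodedcommand|-nop|-w\s+hidden|downloadstring|iex\b)",
    re.IGNORECASE | re.DOTALL,
)
DRIVE_PATH_RE = re.compile(r"[a-z]:\\", re.IGNORECASE)


def _task_action(task_xml: str) -> str:
    """Pull <Command> and <Arguments> out of a 4698 TaskContent blob (simplified parse)."""
    parts = []
    for tag in ("Command", "Arguments"):
        m = re.search(rf"<{tag}>(.*?)</{tag}>", task_xml, re.DOTALL)
        if m:
            parts.append(m.group(1).strip())
    return " ".join(parts)


def classify(event: dict):
    """Return a finding dict for a persistence-related event, or None if irrelevant."""
    eid = event.get("EventID")
    reasons = []
    if eid == 13:  # Sysmon: registry value set
        if not RUN_KEY_RE.search(event.get("TargetObject", "")):
            return None
        reasons.append("run_key_write")
        action = event.get("Details", "")
    elif eid == 4698:  # Security: scheduled task created
        reasons.append("scheduled_task_created")
        action = _task_action(event.get("TaskContent", ""))
    else:
        return None

    # An absolute path outside the trusted directories is worth a look on its own.
    unquoted = action.lstrip('"')
    if DRIVE_PATH_RE.match(unquoted) and not unquoted.lower().startswith(TRUSTED_DIRS):
        reasons.append("untrusted_binary_path")
    if SUSPICIOUS_CMD.search(action):
        reasons.append("suspicious_powershell")

    return {
        "host": event.get("Computer", "?"),
        "event_id": eid,
        "action": action,
        "reasons": reasons,
        # Baseline autostart/task creation is "low"; any extra reason raises it.
        "severity": "high" if len(reasons) > 1 else "low",
    }


def hunt(lines):
    """Run classify() over JSON lines; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample export: two Run-key writes, one unrelated registry write,
# two scheduled tasks, and one corrupt line.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws-logistics-07", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1004\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDriveUpd",
     "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\OneDriveUpd\\svc.exe"},
    {"EventID": 13, "Computer": "ws-logistics-07", "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" --tray"},
    {"EventID": 13, "Computer": "ws-logistics-07", "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 4698, "Computer": "srv-freight-02", "SubjectUserName": "svc_backup",
     "TaskName": "\\Microsoft\\Windows\\Maintenance\\TelemetryCheck",
     "TaskContent": "<Task><Actions><Exec><Command>powershell.exe</Command>"
                    "<Arguments>-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA</Arguments>"
                    "</Exec></Actions></Task>"},
    {"EventID": 4698, "Computer": "srv-freight-02", "SubjectUserName": "SYSTEM",
     "TaskName": "\\Vendor\\NightlyUpdate",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command>"
                    "<Arguments>/check</Arguments></Exec></Actions></Task>"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["{truncated export line"]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LINES):
        print(f"[{f['severity']:4}] {f['host']} EID {f['event_id']}: {', '.join(f['reasons'])} :: {f['action']}")
```

On the sample export the script reports four findings: the Run-key write pointing into a user's AppData and the scheduled task launching hidden, encoded PowerShell come out as high, while the vendor agent's Run key and the vendor updater task are reported at low severity as baseline noise a hunter can review or allowlist. In a real hunt the low-severity entries are the ones to compare against a known-good software inventory, since the advisory's point is that these mechanisms are ordinary Windows features abused for long-term access.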