On May 21, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), alongside 20 allied intelligence and cyber defense agencies across the U.S., EU, UK, and NATO states, issued a critical joint cybersecurity advisory (AA25-141A) revealing a persistent Russian state-sponsored cyber campaign orchestrated by the GRU’s 85th Main Special Service Center, also known in cybersecurity circles as APT28, Fancy Bear, or BlueDelta.
This espionage-focused campaign has been ongoing since early 2022 and is primarily aimed at Western logistics providers and technology firms—especially those connected to the coordination and delivery of foreign aid to Ukraine. The scope of the operation includes targeting air, maritime, and rail logistics infrastructure, as well as technology firms providing support or coordination tools.
Sophisticated Tactics with Clear Strategic Objectives
The attackers have demonstrated a high degree of sophistication in their methods, combining traditional spearphishing and credential harvesting with exploitation of known software vulnerabilities. Among the CVEs leveraged in the campaign are:
- CVE-2023-23397 (Microsoft Outlook NTLM leak),
- CVE-2023-38831 (WinRAR code execution),
- Several Roundcube Webmail vulnerabilities (used for code execution and credential theft).
The GRU’s unit 26165 established initial access through spearphishing campaigns, often tailored to the target’s native language and masquerading as government or logistics-themed content. Malicious payloads were hosted on legitimate but compromised infrastructure and frequently redirected through proxy networks using services like Dynu, InfinityFree, and Mocky.
Once inside the target network, the actors moved laterally using living-off-the-land binaries (LOLBins) such as PsExec and tools like Impacket. They also manipulated mailbox permissions to set up long-term surveillance of email traffic and exfiltrated data using encrypted protocols like EWS and IMAP.
What Was Targeted and Why
The campaign specifically focused on:
- Defense logistics firms operating air, rail, and maritime transport,
- Air traffic control and maritime traffic systems,
- IT service providers supporting these sectors,
- Industrial control system (ICS) components for rail infrastructure.
Entities in countries such as Germany, France, Poland, Italy, the Netherlands, Romania, Slovakia, the U.S., and Ukraine were among those targeted. In many cases, the attackers exploited trust relationships, pivoting from one compromised partner to another.
The exfiltrated data included shipping manifests, cargo details, schedules, departure/destination information, and even container registration numbers—information with both tactical and strategic military relevance in the context of Ukraine.
IP Camera Espionage: A New Layer of Threat
One of the most concerning revelations is that the GRU’s campaign also targeted IP cameras, particularly those located at border crossings, military sites, and transport hubs. Using RTSP protocol enumeration and credential brute-forcing, attackers attempted to gain live access to camera feeds.
Over 80% of these targeted devices were located in Ukraine, with others in Poland, Romania, and Hungary. This tactic allowed the GRU not only to collect network intelligence, but to observe real-time aid movements—a direct threat to operational security.
CISO Priorities: Defense Actions and Recommendations
For CISOs and security teams, this advisory should trigger immediate reassessment of exposure, particularly in environments tied to transportation, logistics, and critical infrastructure. CISA and its partners recommend the following urgent mitigations:
1. Patch Management and CVE Monitoring
- Immediately apply patches for Outlook, WinRAR, and Roundcube.
- Disable, or at minimum monitor, NTLM authentication to external hosts.
- Conduct CVE-specific threat hunting using MITRE ATT&CK and D3FEND mappings.
2. Email and Identity Protections
- Enforce MFA (preferably hardware-based) on all privileged accounts.
- Audit mailbox delegate permissions for unauthorized changes.
- Block use of personal or free email accounts for official business.
3. Zero Trust and Network Segmentation
- Assume breach posture: segment internal networks by zone.
- Log and alert on lateral movement attempts (especially PsExec, RDP).
- Monitor outbound traffic to known malicious DNS domains (e.g., *.mocky.io, *.infinityfreeapp.com).
4. IP Camera Hardening
- Disable remote access if unnecessary; enable firewall rules to allow only local access.
- Change default credentials and enforce MFA for access portals.
- Disable UPnP and review ports and services in use.
5. Threat Hunting and Anomaly Detection
- Search for indicators of compromise (IOCs) related to HEADLACE and MASEPIE malware.
- Use YARA rules provided by the advisory to identify potential persistence mechanisms.
- Monitor for use of PowerShell, VBScript, and scheduled tasks used to maintain footholds.
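As an added illustration of items 3 and 5 (not code from the advisory or from CISA), here is a small Python hunt that applies those rules to constructed sample events: PsExec's default service name in a 7045 service-install event, DNS queries to the domain suffixes quoted above, and scheduled tasks that launch a script interpreter. The event field names are assumptions modelled on Windows System, Sysmon and Security logs.

```python
import re

# Constructed sample events, loosely modelled on Windows System 7045 (service
# install), Sysmon 22 (DNS query) and Security 4698 (scheduled task created).
# Illustrative only: not real log data and not advisory IoCs.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FILESRV01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "FILESRV01", "ServiceName": "Spooler",
     "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"},
    {"EventID": 22, "Computer": "WS-042", "QueryName": "run.mocky.io",
     "Image": "C:\\Windows\\System32\\mshta.exe"},
    {"EventID": 22, "Computer": "WS-042", "QueryName": "login.microsoftonline.com",
     "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 4698, "Computer": "WS-042", "TaskName": "\\Updater\\Sync",
     "Command": "powershell.exe -w hidden -enc QQBCAEMA"},  # constructed value
]

# Domain suffixes from the mitigation list above; matched on label boundaries
# so that e.g. "notmocky.io" is not flagged.
SUSPICIOUS_DOMAIN_SUFFIXES = ("mocky.io", "infinityfreeapp.com")
LATERAL_MOVEMENT_SERVICES = {"psexesvc"}  # PsExec's default service name
PERSISTENCE_INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b", re.I)

def domain_matches(query_name, suffixes=SUSPICIOUS_DOMAIN_SUFFIXES):
    name = query_name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)

def evaluate(event):
    """Return (rule_name, detail) for a suspicious event, or None."""
    eid = event.get("EventID")
    if eid == 7045 and event.get("ServiceName", "").lower() in LATERAL_MOVEMENT_SERVICES:
        return ("psexec_service_install", event["ServiceName"])
    if eid == 22 and domain_matches(event.get("QueryName", "")):
        return ("suspicious_dns_query", event["QueryName"])
    if eid == 4698 and PERSISTENCE_INTERPRETERS.search(event.get("Command", "")):
        return ("script_interpreter_scheduled_task", event["TaskName"])
    return None

def hunt(events):
    """Run every rule over an event stream and return the resulting alerts."""
    alerts = []
    for ev in events:
        hit = evaluate(ev)
        if hit:
            alerts.append({"host": ev.get("Computer"), "rule": hit[0], "detail": hit[1]})
    return alerts

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['detail']}")
```

In production the rules would read from a SIEM export rather than the inline list, and the domain suffixes would be maintained as a threat-intel feed rather than hard-coded.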
Strategic Takeaway for CISOs
This campaign underscores a broader evolution in Russian cyber operations: blending traditional espionage with hybrid war support, using both virtual and physical observation capabilities. The targeting of logistics firms aligns directly with Russian military interests in disrupting the flow of Western aid to Ukraine.
Moreover, the campaign reflects a long-term investment by the GRU into exploiting digital infrastructure interdependencies—supply chains, trust relationships, email systems, and even IoT devices.
CISOs should not wait for compromise to act. Proactive exposure management, enhanced email and identity governance, and red-teaming against nation-state TTPs are now fundamental requirements—not optional enhancements.
Full Advisory: CISA AA25-141A (PDF)
Recommended Reading:
- NSA & CISA: Top 10 Misconfigurations in Enterprise Environments
- Microsoft: CVE-2023-23397 Defender Toolkit