Top security agencies across the United States and several of its European allies issued a joint cybersecurity advisory calling attention to a Russian state-sponsored cyber campaign targeting Western logistics companies and technology firms.
A unit of Russia’s primary foreign military intelligence agency, the Russian General Staff Main Intelligence Directorate (GRU), has carried out the attacks on dozens of entities including those involved in the coordination, transport and delivery of aid to Ukraine.
The GRU unit cyber campaign has targeted government organizations and private/commercial entities across air, sea, and rail.
Those identified include firms in the defense industry, transportation hubs such as ports and airports, the maritime industry, air traffic management, and IT services.
No companies have been explicitly named in the advisory. According to the report, the cyberattacks began escalating in late February 2022 at the start of Russia’s invasion of Ukraine.
Western logistics companies have a minimal business footprint in Russia. Since the start of the Russia-Ukraine war, many Western companies have ceased working with or severely limited their business with Russia, including logistics firms like Amazon, FedEx, UPS, DHL, Maersk, Hapag-Lloyd and CMA CGM.
Countries with targeted entities include the U.S., Ukraine, Bulgaria, Czech Republic, France, Germany, Greece, Italy, Moldova, Netherlands, Poland, Romania and Slovakia.
The bad actors’ cyber espionage-oriented campaign uses a mix of previously disclosed tactics, techniques and procedures (TTPs) including credential guessing, reconstituted password spraying capabilities, sending targeted “spearphishing” emails including links to fake login pages, and modifying Microsoft Exchange mailbox permissions.
The advisory urged at-risk organizations to recognize the “elevated” threat, indicating that they should increase monitoring and threat hunting for known TTPs and indicators of compromise to defend against more potential cyberattacks.
The security coalition listed recommendations for general security mitigations, including employing network segmentation and restrictions to limit access; considering verification-reliant “zero trust” principles when designing systems; blocking logins from public VPNs; and collecting and monitoring Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.
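Two of the items above, the credential guessing and password spraying TTPs and the recommendation to monitor Windows logs for unexpected log-clearing events, are easy to put into detection logic. The following is an added example, not code from the advisory or any of its authors; it runs over constructed sample records in an assumed CSV export format (timestamp, event ID, account, source IP) and uses the standard Windows Security log event IDs 4625, 4624, 1102 and 104.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample telemetry (not real logs): "timestamp,event_id,account,source_ip".
# Windows Security log IDs: 4625 failed logon, 4624 successful logon, 1102 audit log cleared.
SAMPLE_EVENTS = """\
2025-05-20T08:00:01Z,4625,alice,203.0.113.7
2025-05-20T08:00:03Z,4625,bob,203.0.113.7
2025-05-20T08:00:05Z,4625,carol,203.0.113.7
2025-05-20T08:00:07Z,4625,dave,203.0.113.7
2025-05-20T08:00:09Z,4625,erin,203.0.113.7
2025-05-20T08:00:20Z,4624,erin,203.0.113.7
2025-05-20T08:01:00Z,4625,alice,198.51.100.9
2025-05-20T08:01:05Z,4625,alice,198.51.100.9
2025-05-20T09:30:00Z,1102,SYSTEM,10.0.0.5
"""

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, src = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event_id": int(eid), "account": account, "src": src})
    return events

def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """A spray is one source failing against many DISTINCT accounts in a short window
    (brute force hits one account repeatedly, so 198.51.100.9 is not flagged). Returns
    {src: {"accounts": [...], "later_success": [...]}}: a 4624 after the spray is urgent."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f["time"] - first["time"] <= window]
            accounts = {f["account"] for f in in_window}
            if len(accounts) >= min_accounts:
                last = in_window[-1]["time"]
                hits[src] = {"accounts": sorted(accounts),
                             "later_success": [e["account"] for e in evs
                                               if e["event_id"] == 4624 and e["time"] > last]}
                break
    return hits

def detect_log_cleared(events):
    """IDs meaning a log was wiped: 1102 (Security audit log) and 104 (System log).
    Outside planned maintenance this deserves an alert: it hides earlier activity."""
    return [e for e in events if e["event_id"] in (1102, 104)]
```

Tune `window` and `min_accounts` to the environment's normal failed-logon volume; the successful logon that follows a spray from the same source is the finding to triage first.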
Additional measures were recommended to mitigate common credential theft techniques, including reducing reliance on passwords in favor of services like single sign-on, and using multi-factor authentication with strong factors like passkeys or encrypted smartcards.
According to CrowdStrike’s 2024 Threat Hunting Report, which measures cyberattacks taking place between July 2023 and June 2024, technology is the top sector by intrusion frequency. On a year-over-year basis, cyberattacks escalated 60 percent.
As early as March 2022, the GRU also targeted Internet-connected cameras at Ukrainian border crossings, military installations and railroad stations to monitor and track aid shipments. Eighty-one percent of the targeted cameras were in Ukraine, while another 9.9 percent were in Romania and 4 percent were in Poland.
The actors targeted real-time streaming protocol servers hosting the cameras in a large-scale campaign, which included attempts to enumerate devices and gain access to the cameras’ feeds.
To defend against this malicious activity, the advisory recommended applying security patches and firmware updates to all IP cameras, disabling remote access and using a firewall to prevent communication with the camera from IP addresses not on an allowlist.
Organizations that co-authored the advisory include the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) in the U.S. and the U.K.’s National Cyber Security Centre, as well as intelligence agencies from Germany, Canada, Australia and France, among others.
In March 2022, U.S. freight forwarder Expeditors International was hit by a cyberattack, forcing the company to temporarily halt operations for eight days. The company spent $65 million in extra costs related to the security breach.
More recently, cyberattacks have been a thorn in the side of retailers, with Adidas confirming Tuesday that certain customer data was stolen through a third-party customer service provider.
While the athleticwear and footwear seller said it took steps to contain the incident, the extent of the breach is unknown.
Earlier this month, U.K.-based retailers including Harrods, Marks & Spencer and the Co-op Group experienced their own cyberattacks, with M&S suffering the biggest impact. Online shopping has been severely hampered at the retailer due to website outages that are expected to last into July.
As a result, Marks & Spencer will take a profit hit in 2025 at around 300 million pounds ($404 million).
Luxury sellers are not immune, with Dior confirming its own breach, in which unauthorized parties accessed data from customers in regions like South Korea and China. The breach primarily affected contact information, purchase history and preference data, but not bank details or credit card information.