The National Cyber and Information Security Agency (NÚKIB), together with the Security Information Service and Military Intelligence of the Czech Republic, has joined partners from the United States, the United Kingdom, Germany, Poland, Australia, Canada, Denmark, Estonia, France, and the Netherlands in issuing an advisory about a long-term cyber campaign conducted by Russia-backed actors. These attacks primarily target logistics and technology companies involved in delivering foreign aid to Ukraine.

The campaign is being conducted by a unit of Russian military intelligence known as GRU Unit 26165 (also referred to as Fancy Bear and Forest Blizzard, among other names). This group has been carrying out espionage operations for over two years against entities in the defence and transportation sectors, including air, maritime, and rail transport. It also targets government institutions and commercial companies in NATO member states, Ukraine, and neighbouring countries.

The attackers use well-known tactics such as password spraying, targeted phishing emails, changes to mailbox settings in Microsoft Exchange environments, and exploitation of software vulnerabilities, including vulnerabilities in Outlook (NTLM) and WinRAR. These methods allow them to gain initial access to systems, after which they install malware to maintain persistence and steal data.

Unit 26165 also actively monitored the transport of aid to Ukraine by accessing IP cameras located at border crossings, railway hubs, and other strategic points. In the observed campaign, they primarily targeted IP cameras exposed over the RTSP protocol, using publicly known default login credentials or brute-force techniques to gain access. The collected data included still images and metadata from the cameras.

An analysis of more than 10,000 targeted cameras revealed that the majority (81%) were located in Ukraine. Others were found in Romania, Poland, Hungary, and Slovakia.

GRU actors also focused on individuals responsible for coordinating transportation and companies cooperating with the targeted organizations. They exploited trusted business relationships to further infiltrate target networks. They also identified entities involved in the production of components for industrial control systems (ICS), which are used, for example, in railway transport.

The report warns that these activities are likely to continue. Technology and logistics companies, as well as organizations in the transportation sector, should therefore strengthen monitoring, actively hunt for signs of compromise (threat hunting), and implement appropriate protective measures against these sophisticated threats. Indicators of compromise, along with the attackers’ tactics and techniques, can be found in the full version of the advisory.