UK exposes Russian cyber campaign targeting Ukraine aid

The UK has unveiled what it describes as a “malicious cyber campaign” orchestrated by a Russian military unit, specifically targeting organizations delivering foreign assistance to Ukraine.
A joint investigation led by the UK’s National Cyber Security Centre (NCSC), with allies including the US, Germany, and France, identified GRU Unit 26165, also known as “Fancy Bear,” as the culprit behind attacks since 2022.
The campaign has focused on public and private organizations providing defence, IT services, and logistics support to Ukraine. A particularly concerning aspect of the attacks involved gaining access to internet-connected cameras near Ukrainian borders, which monitored aid shipments.
The report estimates that approximately 10,000 cameras near “military installations, and rail stations” were accessed to track the movement of materials into Ukraine, with hackers even exploiting “legitimate municipal services, such as traffic cams.”
Paul Chichester, NCSC Director of Operations, emphasized the gravity of the threat: “This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine.” He urged organizations to “familiarise themselves with the threat and mitigation advice.”
John Hultquist, chief analyst at Google Threat Intelligence Group, added that anyone involved in moving goods into Ukraine “should consider themselves targeted” by Russian military intelligence, noting that such incidents “could be precursors to other serious actions.”
Fancy Bear, a notorious hacking team with a history of high-profile breaches, including the 2016 cyber-attack on the US Democratic National Committee, employed a combination of sophisticated techniques.
These included guessing passwords, spearphishing (sending fake emails to specific individuals to steal login details or install malicious software) and exploiting vulnerabilities in Microsoft Outlook through specially crafted calendar invitations.
Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit, noted these techniques have been “a staple tactic of this group for over a decade.” He added that camera access “would assist in the understanding of what goods were being transported, when, in what volumes and support kinetic [weapons] targeting.”
Robert M. Lee, CEO of cybersecurity firm Dragos, warned that the hackers not only sought a foothold in corporate networks, but also infiltrated industrial control systems to “steal important intellectual property and insights for espionage, or position themselves for disruptive attacks.” The exposure of this campaign underscores the persistent and evolving nature of state-sponsored cyber threats.