
Invisible War: Russia infiltrated NATO logistics chains that supply Ukraine

An extensive report, published by the Polish authorities at the end of May, reveals the scale of a Russian cyber campaign that ran silently for over three years. Its target: the logistics chains that carry Western military aid into Ukraine.

Weapons to Ukraine/Photo: Archive

According to the conclusions of the Polish Military Counterintelligence Service (SKW) and the Internal Security Agency (ABW), Russia – through GRU military unit 26165, also known as APT28 or “Fancy Bear” – has carried out complex cyber attacks on critical infrastructure in several NATO states, reports Euromaidans.com.

Among the targets of the attacks: logistics hubs in Poland, border crossing points, and companies in the transport, telecommunications and IT sectors. The objective: obtaining strategic information on the flow of equipment and ammunition to Ukraine.

A GRU operation with extensive logistics and IT support

The campaign, launched immediately after the outbreak of the Russian invasion in February 2022, exploited already known software vulnerabilities – in Microsoft Outlook and WinRAR, among others – as well as weaknesses in Remote Desktop services and video cameras connected to the internet.

The GRU unit involved – the 85th Main Special Service Center – mainly targeted logistics companies, airports, seaports and air traffic management, but also the IT networks of government institutions and private companies in Poland, Ukraine, Germany, France, Italy, Romania, Slovakia and the USA.

The report was developed in collaboration with intelligence and cyber security agencies in the United States (NSA, FBI), the UK, Germany, Canada, France, Estonia, the Czech Republic and other European states.

Discreet infiltration, long-lasting access

The attacks were built on spear-phishing: personalised emails that imitate official correspondence to trick employees into handing over their login credentials. Once inside the system, the attackers used dedicated privilege-escalation tools and malware (HeadLace, MASEPIE) to maintain access and extract documents, credentials and information about military transports.

In many cases the attacks went undetected for months or even years, with the GRU using legitimate but vulnerable applications to move laterally through compromised networks. Windows infrastructure – especially domain controllers and Active Directory databases – was the preferred target.

Surveillance cameras, turned into the eyes of the GRU

One of the most disturbing elements revealed by the report is the massive use of civilian video cameras connected to the internet. According to the SKW, over 10,000 such devices – in Poland, Ukraine, Slovakia, Romania and other states in the region – were accessed by the GRU through unchanged default passwords or unsecured protocols. The real-time footage allowed the mapping of the routes taken by convoys carrying military or humanitarian aid.

This type of passive, almost invisible espionage gives Russia a considerable operational advantage, especially since many of these logistics assets are not traditionally considered military targets.

Diverse targets: from manufacturers of railway equipment to IT companies

The report identifies victims from a wide range of sectors:

- transport and logistics companies involved in the delivery of military equipment;

- air traffic management services and radar communications;

- IT service providers;

- maritime and port infrastructure;

- manufacturers of industrial control systems and operators of railway lines.

Many of the affected companies were not aware of the unauthorised access. In some cases the attackers modified email forwarding rules or created scheduled tasks to re-infect the systems after each security update.

International Response and Strict Security Recommendations

In addition to its diagnosis of the GRU campaign, the report contains over 40 pages of technical recommendations. Among the most important proposed measures:

- immediate patching of known vulnerabilities;

- implementation of multi-factor authentication and the principle of “least privilege”;

- auditing of all remote access applications and email forwarding rules;

- deactivation of insecure protocols such as Telnet, SMBv1 or RTSP;

- immediate change of default passwords and updating of the firmware of surveillance cameras.
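Two of the persistence tricks the report describes, modified email forwarding rules and scheduled tasks that re-arm after updates, are also the ones the recommendation to audit remote access and forwarding rules is aimed at. The following Python script is an added example written for this article, not part of the Polish report or its recommendations; it audits a constructed export of mailbox inbox rules and scheduled-task definitions and flags the patterns described above. The domain `example-logistics.local`, the sample rules and tasks, and the list of user-writable directories are assumptions made for the example.

```python
import json
import re
from typing import Dict, List

# Assumption: the organisation's own mail domains. Any other domain is "external".
INTERNAL_DOMAINS = {"example-logistics.local"}

# Assumption: directories an administrator does not normally launch task payloads from.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

# Constructed sample: an export of mailbox inbox rules (one dict per rule).
SAMPLE_RULES = json.loads(r"""[
  {"mailbox": "dispatch@example-logistics.local", "name": "Archive 2024", "enabled": true,
   "forward_to": [], "redirect_to": [], "delete_message": false},
  {"mailbox": "dispatch@example-logistics.local", "name": ".", "enabled": true,
   "forward_to": ["collector@mail-relay.example"], "redirect_to": [], "delete_message": true},
  {"mailbox": "ops@example-logistics.local", "name": "Convoy backup", "enabled": true,
   "forward_to": [], "redirect_to": ["ops-backup@example-logistics.local"], "delete_message": false}
]""")

# Constructed sample: scheduled-task definitions reduced to name, command and trigger types.
SAMPLE_TASKS = json.loads(r"""[
  {"name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
   "command": "C:\\Windows\\System32\\defrag.exe -c", "triggers": ["weekly"]},
  {"name": "\\SystemHealthCheck",
   "command": "C:\\Users\\dispatch\\AppData\\Roaming\\health\\svc.exe", "triggers": ["boot", "logon"]}
]""")


def _domain(address: str) -> str:
    """Mail domain of an address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def audit_inbox_rules(rules: List[Dict]) -> List[Dict]:
    """Return one finding per enabled rule that forwards or redirects mail outside INTERNAL_DOMAINS."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        recipients = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = [a for a in recipients if _domain(a) not in INTERNAL_DOMAINS]
        if not external:
            continue
        reasons = ["mail leaves the organisation: " + ", ".join(external)]
        if rule.get("delete_message"):
            reasons.append("message is deleted after forwarding, hiding the leak from the user")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        findings.append({"mailbox": rule["mailbox"], "rule": rule.get("name", ""), "reasons": reasons})
    return findings


def audit_scheduled_tasks(tasks: List[Dict]) -> List[Dict]:
    """Flag tasks whose command runs from a user-writable path, noting if they re-arm at boot or logon."""
    findings = []
    for task in tasks:
        command = task.get("command", "")
        if not USER_WRITABLE_RE.search(command):
            continue
        reasons = ["executable lives in a user-writable directory"]
        rearm = sorted({t.lower() for t in task.get("triggers", [])} & {"boot", "logon"})
        if rearm:
            reasons.append("re-runs at " + "/".join(rearm))
        findings.append({"task": task["name"], "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_inbox_rules(SAMPLE_RULES) + audit_scheduled_tasks(SAMPLE_TASKS):
        print(json.dumps(finding, indent=2))
```

On the sample data the script reports the single-character rule that forwards the dispatch mailbox to an outside address and deletes the originals, and the task that launches a binary from a user profile at every boot and logon; the legitimate archive rule, the internal redirect and the built-in defrag task produce no findings. Feeding it real exports means replacing the two constructed lists with the output of your mail platform's rule export and the scheduled-task inventory of the hosts in question.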

Poland's call: “Assume you are a target”

In a public statement, Poland's Minister of Digitalization, Krzysztof Gawkowski, warned that cyberspace is now a genuine battlefield, and that companies and institutions in NATO countries must assume they are being targeted by Russian services.

“We must talk openly about these attacks. It is our responsibility to inform, prevent and build real resilience – together, beyond borders.”

Ashley Davis