UK exposes Russian cyber campaign targeting support for Ukraine

The UK has exposed what it says is a "malicious cyber campaign" targeting multiple organisations, including those involved in delivering foreign assistance to Ukraine

After a joint investigation with allies including the US, Germany and France, the UK's National Cyber Security Centre (NCSC) said a Russian military unit had been targeting both public and private organisations since 2022.

These include organisations involved in supplying defence, IT services and logistics support.

The security bodies of 10 Nato countries and Australia said Russian spies had used a combination of hacking techniques to gain access to networks.

Some of the targets were internet-connected cameras at Ukrainian borders which monitored aid shipments going into the country.

The report also says a rough estimate of 10,000 cameras were accessed near "military installations, and rail stations, to track the movement of materials into Ukraine.

It adds the "actors also used legitimate municipal services, such as traffic cams."

The Russian military unit blamed for the espionage is called GRU Unit 26165 but goes by a number of informal names, including Fancy Bear.

The notorious hacking team is known to have previously leaked World Anti-Doping Agency data, and played a key role in the 2016 cyber-attack on the US's Democratic National Committee, according to security experts.

"This malicious campaign by Russia's military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine," Paul Chichester, NCSC Director of Operations, said in a statement.

"We strongly encourage organisations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks," he added.

Anyone involved in moving goods into Ukraine "should consider themselves targeted" by Russian military intelligence, John Hultquist, chief analyst at Google Threat Intelligence Group, said.

"Beyond the interest in identifying support to the battlefield, there is an interest in disrupting that support through either physical or cyber means," he said.

"These incidents could be precursors to other serious actions."

The joint cyber-security advisory said Fancy Bear had targeted organisations linked to critical infrastructure including ports, airports, air traffic management and the defence industry.

These were in 12 mainland European countries and the US.

The hackers used a combination of techniques to gain access, the report said, including guessing passwords.

Another method used is called spearphishing, where fake emails are targeted at specific people who have access to systems.

They are presented with a fake page where they enter their login details, or encouraged to click a link which then installs malicious software.

"The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes," the report said.

A vulnerability in Microsoft Outlook was also exploited to collect credentials "via specially crafted Outlook calendar appointment invitations".

These kinds of techniques have been "a staple tactic of this group for over a decade," Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit, said.

Camera access "would assist in the understanding of what goods were being transported, when, in what volumes and support kinetic [weapons] targeting," he added.

Cyber security firm Dragos told the BBC it had been tracking hacking activity linked to that reported by the NCSC.

It's chief executive Robert M. Lee said that the hackers it followed were not only interested in gaining a foothold in corporate computer networks but would infiltrate industrial control systems where they would be able to "steal important intellectual property and insights for espionage, or position themselves for disruptive attacks".

Sign up for our Tech Decoded newsletter to follow the world's top tech stories and trends. Outside the UK? Sign up here.