Russian GRU Targets Western Logistics and Defense Supply Chains for Ukraine Intelligence
A joint government advisory says Russia’s GRU Unit 26165, also tracked as APT28 or Fancy Bear, has run a sustained cyberespionage campaign against Western logistics providers, technology companies, and defense supply-chain organizations supporting aid flows to Ukraine. The activity has affected entities in the United States, Germany, Poland, France, and Ukraine, with intrusions aimed at transportation networks, IT services, and military-related logistics. Officials said the operators also sought visibility into aid movements by compromising internet-connected IP cameras positioned near border crossings, rail hubs, and military facilities.
Authorities linked the campaign to long-running GRU tradecraft previously used against governments, militaries, defense contractors, and cloud and email environments including Microsoft Office 365 and on-premises Exchange. Reported access methods include password spraying, brute-force and credential-guessing attacks, spearphishing, exploitation of known vulnerabilities including CVE-2020-0688 and CVE-2020-17144, and the use of malware such as HEADLACE and MASEPIE, alongside web shells, Tor, VPNs, and living-off-the-land techniques to persist and exfiltrate data. Agencies warned the espionage effort remains active and urged organizations to enforce MFA, patch exposed systems, tighten access controls, monitor for lateral movement, and review supply-chain risk.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Joint advisory warns of ongoing GRU campaign against logistics sector
A joint cybersecurity advisory disclosed the ongoing GRU campaign against Western logistics and technology organizations supporting aid flows to Ukraine, including the use of credential attacks, spearphishing, exploitation of known vulnerabilities, and malware such as HEADLACE and MASEPIE. The advisory also warned that the actors were targeting internet-connected IP cameras near border crossings, rail stations, and military facilities to monitor aid movements.
Russian GRU begins targeting Western logistics and tech firms aiding Ukraine
A cyber campaign attributed to Russian GRU Unit 26165 (APT28/Fancy Bear) began targeting Western logistics entities and technology companies involved in coordinating, transporting, and delivering foreign assistance to Ukraine. The activity also affected transportation, IT services, and defense industrial base organizations in multiple countries.
US and UK disclose global GRU cyberespionage campaign
The United States and United Kingdom publicly warned of a Russian cyberespionage campaign targeting hundreds of organizations worldwide, especially US and European governments, militaries, and defense contractors. A joint advisory attributed the activity to GRU Unit 26165/APT28 and described attacks on Microsoft Office 365 and on-premises Exchange using password spraying, brute force, and exploitation of CVE-2020-0688 and CVE-2020-17144.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Russian GRU Cyber Campaign Targets Western Logistics Firms
thecyberexpress.com
Open sourceUK Exposes APT 28’s AUTHENTIC ANTICS Malware Campaign
cyble.com
Open sourceRussian GRU targeting Western logistics entities and technology companies | Cyber.gov.au
cyber.gov.au
Open sourceUS, UK Warn Of New Worldwide Russian Cyberespionage - Breaking Defense
breakingdefense.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
APT28 Reuses Old Access and Roundcube Exploits Against Ukrainian Institutions
Ukrainian officials warned that Russia-linked hackers are revisiting earlier compromises to regain access to government and defense networks, testing whether old footholds, unpatched vulnerabilities, and previously stolen credentials still work. CERT-UA said the activity reflects a broader shift from smash-and-grab credential theft toward persistent access, with initial intrusion methods also evolving beyond phishing to more tailored social engineering, including phone calls and video chats in fluent Ukrainian before malicious files are delivered through messaging apps. Agencies tied the activity to groups including **APT28** and **Void Blizzard**, with the security and defense sector remaining the top target because disruptions there could affect the war effort. Ukraine also confirmed a long-running cyber-espionage campaign, tracked since 2023 and attributed by Western researchers to **APT28** (`Fancy Bear`, `BlueDelta`, `Forest Blizzard`), that targeted prosecutors, anti-corruption bodies, and other local government entities through **Roundcube** webmail vulnerabilities enabling code execution when a victim opened an email. Reuters reported that more than 170 email accounts belonging to prosecutors and investigators were compromised in recent months, and CERT-UA identified three waves of related attacks. Officials said some allegedly stolen material was later published online, though reviews indicated the leaks likely did not include confidential data, and warned the operation could still be used to fuel disinformation aimed at eroding trust in Ukrainian institutions.
Apr 24, 2026
Google Warns of Escalating State-Backed Cyber-Espionage Targeting Europe’s Defense Industrial Base
Google’s Threat Intelligence Group reported an intensifying, state-backed cyber-espionage campaign against **Western defense companies**—particularly across Europe—describing a “constant, multi-vector siege” aimed at stealing sensitive R&D, disrupting production, and gaining insight into next-generation battlefield systems. The report highlights **drone manufacturers and advanced weapons developers** as priority targets, with **Russia-linked activity** emphasized in the context of the war in Ukraine and a focus on unmanned aircraft technologies and their suppliers. Google attributed one phishing campaign to **UNC5976**, which used **malicious Remote Desktop Protocol (RDP) files** and **spoofed domains** impersonating defense firms across multiple countries. Google assessed that multiple state actors—**Russia, Iran, China, and North Korea**—are leveraging a broad set of access paths, including exploitation of **hiring processes**, **personal accounts**, and **remote work** environments, while smaller manufacturers and adjacent suppliers are also seeing **extortion attempts**, indicating widening supply-chain pressure. Separate reporting also described leaked documents indicating China has used a training platform (*Expedition Cloud*, developed by CyberPeace) to rehearse critical-infrastructure intrusions against neighboring countries by building network “templates” of targets and running reconnaissance-to-attack drills, underscoring the operational maturity and preparation that can translate into real-world campaigns against high-value sectors such as defense and critical infrastructure.
Mar 21, 2026
Russian Cyber Operations Hit Ukraine and Expand to Allied Governments
Ukraine has remained a primary target and proving ground for Russian-linked cyber operations, from the **Petya/NotPetya** outbreak that began via Ukrainian networks and crippled government agencies, banks, transport systems, industrial firms, and Chernobyl monitoring systems, to later destructive malware planted in dozens of Ukrainian government and private-sector networks. Microsoft said the 2022 malware was discovered alongside website defacements affecting Ukrainian entities and appeared designed for later activation, while officials warned such activity could accompany broader military escalation. Earlier attacks on Ukraine’s power grid, election systems, and software supply chain underscored how repeated intrusions against the country have had consequences far beyond its borders. The campaign has also extended well outside Ukraine through espionage and supply-chain compromises attributed by officials and researchers to Russian state actors. Microsoft reported that hackers aligned with Russia targeted organizations in **42 countries** supporting Ukraine, with nearly two-thirds of espionage victims in NATO states and successful intrusions resulting in data theft in at least a quarter of cases. Separately, suspected **S.V.R.** operators were tied to a broad intrusion set affecting at least 40 organizations, including U.S. government agencies, technology firms, and cybersecurity companies, reinforcing warnings that attacks first seen in Ukraine can evolve into wider operations against allied governments and critical sectors.
May 25, 2026