Warnings issued concerning widespread cyber attacks originating from Russia, focusing on vulnerable points in critical national infrastructure
In a concerning development, Russia-linked cyberattackers are continuing to exploit known vulnerabilities that the U.S. government has already warned organisations to patch, as part of an ongoing campaign against global critical infrastructure and key resource sectors.
The Russia-backed group, believed to be the military intelligence service GRU's Unit 26165, is actively conducting sophisticated cyber operations, primarily focusing on Western logistics, technology companies, government organisations, and private-sector firms linked to military support for Ukraine.
The targets of these operations extend to logistics providers across air, sea, and rail transportation modes, technology companies, internet-connected devices such as cameras in Ukraine and bordering NATO countries, government bodies, and private firms facilitating military and security support for Ukraine.
The GRU employs malware such as "Authentic Antics", designed to steal Microsoft Outlook credentials and tokens, giving the attackers stealthy, long-term access to email accounts for espionage and data exfiltration without detection.
These cyber operations aim to destabilise European security, undermine Ukraine's sovereignty, and threaten the safety of NATO citizens. They serve Russia’s foreign policy and military objectives by conducting espionage, sabotage, and information theft to support its ongoing military campaigns.
The UK’s National Cyber Security Centre (NCSC) and NATO have publicly attributed these cyber threats to the GRU, imposing sanctions on implicated individuals and units. They emphasise the need for a coordinated allied response to mitigate and counter growing Russian cyber hostility.
The latest activities are an extension of the Russia-backed group's use of WhisperGate malware against Ukrainian victim organisations in early 2022. U.S. cyber authorities have since been warning about more sophisticated and dangerous activities tied to Russia.
The threat group's activities have accelerated since Russia invaded Ukraine in February 2022. The attackers have defaced victim websites, scanned infrastructure, and exfiltrated and leaked stolen data. The threat groups are targeting the government services, financial services, transportation, energy, and healthcare sectors of NATO members and of countries in Europe, Central America, and Asia.
To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional EU countries. The primary objective remains to disrupt international aid to Ukraine. These cyber actors commonly attempt to exploit weaknesses in internet-facing systems, according to authorities.
Russia-linked hackers have also been observed attacking Microsoft's internal systems starting in late November and stealing credentials belonging to federal agencies. The threat group's primary aim is to disrupt international aid to Ukraine, and the attackers are using the exploited vulnerabilities for objectives that critical infrastructure providers may not anticipate.
U.S. and international cyber authorities have observed active exploitation of critical vulnerabilities in Atlassian Confluence Server and Data Center, Dahua IP cameras, and Sophos Firewalls. Threat groups have also obtained working exploit scripts for critical vulnerabilities in products from Atlassian, Microsoft, and Red Hat, but have not yet used them.
The Russia-backed group is known to use Virtual Private Networks (VPNs) to anonymise its operational activity. It is crucial for organisations to stay vigilant, patch known vulnerabilities, and implement robust cybersecurity measures to protect against these persistent threats.
- The continuing Russia-linked cyberattacks, attributed to the GRU's Unit 26165, focus on exploiting known vulnerabilities in technology companies, firewalls such as Sophos Firewalls, and internet-connected devices such as Dahua IP cameras.
- The GRU's malware, such as "Authentic Antics", poses a threat by stealing email credentials and tokens for espionage and data exfiltration, often without detection.
- In response to these threats, the UK’s National Cyber Security Centre (NCSC), NATO, and other cyber authorities have emphasized the importance of a coordinated allied response to counter Russia's growing cyber hostility.
- As cyber conflict intersects with political and military affairs, these Russia-linked cyberattacks serve Russia's wartime objectives, particularly in destabilising European security, undermining Ukraine's sovereignty, and threatening NATO citizens. General news outlets have reported on the increased frequency of such attacks, particularly since Russia invaded Ukraine in February 2022.