Russia’s cyber forces are going after more than just digital targets—they’re tracking the real-world movement of aid. This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert with allied agencies in the UK, Germany, and other NATO countries. The message: Russian hackers targeting Western supply lines are now a serious threat.
CISA singled out Unit 26165—better known as Fancy Bear or APT28. These military hackers, linked to Russia’s GRU, are focusing on companies that move weapons, aid, and supplies into Ukraine. That includes shipping firms, rail networks, air traffic systems, and the IT vendors who support them.
The hackers’ playbook is clear: gain access, stay hidden, and steal what matters most. One top objective is shipping manifests. These reveal train schedules, container numbers, and exact delivery times. With this data, Moscow can track every shipment bound for Ukraine.
According to CISA, this campaign began in early 2022 and has ramped up since. So far, at least 13 NATO countries, the U.S., and Ukraine have seen confirmed victims.
Once inside, the attackers move fast. They often start with password spraying or spear-phishing. Then they exploit known software bugs—like flaws in Microsoft Outlook, Roundcube webmail, and WinRAR. In some cases, they launch attacks from compromised routers in home offices.
From there, it escalates. They steal large volumes of email using Exchange mailbox permissions. They pivot inside networks using tools like Impacket and PsExec. To stay hidden, they deploy malware such as HEADLACE and MASEPIE.
The intrusions don’t stop with shipping data. CISA says the hackers also scan for cybersecurity team contacts, transport coordinators, and partner companies. They want access to the entire supply chain.
In one alarming twist, Russian intelligence even hijacked thousands of IP cameras at rail yards and border crossings. This gave them a live feed of aid convoys as they moved.
CISA is urging all logistics and technology companies to act now. Steps include enabling phishing-resistant MFA, patching Outlook, Roundcube, and WinRAR vulnerabilities, and locking down exposed devices.
The agency warns: assume you’re already a target. Boost monitoring. Hunt for signs of compromise. And review identity controls across all systems.
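The email-theft technique described above (abusing Exchange mailbox permissions) is one of the easier signs of compromise to hunt for, because every grant leaves an admin-audit record. The script below is an added example, not part of the CISA advisory or this article: it runs three hunting checks over a handful of constructed audit entries (the field names are assumptions, not a fixed product schema) and flags FullAccess grants to non-owners, administrators granting their own account access, and one grantee collecting access to many mailboxes.

```python
from collections import defaultdict

# Constructed sample entries shaped like Exchange admin-audit records.
# Field names ("cmdlet", "actor", "grantee", "rights") are assumptions for this example.
SAMPLE_AUDIT = [
    {"ts": "2024-03-01T02:14:07Z", "cmdlet": "Add-MailboxPermission", "actor": "helpdesk1",
     "mailbox": "logistics.coord@corp.example", "grantee": "helpdesk1", "rights": "FullAccess"},
    {"ts": "2024-03-01T02:15:31Z", "cmdlet": "Add-MailboxPermission", "actor": "helpdesk1",
     "mailbox": "rail.dispatch@corp.example", "grantee": "helpdesk1", "rights": "FullAccess"},
    {"ts": "2024-03-01T02:16:02Z", "cmdlet": "Add-MailboxPermission", "actor": "helpdesk1",
     "mailbox": "customs.docs@corp.example", "grantee": "helpdesk1", "rights": "FullAccess"},
    {"ts": "2024-03-01T09:40:12Z", "cmdlet": "Add-MailboxPermission", "actor": "admin2",
     "mailbox": "shared.ops@corp.example", "grantee": "ops.team", "rights": "SendAs"},
    {"ts": "2024-03-01T10:05:44Z", "cmdlet": "Add-MailboxPermission", "actor": "admin2",
     "mailbox": "fleet.mgr@corp.example", "grantee": "fleet.assistant", "rights": "FullAccess"},
    {"ts": "2024-03-01T10:06:10Z", "cmdlet": "Set-Mailbox", "actor": "admin2",
     "mailbox": "fleet.mgr@corp.example", "grantee": "", "rights": ""},
]


def full_access_grants(records):
    """Add-MailboxPermission records that hand FullAccess to someone other than the mailbox owner."""
    out = []
    for r in records:
        if r["cmdlet"] != "Add-MailboxPermission" or "FullAccess" not in r["rights"]:
            continue
        owner = r["mailbox"].split("@")[0]  # owner identity assumed to equal the local part
        if r["grantee"] != owner:
            out.append(r)
    return out


def self_grants(records):
    """An administrator granting their own account access to another user's mailbox: review each one."""
    return [r for r in full_access_grants(records) if r["actor"] == r["grantee"]]


def bulk_grantees(records, threshold=3):
    """Grantees holding FullAccess on at least `threshold` distinct mailboxes (bulk-harvesting pattern)."""
    seen = defaultdict(set)
    for r in full_access_grants(records):
        seen[r["grantee"]].add(r["mailbox"])
    return {g: len(m) for g, m in seen.items() if len(m) >= threshold}


if __name__ == "__main__":
    for r in full_access_grants(SAMPLE_AUDIT):
        print("FullAccess to non-owner:", r["ts"], r["actor"], "->", r["grantee"], "on", r["mailbox"])
    print("self-grants:", [(r["actor"], r["mailbox"]) for r in self_grants(SAMPLE_AUDIT)])
    print("bulk grantees:", bulk_grantees(SAMPLE_AUDIT))
```

In a real hunt the same checks apply to exported admin-audit or unified-audit records; the threshold and the owner-matching rule should be tuned to how the tenant actually delegates shared mailboxes.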
The bottom line? Russia is using its cyber units to track and disrupt Western support for Ukraine. Companies in the logistics chain must treat this as a direct threat—not just to data, but to global stability.