A state-sponsored cyber threat campaign attributed to APT28 (BlueDelta, Fancy Bear, or Forest Blizzard) has been targeting Western logistics entities and technology companies since 2022. The campaign aims to exploit vulnerabilities in various webmail services, Microsoft Exchange mailbox permissions, and other critical infrastructure.
The attackers use a mix of previously disclosed tactics, techniques, and procedures (TTPs), including password spraying, spear-phishing, and modifying mailbox permissions for espionage purposes. Initial access is gained through brute-force attacks, spear-phishing, or exploiting vulnerabilities in webmail services.
Once inside, the attackers conduct reconnaissance to identify additional targets and exfiltrate sensitive information using tools like Impacket, PsExec, and Remote Desktop Protocol (RDP). They also utilize malware families like HeadLace and MASEPIE to establish persistence on compromised hosts.
The primary targets of the campaign include organizations within NATO member states and Ukraine, spanning defense, transportation, maritime, air traffic management, and IT services verticals. The attackers have relied on different methods based on the victim environment, often utilizing PowerShell commands or Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) to siphon information from email servers.
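Two of the behaviours described above, password spraying against a mail login endpoint and the granting of mailbox permissions for collection, leave distinct traces in authentication and Exchange admin-audit logs. The following is an added example written for this summary, not code from the article or from the referenced advisory; the log formats, host names, and the `AUTH_LOG` / `ADMIN_AUDIT_LOG` samples are constructed for illustration and do not match any real product's schema. It shows the detection logic a defender would run: a spray is flagged by account breadth per source (many distinct usernames failing from one address in a short window, as opposed to many failures against one account), and `Add-MailboxPermission` records granting `FullAccess` are surfaced, with self-grants prioritised.

```python
"""Detection heuristics for two APT28-style behaviours named in the summary:
   1. password spraying against a webmail/Exchange login endpoint
      (one source, many distinct usernames, short window)
   2. mailbox permission changes (Exchange admin-audit records for
      Add-MailboxPermission granting FullAccess), a collection step.
Both log formats below are CONSTRUCTED for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events: timestamp source_ip user result
AUTH_LOG = """\
2025-05-20T08:00:01Z 203.0.113.10 alice FAIL
2025-05-20T08:00:03Z 203.0.113.10 bob FAIL
2025-05-20T08:00:05Z 203.0.113.10 carol FAIL
2025-05-20T08:00:07Z 203.0.113.10 dave FAIL
2025-05-20T08:00:09Z 203.0.113.10 erin FAIL
2025-05-20T08:00:11Z 203.0.113.10 frank SUCCESS
2025-05-20T08:15:00Z 198.51.100.7 alice FAIL
2025-05-20T08:15:30Z 198.51.100.7 alice FAIL
2025-05-20T08:16:00Z 198.51.100.7 alice SUCCESS
"""

# Constructed sample admin-audit style records: timestamp actor cmdlet key=value...
ADMIN_AUDIT_LOG = """\
2025-05-20T09:02:11Z svc-backup Set-Mailbox Identity=alice ProhibitSendQuota=2GB
2025-05-20T09:05:40Z frank Add-MailboxPermission Identity=ceo User=frank AccessRights=FullAccess
2025-05-20T09:06:02Z frank Add-MailboxPermission Identity=cfo User=frank AccessRights=FullAccess
"""


def parse_auth(text):
    """Parse the constructed auth format into (datetime, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted distinct users} for every source whose failed
    logins touched at least `min_users` distinct accounts inside some `window`.
    Spraying is a few passwords across many accounts, so the signal is account
    breadth per source, not failure count per account (that is brute force)."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    hits = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def spray_then_success(events, spray_hits):
    """Accounts that later authenticated successfully from a spraying source:
    the highest-priority leads, since the spray evidently found a valid password."""
    return sorted({u for _, ip, u, r in events if r == "SUCCESS" and ip in spray_hits})


def detect_mailbox_permission_grants(text):
    """Return (actor, target_mailbox, grantee, is_self_grant) for each
    Add-MailboxPermission record that grants FullAccess. Any such grant outside
    an approved change deserves review; a grant to the actor's own account is
    the pattern to escalate first."""
    grants = []
    for line in text.splitlines():
        _, actor, cmdlet, *params = line.split()
        if cmdlet != "Add-MailboxPermission":
            continue
        kv = dict(p.split("=", 1) for p in params)
        if kv.get("AccessRights") == "FullAccess":
            grants.append((actor, kv["Identity"], kv["User"], actor == kv["User"]))
    return grants


if __name__ == "__main__":
    ev = parse_auth(AUTH_LOG)
    sprays = detect_password_spray(ev)
    print("spraying sources:", sprays)
    print("accounts that succeeded after spray:", spray_then_success(ev, sprays))
    print("FullAccess grants:", detect_mailbox_permission_grants(ADMIN_AUDIT_LOG))
```

On the constructed sample the two detections chain: one source sprays five accounts and gets a valid login for `frank`, and `frank` then grants himself FullAccess on two executive mailboxes, which is exactly the mailbox-permission tradecraft the summary describes. Tune `min_users` and `window` to the normal failure baseline of the environment; the self-grant check is cheap enough to alert on unconditionally.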
The U.K. and partners have raised awareness of the tactics being deployed by APT28, urging targeted organizations to take necessary precautions to mitigate the risk.
Source: https://thehackernews.com/2025/05/russian-hackers-exploit-email-and-vpn.html