Russian GRU cyber espionage campaign targets logistics and technology firms supplying Ukraine
Russian GRU hackers breach Western logistics and tech firms aiding Ukraine. See how this cyber campaign is reshaping security and global supply chains.
In a joint advisory published on 21 May 2025, the United Kingdom’s National Cyber Security Centre (NCSC), together with partner agencies in the United States, Canada, Australia and several EU member states, formally attributed a long-running, coordinated cyber espionage campaign to Russia’s military intelligence service, the GRU. The operations are conducted by GRU Unit 26165 (the 85th Main Special Service Center), tracked by industry as APT28, Fancy Bear and Forest Blizzard.
The state-sponsored campaign, active since at least February 2022, has targeted logistics providers, transport infrastructure operators and enterprise IT service firms in NATO member states and Ukraine that are involved in delivering humanitarian and military support to Ukraine. Analysts describe the operations as a strategic escalation in hybrid warfare: rather than disrupting these networks, the Russian state has been systematically penetrating civilian infrastructure nodes to extract operational intelligence on Western supply chains and aid deliveries.

Why Is Russia Targeting Western Logistics and Tech Firms in 2025?
The exposure of this GRU-led cyber campaign is not just a cybersecurity event—it’s a geopolitical signal that digital infrastructure has become a frontline war asset. Since the early stages of the Ukraine conflict, Russian cyber doctrine has evolved from disruptive attacks like NotPetya toward more targeted, espionage-driven operations intended to monitor and eventually subvert the delivery of foreign aid. The latest advisory reveals that Russian operatives are seeking to gain real-time visibility into logistics operations via credential theft, surveillance camera hijacking, and infiltration of IT networks supporting NATO’s Ukrainian logistics corridor.
In terms of broader business context, this comes at a time when global logistics firms are already under pressure from rising fuel costs, geopolitical choke points such as the Suez Canal and the Red Sea, and increased regulatory scrutiny around data privacy. Technology vendors in cloud communications and identity and access management, such as Okta, Cisco Duo and Microsoft Entra ID (formerly Azure AD), are also seeing elevated enterprise demand for advanced threat protection tools. The GRU campaign exposes a significant risk in both sectors that security-conscious investors and enterprise clients are now looking to mitigate.
How Did GRU Unit 26165 Execute These Cyber Intrusions?
The joint advisory, co-authored by the NSA, FBI and CISA alongside European counterparts, details an extensive set of tactics, techniques and procedures (TTPs) employed by Unit 26165. These include brute-force and password-spraying attacks against account credentials, spearphishing with thematically relevant lures, modification of Microsoft Exchange mailbox permissions so that a compromised account retains access to other users’ mail, and abuse of default credentials on internet-connected surveillance cameras.
In several documented cases, the actors sent Outlook calendar invitations that exploited CVE-2023-23397. The flaw, patched by Microsoft in March 2023, lets an attacker set an appointment’s reminder sound path (the PidLidReminderFileParameter property) to a UNC path on a server they control; when the reminder fires, Outlook authenticates to that server with no user interaction and leaks the victim’s Net-NTLMv2 response, which can be cracked offline or relayed. Its continued use in 2024 and 2025 indicates that unpatched Outlook clients remained in these environments. Combined with fake webmail login pages hosted on free request-capture services such as webhook[.]site and mockbin[.]org, these techniques allowed the operators to steal credentials from logistics firm personnel, shipping agents and the IT administrators responsible for coordinating NATO-linked aid shipments.
The campaign also featured systematic compromise of IP surveillance cameras deployed at Ukrainian border crossings, NATO port facilities and commercial airports in Poland, Slovakia and Romania. The GRU gained access to these feeds by sending RTSP DESCRIBE requests carrying default or dictionary-guessed credentials; because RTSP Basic authentication transmits the username and password as a single base64-encoded string, a camera exposed to the internet with factory credentials is effectively open to anyone who asks. Through this access, the adversaries could visually track cargo movements, read container numbers, and view the timestamps and route data associated with aid convoys.
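The three techniques above each leave a recognisable trace in ordinary infrastructure logs. The following script is an added example written for this article, not code from the joint advisory or from any agency or vendor named here. It runs three detections over constructed sample log lines: workstation-to-internet SMB connections (the network side effect of a CVE-2023-23397 calendar item forcing Outlook to authenticate to an attacker’s UNC path), proxy requests to the request-capture services named in the advisory, and RTSP DESCRIBE requests that carry default credentials, whether embedded in the URL or in a Basic Authorization header. The log formats, IP addresses, user names and the default-credential list are assumptions.

```python
"""Added example, not code from the advisory or the article. Three detections for the
Unit 26165 techniques described above, run over constructed sample log lines.
Log formats, addresses, user names and DEFAULT_CREDS are assumptions."""
import base64
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Assumed internal address space; anything outside it is treated as "the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# 1. NTLM leak. Constructed firewall lines: "<ts> <src_ip> <dst_ip> <dst_port> <proto>"
FIREWALL_LOGS = """\
2025-05-20T09:12:03Z 10.20.1.17 10.20.5.2 445 tcp
2025-05-20T09:12:41Z 10.20.1.17 203.0.113.45 445 tcp
2025-05-20T09:13:02Z 10.20.1.23 198.51.100.9 443 tcp
2025-05-20T09:14:55Z 10.20.1.31 203.0.113.45 139 tcp
"""
SMB_PORTS = {139, 445}  # WebDAV over 80/443 is the other leak channel, but too noisy for a flow-only rule


def ntlm_leak_candidates(log_text: str) -> List[Dict[str, str]]:
    """Hosts talking SMB to non-internal addresses: what a CVE-2023-23397 reminder
    (or any other forced-authentication lure) looks like on the wire."""
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, port, proto = line.split()
        if proto == "tcp" and int(port) in SMB_PORTS and not is_internal(dst):
            hits.append({"ts": ts, "src": src, "dst": dst, "reason": "smb-to-internet"})
    return hits


# 2. Credential harvesting. Constructed proxy lines: "<ts> <user> <method> <url> <status>"
PROXY_LOGS = """\
2025-05-20T10:01:11Z jdoe GET https://outlook.office.com/owa/ 200
2025-05-20T10:04:52Z jdoe GET https://a1b2c3d4.webhook.site/owa/login.html 200
2025-05-20T10:05:07Z jdoe POST https://a1b2c3d4.webhook.site/owa/auth 200
2025-05-20T10:09:30Z msmith GET https://mockbin.org/bin/5f3e/mail 200
"""
LURE_HOST_SUFFIXES = ("webhook.site", "mockbin.org")  # services named in the advisory


def lure_hits(log_text: str) -> List[Dict[str, str]]:
    """Any request to a request-capture host is suspicious; a POST means a form was submitted."""
    hits = []
    for line in log_text.splitlines():
        ts, user, method, url, _status = line.split()
        host = (urlsplit(url).hostname or "").lower()
        if any(host == s or host.endswith("." + s) for s in LURE_HOST_SUFFIXES):
            hits.append({"ts": ts, "user": user, "host": host, "method": method,
                         "severity": "high" if method == "POST" else "medium"})
    return hits


# 3. Camera access. Constructed RTSP lines: "<ts> <src_ip> <method> <url> basic=<b64 or ->"
RTSP_LOGS = """\
2025-05-20T11:20:01Z 192.0.2.77 DESCRIBE rtsp://10.30.0.12:554/Streaming/Channels/101 basic=YWRtaW46YWRtaW4=
2025-05-20T11:20:02Z 192.0.2.77 DESCRIBE rtsp://admin:12345@10.30.0.13:554/live.sdp basic=-
2025-05-20T11:20:03Z 192.0.2.77 OPTIONS rtsp://10.30.0.14:554/ basic=-
2025-05-20T11:25:40Z 10.30.0.5 DESCRIBE rtsp://10.30.0.12:554/Streaming/Channels/101 basic=b3BzOlRoaXNJc0xvbmdFbm91Z2gh
"""
DEFAULT_CREDS = {("admin", "admin"), ("admin", "12345"), ("admin", "123456"), ("root", "root"), ("admin", "")}


def creds_from_request(url: str, basic_field: str) -> Optional[Tuple[str, str]]:
    """Credentials can ride in the URL userinfo or in 'Authorization: Basic <base64(user:pass)>'."""
    parts = urlsplit(url)
    if parts.username is not None:
        return unquote(parts.username), unquote(parts.password or "")
    if basic_field != "-":
        user, _, pw = base64.b64decode(basic_field).decode("utf-8", "replace").partition(":")
        return user, pw
    return None


def rtsp_hits(log_text: str) -> List[Dict[str, object]]:
    """Flag DESCRIBE requests from outside the internal ranges or using default/empty passwords."""
    hits = []
    for line in log_text.splitlines():
        ts, src, method, url, basic = line.split()
        if method != "DESCRIBE":  # OPTIONS/other probes are logged but not scored here
            continue
        reasons = []
        if not is_internal(src):
            reasons.append("describe-from-internet")
        creds = creds_from_request(url, basic[len("basic="):])
        if creds is not None and (creds in DEFAULT_CREDS or creds[1] == ""):
            reasons.append("default-credentials")
        if reasons:
            hits.append({"ts": ts, "src": src, "camera": urlsplit(url).hostname,
                         "user": creds[0] if creds else None, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for finding in ntlm_leak_candidates(FIREWALL_LOGS) + lure_hits(PROXY_LOGS) + rtsp_hits(RTSP_LOGS):
        print(finding)
```

On the sample data the script flags the two SMB flows to 203.0.113.45, all three request-capture hits (the POST ranked high), and the two external DESCRIBE requests that used admin:admin and admin:12345; the internal operator session with a non-default password is not reported. In production the internal ranges, the lure-host list and the default-credential set should come from your own asset inventory and threat intelligence rather than the constants above.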
Which Countries and Companies Were Targeted?
The campaign has spanned more than a dozen countries, including the United States, Germany, France, Italy, Greece, Bulgaria, Moldova, Ukraine, the Netherlands and Poland. Private sector entities affected span commercial logistics firms, railway infrastructure technology companies, maritime freight providers and cloud-based identity management vendors. While individual company names have not been disclosed publicly, sector analysts suggest that Tier 1 transport and cloud vendors with exposure to government or NATO logistics contracts are the most likely high-value targets.
Analysts believe the campaign’s scale may rival earlier GRU-attributed operations such as the 2017 NotPetya attack, though with a quieter, stealth-focused execution. In contrast to destructive malware, Unit 26165 appears intent on remaining embedded in corporate networks for months, using the HEADLACE and MASEPIE backdoors to collect sensitive operational intelligence while staying below the thresholds of standard antivirus and SIEM alerting.
What Are the Business and Market Implications?
Institutional sentiment turned sharply risk-averse following the release of this advisory. Defense-sector ETFs with exposure to logistics tech saw minor rebalancing activity, with sell-offs observed in smaller-cap transportation software stocks. Meanwhile, cybersecurity providers such as Palo Alto Networks, CrowdStrike, and SentinelOne saw modest upticks in premarket trading, reflecting market expectations that spending on surveillance security, endpoint detection and response, and threat intel subscriptions will rise significantly in H2 2025.
Cloud identity platforms such as Microsoft Entra ID and Okta may also benefit from accelerated adoption as enterprise customers move to retire legacy authentication, which is more exposed to NTLM credential theft and mailbox permission abuse. Microsoft’s patch for CVE-2023-23397 and its companion PowerShell script (CVE-2023-23397.ps1), which audits Exchange mailboxes for items whose reminder property points at an external path and can optionally remove them, have been available since March 2023; the advisory’s findings are a reminder that both still need to be applied and run, alongside guidance for reviewing mailbox permissions for unexpected delegations.
Among logistics firms, the implications are severe. A breach involving even non-sensitive shipment data could result in contract suspension or downgrades in supplier risk ratings. As a result, CISOs across shipping, trucking, and rail operations are now prioritising EDR coverage across on-prem and hybrid cloud assets, particularly those supporting route planning, inventory tracking, and customs brokerage functions.
How Are Governments and Companies Responding?
In the days following the advisory’s release, multiple Western governments have initiated emergency reviews of cybersecurity protocols in their respective logistics chains. The UK’s Ministry of Defence, for instance, has launched a parallel review of civilian-military logistics network interdependencies, especially in contracts involving sea and rail transport of dual-use goods to Ukraine.
Cybersecurity firms are reporting a surge in queries related to RTSP port filtering, secure remote access for IP cameras, and script auditing for PowerShell activity linked to known GRU indicators of compromise. Red teams have also begun simulating HEADLACE and MASEPIE infection chains to evaluate the resilience of endpoint configurations in supply chain environments.
Moreover, security regulators in Germany, Poland, and the Netherlands are considering whether enhanced incident disclosure rules should apply to logistics firms serving military clients, in a move that would mirror existing frameworks in financial services and energy. Such mandates could lead to higher compliance costs but would also reduce dwell time of adversaries inside enterprise networks.
What Is the Forward Outlook for Logistics Cybersecurity?
Looking ahead, security analysts and threat intelligence providers expect that cyber operations from Russian state-sponsored units like APT28 will continue and possibly expand. The goal appears to be not only the interception of logistics data but also the preparation of future disruption campaigns targeting physical movement of aid. As Ukraine’s Western support intensifies, so too will the volume of digital surveillance and cyber sabotage attempts designed to weaken the flow of matériel and humanitarian supplies.
Analysts also note that the GRU’s cyber playbook is likely to expand its targeting to include aviation scheduling systems, fuel logistics platforms, and customs clearance interfaces. Already, there are signs that threat actors are experimenting with malware variants that can access SCADA environments and cloud-native orchestration tools—an ominous signal for companies running modern automated supply chains.
As the global business community internalises the full scope of the Unit 26165 campaign, cybersecurity budgets for 2025–2026 are being re-evaluated in real time. Boardrooms are increasingly recognising that cybersecurity is no longer an IT function—it is a core component of geopolitical risk management.
Discover more from Business-News-Today.com