UK exposes Russian cyber campaign targeting support for Ukraine

The UK has exposed what it says is a "malicious cyber campaign" targeting multiple organisations, including those involved in delivering foreign assistance to Ukraine

After a joint investigation with allies including the US, Germany and France, the UK's National Cyber Security Centre (NCSC) said a Russian military unit had been targeting both public and private organisations since 2022.

These include organisations involved in supplying defence, IT services and logistics support.

The security bodies of 10 Nato countries and Australia said Russian spies had used a combination of hacking techniques to gain access to networks.

Some of the targets were internet-connected cameras at Ukrainian borders which monitored aid shipments going into the country.

The report also says a rough estimate of 10,000 cameras were accessed near "military installations, and rail stations, to track the movement of materials into Ukraine.

It adds the "actors also used legitimate municipal services, such as traffic cams."

The Russian military unit blamed for the espionage is called GRU Unit 26165 but goes by a number of informal names, including Fancy Bear.

The notorious hacking team is known to have previously leaked World Anti-Doping Agency data, and played a key role in the 2016 cyber-attack on the US's Democratic National Committee, according to security experts.

"This malicious campaign by Russia's military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine," Paul Chichester, NCSC Director of Operations, said in a statement.

"We strongly encourage organisations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks," he added.

The joint cyber-security advisory said Fancy Bear had targeted organisations linked to critical infrastructure including ports, airports, air traffic management and the defence industry.

These were in 12 mainland European countries and the US.

The hackers used a combination of techniques to gain access, the report said, including guessing passwords.

Another method used is called spearphishing, where fake emails are targeted at specific people who have access to systems.

They are presented with a fake page where they enter their login details, or encouraged to click a link which then installs malicious software.

"The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes," the report said.

A vulnerability in Microsoft Outlook was also exploited to collect credentials "via specially crafted Outlook calendar appointment invitations".