
Russian hacking group APT28 (also known as Fancy Bear) has hacked logistics companies and over 10,000 IP cameras in Europe and the US in a cyber espionage campaign to track Western aid delivery routes to Ukraine. The attacks combine sophisticated tooling, phishing, exploits for Microsoft Outlook, Roundcube and WinRAR, and attack infrastructure positioned close to the victims.
APT28, a unit of the Russian GRU (military unit 26165), has been conducting a cyber campaign against companies involved in transporting aid to Ukraine since 2022. In 2025, intelligence agencies from 21 countries confirmed that transport hubs, IT services, air traffic control systems, ports and even manufacturers of industrial control systems were attacked. The hackers used phishing emails with thematic lure documents, vulnerabilities in Outlook (CVE-2023-23397) and Roundcube, malicious archives exploiting WinRAR (CVE-2023-38831), and compromised SOHO routers to hide their tracks. The compromised accounts were connected to mail collection mechanisms (Exchange Web Services, IMAP), which allowed APT28 to continuously receive data on senders, routes, cargo contents, points of arrival, and container numbers. Voice-phishing attempts were also recorded.
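The persistent mail collection described above leaves a trace in mailbox access logs: successful EWS or IMAP logins to a user's mailbox from addresses outside the organization's own ranges, repeated over time. The following is an added detection example, not code from the advisory or from any vendor; the log format, the trusted network range and the log lines themselves are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample mailbox-access log (not real data). Fields:
# timestamp user protocol client_ip result
SAMPLE_LOG = """\
2025-05-20T08:01:10Z alice@example-logistics.test OWA 10.20.1.15 Success
2025-05-20T08:04:33Z alice@example-logistics.test EWS 10.20.1.15 Success
2025-05-20T22:17:02Z alice@example-logistics.test IMAP4 203.0.113.45 Success
2025-05-21T03:42:51Z alice@example-logistics.test IMAP4 203.0.113.45 Success
2025-05-21T09:10:05Z bob@example-logistics.test EWS 10.20.2.8 Success
2025-05-21T09:11:40Z carol@example-logistics.test IMAP4 198.51.100.9 Failure
"""

# Assumed: the organization's internal/VPN range; everything else is untrusted.
TRUSTED_NETWORKS = ["10.20.0.0/16"]
# Protocols an attacker uses to pull mail in bulk after stealing credentials.
COLLECTION_PROTOCOLS = {"EWS", "IMAP4"}


def parse_log(text):
    """Yield one event dict per non-empty line of the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, proto, ip, result = line.split()
        yield {"ts": ts, "user": user, "proto": proto,
               "ip": ipaddress.ip_address(ip), "result": result}


def find_untrusted_collection(log_text, trusted=TRUSTED_NETWORKS):
    """Return {user: {untrusted_ip: count}} for successful EWS/IMAP logins
    from outside the trusted ranges. A count above 1 for the same address
    indicates repeated polling, i.e. ongoing mail collection rather than a
    one-off login."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = defaultdict(lambda: defaultdict(int))
    for ev in parse_log(log_text):
        if ev["proto"] not in COLLECTION_PROTOCOLS or ev["result"] != "Success":
            continue
        if any(ev["ip"] in net for net in nets):
            continue  # expected access from inside the organization
        hits[ev["user"]][str(ev["ip"])] += 1
    return {user: dict(ips) for user, ips in hits.items()}


if __name__ == "__main__":
    for user, ips in find_untrusted_collection(SAMPLE_LOG).items():
        print(f"ALERT {user}: EWS/IMAP collection from {ips}")
```

Only alice is flagged: bob's EWS access comes from the trusted range and carol's IMAP attempt failed, so the alert points at the one account whose mailbox is being pulled from outside.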
APT28 (Fancy Bear), operating since 2004, has been repeatedly associated with anti-NATO campaigns, the DNC leaks (2016), attacks on the Olympics, and COVID-19-related infrastructure. Since 2022, their activity has intensified in response to international support for Ukraine. They actively use MITRE ATT&CK techniques across the full chain, from TA0001 (Initial Access) to TA0010 (Exfiltration).
APT28 continues to threaten the security of aid deliveries to Ukraine through sophisticated cyberattacks. Organizations involved in logistics should implement multi-factor authentication, isolate critical nodes, regularly update software, restrict access to cameras, avoid VPNs with questionable geography, and deploy behavioral monitoring (EDR) systems.