FORT MEADE, Md. - The National Security Agency (NSA) is joining several United States and foreign entities to release the Cybersecurity Advisory (CSA), “Russian GRU Targeting Western Logistics Entities and Technology Companies,” to call attention to a Russian state-sponsored cyber campaign targeting Western government organizations and commercial logistics entities, transportation services, and technology companies, including those involved in providing assistance to Ukraine.
The Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (Unit 26165) has been conducting this cyber-espionage campaign—using both previously disclosed and novel tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs)—since at least February 2022. This cyber actor is commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, or BlueDelta.
In addition to targeting entities involved in supplying aid to Ukraine, Unit 26165 actors can be linked to the targeting of Internet-connected cameras in Ukraine and bordering countries, likely to monitor the movement of shipments into Ukraine.
The CSA provides guidance for at-risk organizations to posture their defenses against potential targeting by Unit 26165 through recommendations for increased monitoring and threat hunting for known TTPs and IOCs.
The report outlines several of the TTPs Unit 26165 actors use to gain access to targeted entities, including password spraying, spearphishing, and modification of Microsoft Exchange mailbox permissions. Additionally, the advisory highlights the specific risk to a range of small office/home office (SOHO) devices, as Unit 26165 actors abuse vulnerabilities associated with a range of brands and models to conduct covert cyber operations and proxy malicious activity.
The authoring agencies expect this cyber-espionage campaign to continue. To defend against and mitigate these threats, at-risk entities should anticipate targeting by Unit 26165 actors, become familiar with the known TTPs and IOCs associated with Unit 26165, and implement the mitigations listed in the CSA.
NSA Media Relations
MediaRelations@nsa.gov
443-634-0721