This post is also available in:
עברית (Hebrew)
In a covert effort to interfere with military support flowing to Ukraine, Russian state-sponsored hackers have been systematically targeting critical defense and transport infrastructure across NATO and allied countries since 2022, according to a new report by the NSA, FBI, CISA, and international partners.
The cyber activity has been attributed to APT28, a threat group linked to Russia’s GRU military intelligence agency. Known under various names in cybersecurity circles—such as Fancy Bear and Forest Blizzard—APT28 has shifted its focus in recent years to disrupting operations tied to Western aid deliveries.
Targets have included transport networks, air traffic systems, maritime services, logistics providers, and aerospace sectors. Intelligence agencies have also confirmed the compromise of surveillance cameras at military facilities, border crossings, and rail hubs, giving attackers a window into the movement of supplies bound for Ukraine.
Technical analysis of the group’s operations reveals a wide-ranging toolkit. Initial access has often been achieved through brute-force login attempts, phishing campaigns, and exploiting unpatched software vulnerabilities. Once inside a network, attackers used tools such as PsExec and Impacket to navigate systems, extract data from Active Directory, and collect email addresses by scanning Office 365 environments.
To mask the origin of their operations, attackers routed activity through hijacked routers in homes and small offices—devices often located close to their actual targets. This tactic complicates detection and slows down incident response efforts.
Security agencies in the United States and Europe—including the NSA, FBI, and others—have issued public advisories detailing APT28’s methods in an attempt to disrupt the group’s effectiveness. The campaign has reportedly affected organizations in countries central to the military aid corridor, including Germany, the Netherlands, Poland, the U.S., and others across Eastern and Central Europe.
While the cyberattacks vary in scope and impact, the intent is consistent: gather intelligence on Western support mechanisms for Ukraine and create uncertainty or friction in the supply process. As hybrid warfare intensifies, the digital front lines are proving just as active—and strategically important—as those on the ground.
