Response to CISA Advisory (AA25-141A): Russian GRU Targeting Western Logistics Entities and Technology Companies

The FBI, CISA, and NSA released a joint advisory detailing cyber espionage activities by Russian GRU Unit 26165 (APT28/Fancy Bear) targeting Western logistics and technology sectors, particularly involving Ukraine. AttackIQ published an assessment template simulating the unit’s post-compromise tactics and techniques to help organizations evaluate and enhance their defensive measures. #GRUUnit26165 #APT28 #AttackIQ

Keypoints

  • Russian GRU Unit 26165 (APT28/Fancy Bear) conducted multi-year espionage campaigns against Western logistics and technology entities primarily related to Ukraine and neighboring NATO countries.
  • The threat actor employed spearphishing, credential harvesting, exploitation of software vulnerabilities, and surveillance via compromised IP cameras.
  • AttackIQ released a detailed assessment template emulating Unit 26165’s post-compromise Tactics, Techniques, and Procedures (TTPs) to test security controls.
  • The assessment covers multiple MITRE ATT&CK tactics, including execution, persistence, defense evasion, discovery, collection, and exfiltration.
  • The template supports organizations in continuously validating detection and prevention systems against this persistent and evolving threat actor.
  • AttackIQ recommends prioritizing detection and mitigation of scheduled tasks and registry run key abuse to counter adversary persistence.
  • Additionally, the advisory suggests using lateral movement and credential dumping scenarios to extend emulation capabilities for a more comprehensive security evaluation.

MITRE Techniques

  • [T1574.001] DLL Search Order Hijacking – Used to load a rogue DLL into a trusted system binary exploiting Microsoft’s DLL search order.
  • [T1053.005] Scheduled Task – Created scheduled tasks with schtasks utility to maintain persistence.
  • [T1547.001] Boot or Logon Autostart Execution (Registry Run Keys) – Added registry entries under HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run malware on startup.
  • [T1547.001] Logon Autostart Execution (Startup Folder) – Achieved persistence by adding files to the system Startup Directory.
  • [T1547.009] Boot or Logon Autostart Execution (Shortcut Modification) – Created Windows shortcuts in the startup folder to execute tools and ensure persistence.
  • [T1070.001] Indicator Removal on Host (Clear Windows Event Logs) – Used wevtutil.exe to clear event logs and evade detection.
  • [T1033] System Owner/User Discovery – Executed ‘whoami’ to identify the running user account.
  • [T1016] System Network Configuration Discovery – Executed ‘arp -a’ to gather network details.
  • [T1057] Process Discovery – Used the ‘tasklist’ utility to enumerate running processes.
  • [T1082] System Information Discovery – Executed ‘hostname’ and ‘systeminfo’ to collect system details.
  • [T1087.001] Account Discovery (Local Account) – Used ‘net user’ command to list local accounts.
  • [T1114] Email Collection – Script searched for Outlook .pst and .ost files to collect email data.
  • [T1071.003] Exfiltration Over Application Layer Protocol (Mail Protocols) – Communicated with an external server over encrypted email ports for data exfiltration.

Indicators of Compromise

  • [File Hashes] Examples include identified malicious DLL files used in hijacking and scripts deployed for email collection and credential harvesting (details not expanded in article).
  • [File Names] The schtasks utility is tied to scheduled task creation; registry run keys and startup folder shortcuts are noted as the persistence mechanisms.
  • [Commands] Command-line indicators: monitor for scheduled task creation commands (e.g., “schtasks /CREATE”) and registry modification commands (“reg.exe ADD” targeting a \CurrentVersion\Run key).
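The command-line indicators above (schtasks /CREATE, reg.exe ADD against a \CurrentVersion\Run key, plus the wevtutil log clearing listed under T1070.001) can be turned into a small detection routine run over process-creation events. The following is an added example, not code from AttackIQ's template or the advisory; the event records are constructed here and the field layout (host, user, cmdline) is an assumption.

```python
import re

# Constructed sample process-creation events, in the shape a detection
# pipeline might receive from an EDR or Sysmon Event ID 1 feed (assumed layout).
SAMPLE_EVENTS = [
    ("ws01", "corp\\jsmith",
     'schtasks /CREATE /SC ONLOGON /TN "Updater" /TR "C:\\Users\\Public\\upd.exe"'),
    ("ws01", "corp\\jsmith",
     'reg.exe ADD HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
     ' /v upd /t REG_SZ /d "C:\\Users\\Public\\upd.exe"'),
    ("ws02", "corp\\admin", "wevtutil.exe cl Security"),
    # Benign look-alikes: task listing and a read-only registry query.
    ("ws03", "corp\\bob", "schtasks /QUERY /FO LIST"),
    ("ws03", "corp\\bob",
     "reg.exe QUERY HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
]

# One rule per technique from the advisory: (ATT&CK ID, regex over the command line).
# The run-key rule matches any hive (HKLM or HKCU) ending in \CurrentVersion\Run.
RULES = [
    ("T1053.005", re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("T1547.001", re.compile(r"\breg(\.exe)?\b\s+add\b.*\\currentversion\\run\b", re.I)),
    ("T1070.001", re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I)),
]


def match_event(event):
    """Return the technique IDs whose rule matches this event's command line."""
    _host, _user, cmdline = event
    return [tid for tid, rx in RULES if rx.search(cmdline)]


def scan(events):
    """Run every rule over every event; return (host, user, technique, cmdline) hits."""
    hits = []
    for host, user, cmdline in events:
        for tid in match_event((host, user, cmdline)):
            hits.append((host, user, tid, cmdline))
    return hits


if __name__ == "__main__":
    for host, user, tid, cmd in scan(SAMPLE_EVENTS):
        print(f"{host} {user} {tid}: {cmd}")
```

The two benign events at the end are there to show that a plain `schtasks /QUERY` or `reg.exe QUERY` does not trip the rules; only the creation and modification forms the advisory calls out are flagged.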


Read more: https://www.attackiq.com/2025/05/21/response-to-cisa-advisory-aa25-141a/