This advisory details a Russian GRU unit 26165 cyber espionage campaign targeting Western logistics and technology companies involved in support to Ukraine, employing known tactics such as spearphishing, credential spraying, and exploitation of vulnerabilities. The actors also conducted large-scale surveillance of IP cameras near Ukraine and NATO borders to track aid shipments. #GRUunit26165 #HEADLACE #MASEPIE #CVE-2023-23397
Key points
- Russian GRU unit 26165 has targeted Western logistics providers, technology firms, and IP cameras to gain intelligence on foreign aid deliveries to Ukraine since 2022.
- Initial access methods include spearphishing with credential harvesting, abuse of SOHO devices, exploitation of Microsoft Outlook (CVE-2023-23397), Roundcube Webmail, and WinRAR vulnerabilities.
- Post-compromise tactics involve lateral movement via tools like Impacket, PsExec, RDP, and attempts to dump Active Directory data, while maintaining persistence through mailbox permission manipulation and scheduled tasks.
- Malware such as HEADLACE and MASEPIE is used for initial access, persistence, and data exfiltration; DLL search order hijacking facilitates execution.
- The threat actors exfiltrate data over encrypted channels and through APIs such as Exchange Web Services, and conceal their activity by operating from infrastructure geographically close to victims and clearing event logs.
- Large-scale efforts targeted over 10,000 IP cameras in Ukraine and neighboring countries, leveraging RTSP credential brute forcing to monitor shipment routes.
- Mitigations recommended include network segmentation, zero trust architecture, strong MFA, patching vulnerable software, monitoring for anomalous activity, and restricting unnecessary remote access to IP cameras.
MITRE Techniques
- [T1199] Trusted Relationship – Exploited trust by targeting additional transportation entities with business ties to primary targets (“conducted follow-on targeting… exploiting trust relationships”).
- [T1566.002] Spearphishing Link – Sent spearphishing emails with links to fake login pages hosted on free or compromised services (“emails included links leading to fake login pages… often hosted on free third-party services”).
- [T1110.001] Credential Guessing – Employed password spraying and credential guessing with IP rotation via Tor and VPNs (“credential guessing and brute force… frequently rotated IP addresses to hamper detection”).
- [T1187] Forced Authentication – Leveraged Outlook NTLM vulnerability (CVE-2023-23397) to capture NTLM hashes (“weaponized an Outlook NTLM vulnerability… via specially crafted calendar invitations”).
- [T1059] Command and Scripting Interpreter – Delivered and executed scripts in multiple languages including BAT, VBScript, and Python (“delivered scripts in spearphishing, including BAT and VBScript”).
- [T1021.001] Remote Desktop Protocol – Used RDP to move laterally within victim networks (“moved laterally using RDP to access additional hosts”).
- [T1547.001] Registry Run Keys/Startup Folder – Established persistence via run keys (“used run keys to establish persistence”).
- [T1090.002] Proxy: External Proxy – Actor-controlled servers sent RTSP requests to IP cameras (“sent RTSP DESCRIBE requests destined for RTSP servers”).
- [T1114.002] Email Collection: Remote Email Collection – Exfiltrated email data using Exchange Web Services and IMAP (“used EWS and IMAP to exfiltrate data from email servers”).
- [T1560.001] Archive Collected Data: Archive via Utility – Archived files in .zip format prior to exfiltration (“accessed files were archived in .zip files prior to exfiltration”).
- [T1070.001] Indicator Removal: Clear Windows Event Logs – Deleted event logs to evade detection (“deleted event logs through the wevtutil utility”).
- [T1053.005] Scheduled Task – Used scheduled tasks to maintain persistence (“used scheduled tasks to establish persistence”).
- [T1665] Hide Infrastructure – Abused SOHO devices as proxies and for anonymization (“abused vulnerabilities associated with SOHO devices to facilitate covert operations”).
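The credential guessing described under T1110.001 rotated source addresses through Tor and VPNs, so a per-IP lockout threshold sees only one or two failures from each address and never fires. The following is an added detection example (not code from the advisory or from CISA) that aggregates failures on the target side per time bucket instead; the log format and all addresses and account names are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from the advisory): "timestamp src_ip account result".
# Six accounts tried from four rotating addresses in ten minutes; g.taylor is a real user retyping.
SAMPLE_LOG = """\
2024-06-12T08:00:05Z 198.51.100.7  a.smith  FAIL
2024-06-12T08:00:41Z 198.51.100.7  b.jones  FAIL
2024-06-12T08:01:20Z 203.0.113.22  c.davis  FAIL
2024-06-12T08:02:03Z 203.0.113.22  d.wilson FAIL
2024-06-12T08:03:17Z 192.0.2.140   e.brown  FAIL
2024-06-12T08:03:58Z 192.0.2.140   a.smith  FAIL
2024-06-12T08:05:12Z 198.51.100.99 f.moore  FAIL
2024-06-12T08:06:02Z 10.20.30.40   g.taylor FAIL
2024-06-12T08:06:30Z 10.20.30.40   g.taylor FAIL
2024-06-12T08:06:44Z 10.20.30.40   g.taylor FAIL
2024-06-12T08:06:55Z 10.20.30.40   g.taylor OK
"""

def parse_log(text):
    """Return (timestamp, src_ip, account, result) tuples from the whitespace-separated log."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def per_ip_lockout_alerts(events, max_failures=5):
    """Classic per-source threshold: fires only when a single IP fails repeatedly."""
    fails = Counter(ip for _, ip, _, result in events if result == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= max_failures)

def spray_alerts(events, window=timedelta(minutes=10), min_accounts=5, min_ips=3, max_per_pair=1):
    """Bucket failures by time on the target side; (ip, account) pairs failing more than
    max_per_pair times look like a user retyping and are set aside. A bucket is flagged when
    the remaining one-shot failures span many accounts from many IPs: rotated-source spraying."""
    buckets = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            start = datetime.min + ((ts - datetime.min) // window) * window
            buckets[start].append((ip, user))
    alerts = []
    for start, pairs in sorted(buckets.items()):
        low = [pair for pair, n in Counter(pairs).items() if n <= max_per_pair]
        accounts = {user for _, user in low}
        ips = {ip for ip, _ in low}
        if len(accounts) >= min_accounts and len(ips) >= min_ips:
            alerts.append((start.strftime("%Y-%m-%dT%H:%M:%SZ"), len(accounts), len(ips)))
    return alerts
```

On the sample log `per_ip_lockout_alerts` returns nothing while `spray_alerts` flags the 08:00 bucket with six accounts across four source addresses; the same aggregation applies to any authentication source (VPN, webmail, identity provider) once its events are parsed into the same tuple shape.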
Indicators of Compromise
- [IP Addresses] Associated with brute forcing and network activity – Examples include 192.162.174.94, 91.149.253.204, 83.168.78.31, among others from June to August 2024.
- [Email Addresses] Used in Outlook CVE exploitation phishing campaigns – e.g., [email protected], [email protected].
- [File Hashes/Names] Malicious archive filenames exploiting CVE-2023-38831 – examples: calc.war.zip, newsweek6.zip, Roadmap.zip.
- [Domains] Third-party free or compromised hosting services used as redirectors or phishing sites – e.g., webhook.site, frge.io, infinityfreeapp.com, mockbin.io.
- [Malicious Scripts/Utilities] Detection signatures for HEADLACE, MASEPIE malware, Impacket tools, and PowerShell scripts identified by unique strings and behaviors.
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a