The FBI, CISA, and NSA released a joint advisory detailing cyber espionage activities by Russian GRU Unit 26165 (APT28/Fancy Bear) targeting Western logistics and technology sectors, particularly involving Ukraine. AttackIQ published an assessment template simulating the unit’s post-compromise tactics and techniques to help organizations evaluate and enhance their defensive measures. #GRUUnit26165 #APT28 #AttackIQ
Keypoints
- Russian GRU Unit 26165 (APT28/Fancy Bear) conducted multi-year espionage campaigns against Western logistics and technology entities primarily related to Ukraine and neighboring NATO countries.
- The threat actor employed spearphishing, credential harvesting, exploitation of software vulnerabilities, and surveillance via compromised IP cameras.
- AttackIQ released a detailed assessment template emulating Unit 26165’s post-compromise Tactics, Techniques, and Procedures (TTPs) to test security controls.
- The assessment covers multiple MITRE ATT&CK tactics, including execution, persistence, defense evasion, discovery, collection, and exfiltration.
- The template supports organizations in continuously validating detection and prevention systems against this persistent and evolving threat actor.
- AttackIQ recommends prioritizing detection and mitigation of scheduled tasks and registry run key abuse to counter adversary persistence.
- Additionally, the advisory suggests using lateral movement and credential dumping scenarios to extend emulation capabilities for a more comprehensive security evaluation.
MITRE Techniques
- [T1574.001] DLL Search Order Hijacking – Used to load a rogue DLL into a trusted system binary exploiting Microsoft’s DLL search order.
- [T1053.005] Scheduled Task – Created scheduled tasks with schtasks utility to maintain persistence.
- [T1547.001] Boot or Logon Autostart Execution (Registry Run Keys) – Added registry entries under HKLM\Software\Microsoft\Windows\CurrentVersion\Run to run malware on startup.
- [T1547.001] Logon Autostart Execution (Startup Folder) – Achieved persistence by adding files to the system Startup Directory.
- [T1547.009] Boot or Logon Autostart Execution (Shortcut Modification) – Created Windows shortcuts in the startup folder to execute tools and ensure persistence.
- [T1070.001] Indicator Removal on Host (Clear Windows Event Logs) – Used wevtutil.exe to clear event logs and evade detection.
- [T1033] System Owner/User Discovery – Executed ‘whoami’ to identify the running user account.
- [T1016] System Network Configuration Discovery – Executed ‘arp -a’ to gather network details.
- [T1057] Process Discovery – Used the ‘tasklist’ utility to enumerate running processes.
- [T1082] System Information Discovery – Executed ‘hostname’ and ‘systeminfo’ to collect system details.
- [T1087.001] Account Discovery (Local Account) – Used ‘net user’ command to list local accounts.
- [T1114] Email Collection – Script searched for Outlook .pst and .ost files to collect email data.
- [T1071.003] Exfiltration Over Application Layer Protocol (Mail Protocols) – Communicated with an external server over encrypted email ports for data exfiltration.
Indicators of Compromise
- [File Hashes] Examples include identified malicious DLL files used in hijacking and scripts deployed for email collection and credential harvesting (details not expanded in article).
- [File Names] Schtasks utility usage traced back for scheduled task creation; registry run keys and startup folder shortcuts noted for persistence mechanisms.
- [Commands] Command line indicators monitoring schtasks creation commands (e.g., "schtasks /CREATE") and registry modification commands (e.g., "reg.exe ADD ...\CurrentVersion\Run").
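The MITRE techniques and command-line indicators listed above map naturally onto process-creation telemetry (Sysmon Event ID 1 or Security Event ID 4688). The script below is an added example, not code from AttackIQ's assessment template or the joint advisory: it applies one regex rule per technique from the summary to a few constructed process-creation records and additionally flags a host that runs several distinct discovery commands within a short window, which is the "whoami / arp -a / tasklist / systeminfo / net user" pattern described above. The pipe-delimited log format, the rule regexes, the sample records and the five-minute burst window are all assumptions made for the example.

```python
"""Map Windows process-creation command lines to the Unit 26165 TTPs summarized above.

Added example: the rules, log format and sample records are constructed for
illustration and are not taken from the advisory or the AttackIQ template.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule table: ATT&CK ID as given in the summary, a short label, and a regex that
# is matched case-insensitively against the full command line of the process.
RULES = [
    ("T1053.005", "scheduled task created",
     r"\bschtasks(?:\.exe)?\b.*?[/-]create\b"),
    ("T1547.001", "registry Run key added",
     r"\breg(?:\.exe)?\b\s+add\b.*?\\currentversion\\run\b"),
    ("T1070.001", "event log cleared",
     r"\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\b"),
    ("T1033", "user discovery", r"\bwhoami(?:\.exe)?\b"),
    ("T1016", "network config discovery", r"\barp(?:\.exe)?\s+-a\b"),
    ("T1057", "process discovery", r"\btasklist(?:\.exe)?\b"),
    ("T1082", "system info discovery",
     r"\b(?:hostname|systeminfo)(?:\.exe)?\b"),
    ("T1087.001", "local account discovery", r"\bnet(?:1|\.exe)?\s+user\b"),
    ("T1114", "mailbox file search", r"\.(?:pst|ost)\b"),
]
COMPILED = [(tid, label, re.compile(rx, re.I)) for tid, label, rx in RULES]

# Discovery techniques: individually noisy, but several in a short window
# from one host is the reconnaissance chain the summary describes.
DISCOVERY = {"T1033", "T1016", "T1057", "T1082", "T1087.001"}

# Constructed sample records in the assumed "timestamp|host|user|cmdline" format.
SAMPLE_LOG = [
    "2025-05-20T09:00:01|WS-42|corp\\jdoe|cmd.exe /c whoami",
    "2025-05-20T09:00:05|WS-42|corp\\jdoe|tasklist /v",
    "2025-05-20T09:00:09|WS-42|corp\\jdoe|arp -a",
    "2025-05-20T09:00:12|WS-42|corp\\jdoe|net user",
    "2025-05-20T09:00:15|WS-42|corp\\jdoe|systeminfo",
    "2025-05-20T09:01:00|WS-42|corp\\jdoe|schtasks /CREATE /SC ONLOGON /TN Updater /TR C:\\Users\\Public\\u.exe",
    "2025-05-20T09:01:30|WS-42|corp\\jdoe|reg.exe ADD HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d C:\\Users\\Public\\u.exe",
    "2025-05-20T09:05:00|WS-42|corp\\jdoe|wevtutil.exe cl Security",
    "2025-05-20T10:00:00|WS-07|corp\\admin|notepad.exe C:\\temp\\notes.txt",
    "2025-05-20T10:30:00|WS-07|corp\\admin|powershell.exe Get-ChildItem -Recurse -Include *.pst,*.ost C:\\Users",
]


def parse_line(line):
    """Split one 'timestamp|host|user|cmdline' record into a dict."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def match_rules(cmd):
    """Return the ATT&CK IDs whose regex matches the given command line."""
    return [tid for tid, _, rx in COMPILED if rx.search(cmd)]


def analyze(lines, window=timedelta(minutes=5), burst=3):
    """Tag every event with matching technique IDs and flag discovery bursts.

    Returns (hits, bursts): hits is a list of (ts, host, technique, cmdline);
    bursts lists (host, sorted technique IDs) for hosts that ran at least
    `burst` distinct discovery techniques inside one `window`.
    """
    hits = []
    disc = defaultdict(list)  # host -> [(ts, technique id)]
    for line in lines:
        ev = parse_line(line)
        for tid in match_rules(ev["cmd"]):
            hits.append((ev["ts"], ev["host"], tid, ev["cmd"]))
            if tid in DISCOVERY:
                disc[ev["host"]].append((ev["ts"], tid))

    bursts = []
    for host, events in disc.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {tid for t, tid in events[i:] if t - t0 <= window}
            if len(seen) >= burst:
                bursts.append((host, sorted(seen)))
                break  # one alert per host is enough
    return hits, bursts


if __name__ == "__main__":
    found, chains = analyze(SAMPLE_LOG)
    for ts, host, tid, cmd in found:
        label = next(l for t, l, _ in COMPILED if t == tid)
        print(f"{ts:%H:%M:%S} {host:6} {tid:10} {label:26} {cmd}")
    for host, tids in chains:
        print(f"ALERT discovery burst on {host}: {', '.join(tids)}")
```

The rules deliberately key on the executable and verb rather than on specific task names or file paths, because the advisory-level indicators above are the commands themselves; tuning for a real environment means suppressing known administrative parents (software deployment agents running schtasks, for example) rather than loosening the patterns. The notepad record shows that benign activity yields no hit, and the per-host burst logic is what separates a single help-desk `whoami` from a reconnaissance chain.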
Read more: https://www.attackiq.com/2025/05/21/response-to-cisa-advisory-aa25-141a/