ASSESSMENT: Russian cyber intelligence campaign targets logistics and tech companies supporting Ukraine
KEY POINTS:
Western technology and logistic companies involved in the provision of support to Ukraine are being actively targeted by Russian military intelligence.
This activity is being conducted by a high-end threat actor deploying sophisticated applications of fundamental attack vectors – it is highly likely to continue despite public exposure by Western intelligence services.
It is likely that Russia will use both cyber operations and physical sabotage to further disrupt delivery of materiel and other supplies to Ukraine, underlining the blurring of cyber-physical threats.
SUMMARY:
Cyber security agencies in 11 Western countries released an advisory on 21-May-25 identifying a cyber campaign conducted by a threat actor attributed to Russian military intelligence.
The advisory draws public attention to the significant expansion of the breadth of companies at risk – attacks were directed not only at direct suppliers to Ukraine but also at indirect suppliers and organisations in the geographical vicinity of targets.
The tactics deployed by Russian military intelligence span multiple known attack vectors with sophisticated deployment, ranging from spearphishing and credential guessing to the exploitation of application vulnerabilities.
Russian military intelligence has targeted internet-connected cameras in key locations near Ukraine to gather intelligence, likely to enable physical action on targets, without infiltrating direct supplier networks.
The advisories recommend that companies in these sectors act on the presumption that they are actively being targeted by Russian military intelligence.
Given the widespread use of supply chain attacks, companies that act as suppliers or are otherwise engaged with tech and logistics companies are also at elevated risk.
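Of the vectors named in the summary, credential guessing is the one that leaves the clearest trace in a defender's own authentication logs: one source cycling through many accounts with a few attempts each (password spraying), or many failures against a single account. The following detector is an added example and is not code from the advisory or from Tyburn; the log line format, the thresholds and the sample lines are constructed assumptions and would need tuning to a real environment.

```python
"""Flag credential-guessing patterns in authentication logs.

Added example only: the log format, thresholds and sample lines are
constructed for illustration and are not taken from any real product
or from the advisory.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> auth <success|failure> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Thresholds are assumptions to be tuned per environment.
WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 5        # one source, many distinct accounts, few tries each
BRUTE_MIN_FAILURES = 8     # many failures against one account

# Constructed sample log: a spray from 203.0.113.10 that lands on "erin",
# a brute-force run against "frank", one ordinary user typo, one malformed line.
SAMPLE_LOG = """\
2025-05-21T08:00:01 auth failure user=alice src=203.0.113.10
2025-05-21T08:00:03 auth failure user=bob src=203.0.113.10
2025-05-21T08:00:05 auth failure user=carol src=203.0.113.10
2025-05-21T08:00:07 auth failure user=dave src=203.0.113.10
2025-05-21T08:00:09 auth failure user=erin src=203.0.113.10
2025-05-21T08:00:11 auth success user=erin src=203.0.113.10
2025-05-21T08:01:00 auth failure user=frank src=198.51.100.7
2025-05-21T08:01:05 auth failure user=frank src=198.51.100.7
2025-05-21T08:01:10 auth failure user=frank src=198.51.100.7
2025-05-21T08:01:15 auth failure user=frank src=198.51.100.7
2025-05-21T08:01:20 auth failure user=frank src=198.51.100.7
2025-05-21T08:01:25 auth failure user=frank src=198.51.100.7
2025-05-21T08:01:30 auth failure user=frank src=198.51.100.7
2025-05-21T08:01:35 auth failure user=frank src=198.51.100.7
2025-05-21T09:30:00 auth failure user=grace src=192.0.2.44
2025-05-21T09:30:30 auth success user=grace src=192.0.2.44
this line is malformed and must be skipped
""".splitlines()


def parse(lines):
    """Yield (timestamp, result, user, src) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect(lines):
    """Return spray sources, brute-forced accounts, and sprays that later logged in."""
    failures_by_src = defaultdict(list)   # src  -> [(ts, user)]
    failures_by_user = defaultdict(list)  # user -> [ts]
    successes = defaultdict(set)          # src  -> {users who logged in}

    for ts, result, user, src in parse(lines):
        if result == "failure":
            failures_by_src[src].append((ts, user))
            failures_by_user[user].append(ts)
        else:
            successes[src].add(user)

    # Spray: within WINDOW, one source fails against >= SPRAY_MIN_USERS distinct accounts.
    spray = {}
    for src, events in failures_by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= WINDOW}
            if len(users) >= SPRAY_MIN_USERS:
                spray[src] = sorted(users)
                break

    # Brute force: within WINDOW, one account accumulates >= BRUTE_MIN_FAILURES failures.
    brute = {}
    for user, stamps in failures_by_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if t - start <= WINDOW)
            if n >= BRUTE_MIN_FAILURES:
                brute[user] = n
                break

    # Highest priority: a spraying source that then authenticated as an account it tried.
    landed = sorted(
        (src, u) for src, users in spray.items() for u in users if u in successes.get(src, set())
    )
    return {"spray": spray, "brute": brute, "landed": landed}


if __name__ == "__main__":
    for kind, finding in detect(SAMPLE_LOG).items():
        print(f"{kind}: {finding}")
```

The single failure-then-success for "grace" is deliberately not flagged; a detector that fires on every mistyped password is ignored in practice, which is why the spray and brute-force rules each require a volume threshold within a bounded window, and why a spray that ends in a successful login is reported separately as the finding to act on first.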
OUTLOOK:
We assess with high confidence that the exposure of this threat actor’s activities is unlikely to deter it from further operations or degrade its operational capabilities.
Access developed for intelligence collection can be repurposed to conduct disruptive activity.
A deterioration in Russia’s battlefield position or a setback for Moscow in negotiations would increase the risk of disruptive activity against tech and logistics organisations.
TYBURN RECOMMENDATIONS:
Ensure the board, senior executives, and leadership teams are briefed on elevated state-linked threat levels by experts.
Critical decision makers should be updated on heightened state-level threats which can impact strategic campaigning and decision making. Expert advice can provide tailored insight to maximise impact.
Ensure organisational risk management processes account for active targeting by state threat actors
Companies at risk should update their risk countermeasures to keep abreast of the evolving threat landscape. High-risk organisations should work on the assumption that breaches will occur. Specialist support from external providers can deliver tailored insights for an organisation’s unique environment.
Use governance pressure to drive urgent reviews of privileged access and monitoring coverage across high-value business units
Executives should demand clear visibility into who has elevated access and whether activity in critical areas is being continuously and effectively monitored.
Stress-test cyber assumptions in due diligence across portfolios and ensure due diligence includes understanding state-aligned threat exposure
Investment organisations should evaluate risk assumptions and assess how state cyber threats could impact asset performance or valuation.
Evaluate litigation and disclosure risks tied to known state-aligned threat exposure
Legal and compliance teams should assess regulatory and reputational consequences stemming from sensitive information exposure by state actors.
Reassess whether any ongoing business transactions may be disrupted by hostile cyber activity
M&A, divestment, or restructuring events should include contingency planning for cyber incidents, particularly where geopolitical interests heighten targeted disruption.
Engage external expertise to independently assess cyber resilience
Entities should work with experts to conduct attack modeling to gain actionable insight into how their specific digital estate could be compromised and how to remediate these threats.
ABOUT US:
Tyburn St Raphael Ltd is a specialist security consultancy focusing on hybrid threats to risk-sensitive professional services.
Contact us at: info@tyburn-str.com or hello@secured-research.com
Under the Secured brand, we provide threat-led simulation, board briefings, and intelligence modelling to help clients preempt disruption and secure their most valuable assets.
Our security practitioners help entities secure their intellectual property, build operational and financial resilience, and cultivate a positive organisational security culture.
We provide research on the national security implications of emerging technologies as part of our scientific and technical intelligence assessment capability. Recent examples include:
Seizure of Russian-linked vessel - An assessment of the impact and outlook of threats to subsea internet cables as an example of an evolving hybrid threat environment.
Beyond Baselines - A short article that highlights the necessity of security certifications that go beyond baseline measures for organisations at higher risk.
The strategic threat landscape - A strategic brief about the challenges of security in a changing threat environment for research and innovation entities.
Taiwan investigating Chinese-linked vessel - An assessment of the impact and outlook of threats to subsea internet cables, highlighting the importance of communication resilience in specific threat landscapes.
US designation of major Chinese companies as military-linked - A strategic assessment of the impact and outlook of the US’s designation of major Chinese companies as affiliated with the Chinese People’s Liberation Army.
US Treasury hack highlights threat of Chinese supply chain espionage - An assessment of the threats posed by non-state actors in cyberspace and the challenges of countering them.
North Korean malware assessment - A strategic assessment about the endurance and evolution of the North Korean Ferret malware family.
North Korean IT workers scam assessment - A brief assessing the threat and impact of the use of deepfake technology in the prevalent North Korean IT workers scam.
RUSI: Securing Innovation in an epoch of geopolitical competition - A research article assessing the threats facing organisations involved in research and innovation into cutting-edge technologies of strategic importance.
APPENDIX
MILITARY UNIT 26165:
The 21-May-25 advisory attributes the activity to Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.
Activity attributed to this group has been identified in industry reporting under multiple names, including APT28 / FOREST BLIZZARD / STRONTIUM / FANCY BEAR.
This unit has been the subject of multiple joint advisories over the last decade, and is credibly assessed to have been active since at least 2024.
USEFUL LINKS:
Original advisory – Russian GRU Targeting Western Logistics Entities and Technology Companies
UK statement on advisory – UK and allies expose Russian intelligence campaign targeting western logistics and technology organisations
Technology reporting on advisories – Russian hackers breach orgs to track aid routes to Ukraine