Russia's APT28 accused of infiltrating Western logistics, technology firms

Int'l partners destroy Lumma Stealer infrastructure, IT contractor breach led to M&S attack, Interlock stole data from West Lothian, 70K Coinbase customers exposed, EU sanctions GRU for disinformation, Google offers secure cloud options to EU, Twin brothers destroyed FOIA requests, much more

Signatories to the Russian GRU Targeting Western Logistics Entities and Technology Companies advisory.


In a joint cybersecurity advisory co-signed by what appears to be a record number of allied countries (11) and intelligence agencies (21), the hacking group widely known as Fancy Bear, BlueDelta, and APT28 was accused of being behind attempted digital break-ins at multiple Western logistics providers and technology firms.

The advisory states that “Dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail” have been targeted in the campaign within NATO member states, within Ukraine, and at international organisations.

Alongside the “espionage-oriented campaign,” the hackers are also believed to have accessed legitimate municipal traffic cams and “private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine.”

The hackers also “conducted reconnaissance on at least one entity involved in the production of industrial control system components for railway management, though a successful compromise was not confirmed,” warned the advisory.

The intelligence agencies formally attributed the attacks to the “85th Main Special Service Center (85th GTsSS), military unit 26165” of Russia’s military intelligence agency, the GRU. They acknowledged that the hacking unit’s campaigns were tracked under several names, including Fancy Bear and APT28.

The CSA guides at-risk organizations to posture their defenses against potential targeting by Unit 26165 through recommendations for increased monitoring and threat hunting for known TTPs and IOCs.

The report outlines several of the TTPs Unit 26165 actors use to gain access to targeted entities, including password spraying, spearphishing, and modification of Microsoft Exchange mailbox permissions. Additionally, the advisory highlights the specific risk to a range of small office/home office (SOHO) devices, as Unit 26165 actors abuse vulnerabilities associated with a range of brands and models to conduct covert cyber operations and proxy malicious activity.
 
The authoring agencies expect this cyber-espionage campaign to continue. (Alexander Martin / The Record and NSA)

Related: Joint Cyber Advisory, CISA, NCSC, Politico, SC Media, Security Week, The Register, Infosecurity Magazine, Cyberscoop, Bleeping Computer, Regtech Times, Ukrainska Pravda, SC Media

With the help of Microsoft’s Digital Crimes Unit (DCU) and a crew of international partners, including several leading cybersecurity companies, a coordinated global operation seized the core infrastructure of Lumma Stealer, a widely used infostealer malware linked to cybercrime sprees and multiple high-profile attacks.

Acting on a court order granted in the US District Court of the Northern District of Georgia, Microsoft seized and blocked about 2,300 malicious domains that served as the backbone of Lumma Stealer’s infrastructure, Masada said. 

According to Microsoft, the Justice Department was responsible for seizing Lumma Stealer’s central command infrastructure and disrupting marketplaces where it was sold, while Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center worked to suspend locally based infrastructure.

Since it first appeared in 2022, Lumma Stealer has established a widespread presence across global networks. The infostealer, which developers continually improved, was used to siphon credentials and other sensitive information via phishing and other means.

Cybersecurity and tech companies ESET, Bitsight, Lumen, Cloudflare, CleanDNS, and GMO Registry assisted with the takedown effort. (Matt Kapko / CyberScoop)

Related: Microsoft, CISA, Justice Department, Bloomberg, Cloudflare, Europol, Wired, NextGov, Bleeping Computer, We Live Security, Cyber Daily, Metro, Computer Weekly, Industrial Cyber, Decrypt, The Record, Cybernews, The Cyber Express, HackRead, Dark Reading, Connect, Help Net Security, GeekWire, Cointelegraph, Cyber Security News, The Indian Express, Bitsight, Reuters, UPI, Hackread, Digital Trends, SiliconANGLE, KDFX-TV, Solomon on Cybersecurity, DataBreachToday.com

Splash page displayed on 900+ domains seized by Microsoft. Source: Microsoft
Heat map detailing global spread of Lumma Stealer malware infections and encounters across Windows devices. Source: Microsoft.

Marks & Spencer said hackers broke into its systems by tricking employees at a third-party IT contractor, Tata Consultancy Services, skirting its digital defenses to launch a cyberattack that will disrupt the British retailer for months.

Giving the first details since disclosing the breach on April 22, Chief Executive Stuart Machin said all companies were vulnerable, and M&S had boosted its defences by trebling tech spending in the last three years.

"Unable to get into our systems by breaking through our digital defences, the attackers did try another route, resorting to social engineering and entering through a third party rather than a system weakness," he told reporters.
"Once access was gained, they used highly sophisticated techniques as part of the attack."

Separately, the Marks & Spencer website came back online after leaving users unable to browse for several hours.

Customers have been unable to make online orders for weeks as the retailer deals with the aftermath of a cyber-attack, but on Wednesday evening, the website went down completely. (Paul Sandle and James Davey / Reuters and Hafsa Khalil & Annabelle Liang / BBC News)

Related: Cybernews, BankInfoSecurity, Sky News, Metro, Financial Times, Tech Monitor, New York Times

Cyber criminals identified as the Interlock ransomware gang stole "personal or sensitive" data during a ransomware attack on West Lothian Council's education network.

The local council is contacting parents or carers at every school and the education staff to inform them of the theft and provide advice.

It said most of the stolen data related to operational issues, such as lesson planning, but officials have now established that some personal information was also taken.

Confidential pupil records, financial data, and social work records are stored on different systems, but officials said they could not rule out the possibility that criminals have stolen medical or social work information.

The council told the BBC there is no evidence that social work reports have been stolen. (BBC News)

Related: Edinburgh Live, DigWatch, Digit, Infosecurity Magazine

In a filing with the Maine Attorney General's office, Coinbase revealed a recent data breach in which cybercriminals stole customer and corporate data, affecting 69,461 individuals.

Coinbase said, "A small number of individuals, performing services for Coinbase at our overseas retail support locations, improperly accessed customer information."

While the exposed data did not include the impacted people's passwords, seed phrases, private keys, or other information that could be used to access their funds or accounts, it did include a combination of personal identifiers such as name, date of birth, last four digits of social security numbers, masked bank account numbers and some bank account identifiers, addresses, phone number, and email address.

Depending on the affected customer, the stolen information can also contain images of government identification information (e.g., driver's license number, passport number, national identity card number) and account information (including transaction history, balance, transfers, account opening date). (Sergiu Gatlan / Bleeping Computer)

Related: Office of the Maine Attorney General, Crypto News, TechCrunch, Security Week, Decrypt, Mashable, CryptoSlate, The Street, Citation Needed, The Register, Security Affairs, Cryptopolitan, Protos, PCMag, The Record, Cryptoforensic Investigators

The European Union unveiled a new sanctions package targeting individuals and entities linked to Russia's hybrid warfare efforts, including its disinformation, sabotage, and espionage campaigns across Europe and Africa.

Among those sanctioned are members of the Russian military intelligence unit GRU and individuals involved in promoting Kremlin narratives through social media campaigns. The EU also targeted companies providing critical support to these activities, including web hosting services and GPS jamming equipment.

The round of sanctions is part of a broader European strategy to counter Russia’s ongoing hybrid warfare activities, which have escalated since the start of the war in Ukraine. It also marks the second time the EU has targeted Russian disinformation networks. (Daryna Antoniuk / The Record)

Related: European Council, EU Today

Google said it is beefing up its “sovereign cloud” options in the EU, as US tech companies move to reassure the continent’s users that their access to crucial technology will be safeguarded at a time of escalating trade tensions with Donald Trump.

The tech titan offers cloud computing services in Europe that ensure sensitive information remains on local servers and adhere to EU data privacy laws.

Google said it was broadening these so-called sovereign cloud options, including a new “data shield” that provides additional cybersecurity protections to European clients.

The US tech company also said it would work with local partners in sensitive industries, such as the French defence electronics group Thales, to better ensure it complies with stricter data protection requirements for those sectors. Google said it would also launch a similar arrangement in Germany soon.

The move comes as European groups raise concerns that the Trump administration could use the continent’s reliance on digital infrastructure from US Big Tech groups as leverage in trade talks. (Barbara Moens / Financial Times)

Related: Google Cloud, s3ns, The Register, Computing, Data Center Dynamics

Opexus, a software company that handles sensitive data for nearly every US federal agency, was the victim of a cyber breach earlier this year by twin brother employees Muneeb and Suhaib Akhter due to a "major lapse" in security measures, which resulted in the disappearance of hundreds of FOIA requests.

Opexus, owned by the private equity firm Thoma Bravo and providing software services for processing US government records, was compromised in February by two employees who had previously been convicted of hacking into the US State Department.

The findings were detailed in separate reports by Opexus and cybersecurity firm Mandiant, which characterized the incident as an “insider threat attack.”

The brothers, who have since been fired, improperly accessed sensitive documents and compromised or deleted dozens of databases, including those that contained data from the Internal Revenue Service and the General Services Administration.

Five people familiar with the matter who requested anonymity because they were not authorized to discuss the case said the incident, which hasn’t been reported previously, is now being probed by the Federal Bureau of Investigation and other federal law enforcement agencies.

According to the Mandiant report, the brothers' damage includes the destruction of more than 30 databases and the removal of more than 1,800 files related to one government project.

Opexus’ own investigation found that the brothers’ conduct led to an outage of two key software systems used by government agencies to process and manage their records, and in some cases, a permanent loss of data. (Jason Leopold / Bloomberg)

Related: Bloomberg

Documents received from the US EXIM bank in response to a FOIA request on how an outage triggered by the brothers destroyed the agency's FOIA files. Source: Bloomberg.

A team of 15 researchers at the Federal University of Minas Gerais in Brazil published a massive database of over 2 billion Discord messages that they scraped using Discord’s public API.

The data was pulled from 3,167 servers and covers posts made between 2015 and 2024, the entire time Discord has been active. 

Though the researchers claim they’ve anonymized the data, it’s hard to imagine anyone is comfortable with almost a decade of their Discord messages sitting in a public JSON file online.

Separately, a different programmer released a Discord tool called "Searchcord" based on a different data set that shows non-anonymized chat histories. (Matthew Gault / 404 Media)

Related: Gizmodo

The Russian government has introduced a new law requiring all foreign nationals in the Moscow region to install a tracking app.

The new proposal was announced by the chairman of the State Duma, Vyacheslav Volodin, who presented it as a measure to tackle migrant crimes.

"The adopted mechanism will allow, using modern technologies, to strengthen control in the field of migration and will also contribute to reducing the number of violations and crimes in this area," stated Volodin.

The measures will not apply to diplomats of foreign countries or citizens of Belarus.

Foreigners attempting to avoid their obligation in relation to the new law will be added to a registry of monitored individuals and deported from Russia. (Bill Toulas / Bleeping Computer)

Related: Duma.gov.ru, r/worldnews, Asia Plus

The Dutch government has approved a law criminalizing a broader range of espionage activities, including digital espionage, to protect national security, critical infrastructure, and sensitive technologies.

The new legislation, passed over the weekend, extends existing espionage laws that make it a criminal offense to share state secrets. Under the updated law, leaking sensitive information not classified as a state secret or engaging in activities on behalf of a foreign government that harm Dutch interests can also result in criminal charges.

The rise of cyber-espionage has also prompted the government to introduce harsher penalties for computer-related offenses. Offenders could face up to eight years in prison, possibly a 12-year sentence in extreme cases. (Daryna Antoniuk / The Record)

Related: NCTV.nl, The Cyber Express, SC Magazine UK, DigWatch

Authorities in Tanzania blocked access to the social platform X after cyberattacks on some accounts of government institutions resulted in fake or pornographic posts.

After authorities said hackers took it over, the police account posted pornographic images that were later deleted. The account also falsely announced the death of President Samia Suluhu Hassan.

“We are searching for those spreading false information,” police said. The account of telecommunications company Airtel Tanzania was also hacked.

Government spokesman Gerson Msigwa said Tanzania’s cyberspace is secure and called the attacks minor. He urged citizens to remain calm.

“I assure you Tanzania is safe, and we will find those responsible,” he said. (Associated Press)

Related: BBC News, Techpoint Africa, GhanaWeb, NewsCentral TV, tv47 Digital, The Eastleigh Voice, Peoples Gazette, Sahara Reporters, Daily Post, mbu, AFP, CNBCTV18, Business Insider Africa

Sen. Ron Wyden (D-OR) revealed in a new letter to Senate colleagues that AT&T, Verizon, and T-Mobile failed to create systems for notifying senators about government surveillance on Senate-issued devices, despite a requirement to do so.

Thanks to protections enacted in 2020, phone service providers are contractually obligated to inform senators when a law enforcement agency requests their records. However, in an investigation, Wyden’s staff found that none of the three major carriers had created a system to send those notifications.

Wyden said the companies all started providing notifications after his office’s investigation. However, according to the letter, one carrier told Wyden’s office it had previously turned over Senate data to law enforcement without notifying lawmakers. (Alfred Ng / Politico)

Related: Senator Ron Wyden, TechCrunch, The Register, r/technology, Slashdot, Common Dreams

The hacker behind the data breach targeting Coinbase users mocked blockchain investigator ZachXBT with an onchain message following a major crypto swap.

On May 21, the hacker used Ethereum transaction input data to write “L bozo,” followed by a meme video of NBA player James Worthy smoking a cigar.

The message came after the attacker swapped about $42.5 million from Bitcoin via THORChain.

ZachXBT flagged the message on his Telegram channel, linking it to the same entity responsible for the Coinbase data breach affecting at least 69,400 users. (Amin Haqshanas / Cointelegraph)

Related: Decrypt, Crypto.news

Coinbase hacker trolling ZachXBT. Source: ZachXBT.

In Memoriam

Democratic representative Gerald E. Connolly of Virginia, who was the top Dem on the House Oversight panel’s cyber subcommittee, died of cancer at age 75.

On the Move

Kate Diemidio, the head of public policy and government affairs for industrial cybersecurity firm Dragos, is joining the Cybersecurity and Infrastructure Security Agency to serve as legislative affairs chief.

Best Thing of the Day: Be Like Signal

Signal Desktop now includes support for a new “Screen security” to protect users from Microsoft's odious Recall feature.

Worst Thing of the Day: Exposing the Most Vulnerable Among Us

Sensitive information about women and girls who have survived domestic abuse is now expected to be exposed through a data extortion incident impacting the British government’s Legal Aid Agency.

Closing Thought
