On May 21, 2025, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), along with multiple partners, released a Cybersecurity Advisory (CSA). The advisory focuses on cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (Unit 26165), who conducted cyber espionage campaigns targeting Western logistics entities and technology companies for over two years.

GRU Unit 26165, also known as APT28 or Fancy Bear, employed techniques such as spearphishing, credential harvesting, and exploitation of known software vulnerabilities to access sensitive information related to transportation and aid delivery, particularly to Ukraine. Their operations extended to compromising email systems, conducting surveillance via IP cameras at Ukrainian border crossings, and exploiting trust relationships to infiltrate connected organizations, highlighting the persistent and adaptive nature of these cyber threats. The campaign affected Ukraine, bordering NATO nations, and international organizations, primarily those in the transportation and technology industries.

AttackIQ has released a new assessment template that includes the post-compromise Tactics, Techniques and Procedures (TTPs) exhibited by Unit 26165 during its latest activities to help customers validate their security controls and their ability to defend against sophisticated threats.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against the behaviors exhibited by a sophisticated threat actor leveraging stealthy and evasive techniques.
  • Assess their security posture against targeted espionage campaigns.
  • Continuously validate detection and prevention pipelines against a persistent and evolving threat.

[CISA AA25-141A] Russian GRU Targeting Western Logistics Entities and Technology Companies

This assessment template emulates the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by Unit 26165 during its latest activities.

The assessment template is divided into tactics, grouping the techniques and implementations used by Unit 26165 at each stage of their activities.

1. Execution

Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.

Hijack Execution Flow: DLL Search Order Hijacking (T1574.001): This scenario takes advantage of Microsoft’s Dynamic-Link Library (DLL) search order to load a rogue DLL into a trusted system binary.

2. Persistence

Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task for persistence using the schtasks utility.

Boot or Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario creates an entry under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key to be run at system startup and acquire persistence.

Boot or Logon Autostart Execution: Startup Folder (T1547.001): This scenario acquires persistence by adding files to the operating system Startup directory.

Boot or Logon Autostart Execution: Shortcut Modification (T1547.009): This scenario creates a Windows shortcut to emulate the execution of a file. Adversaries may abuse shortcuts in the startup folder to execute their tools and achieve persistence.

3. Defense Evasion

Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.

Indicator Removal: Clear Windows Event Logs (T1070.001): The scenario will use the wevtutil.exe binary to clear event logs from the system.

4. Discovery

Consists of techniques that adversaries use to discover information related to the compromised environment.

System Owner/User Discovery (T1033): This scenario executes the native whoami command to receive details of the running user account.

System Network Configuration Discovery (T1016): This scenario executes the arp -a command to retrieve the system’s Address Resolution Protocol (ARP) information, which can reveal valuable network details.

Process Discovery (T1057): This scenario enumerates processes running on the target asset through the tasklist Windows utility. The results are saved to a file in a temporary location.

System Information Discovery (T1082): This scenario executes the hostname command to retrieve the system’s hostname.

System Information Discovery (T1082): This scenario executes the systeminfo command to collect information about the compromised system.

Account Discovery: Local Account (T1087.001): This scenario executes the native net user Windows command to enumerate available accounts on the system.

5. Collection

Techniques used by adversaries to collect the discovered information regarding the compromised system.

Email Collection (T1114): This scenario executes a script that looks for .pst and .ost files (email files used by Outlook) under the Program Files, Users and UsersProfile directories recursively to collect email information prior to exfiltration.

6. Exfiltration

Consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it.

Application Layer Protocol: Mail Protocols (T1071.003): This scenario attempts to communicate with an external AttackIQ NTM server over common ports used for encrypted email.

Opportunities to Expand Emulation Capabilities

In addition to the released assessment template, AttackIQ recommends the following existing scenarios to extend the emulation of the capabilities exhibited in this advisory.

Lateral Movement Through PAExec: This scenario simulates lateral movement within a network using PAExec, an open-source version of PSExec.

Lateral Movement Through Impacket’s WMIEXEC Class: This scenario emulates the use of the Impacket utility to execute the WMIEXEC class, facilitating lateral movement to any available asset inside the network via the WMI protocol.

Lateral Movement Through Remote Desktop Protocol: This scenario attempts to move laterally within a network using the Remote Desktop Protocol (RDP).

Enumerate ADCS Vulnerabilities: This scenario enumerates vulnerable Active Directory Certificate Services (ADCS) certificate authorities and certificate templates in your Active Directory (AD) environment using the Certipy tool.

Password Brute-Force: This scenario simulates a password brute-force attack on a specified machine to test the effectiveness of security controls against multiple failed login attempts.

Dump Active Directory Database using ntdsutil.exe: This scenario attempts to access or create a copy of the Active Directory domain database using ntdsutil.exe.

Obtain Unsecured Credentials stored in Group Policy Preferences via Get-GPPPassword.ps1 Script: This scenario leverages the Get-GPPPassword.ps1 script to gather and decrypt unsecured passwords from Group Policy Preference XML files.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. Scheduled Task/Job: Scheduled Task (T1053.005):

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.

2a. Detection

With an EDR or SIEM Platform, you can detect the following commands being issued to schedule a malicious task.

Process Name = (“cmd.exe” OR “Powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”))

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations for Scheduled Task.

3. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001):

Preventing an actor from maintaining a foothold in your environment should always be one of the top priorities. During these activities, the adversary used registry keys to achieve persistence.

3a. Detection

Using a Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) Platform to see modifications to the Run and RunOnce keys will alert when unauthorized users or software makes modifications to the keys that allow programs to run after startup.

Process Name = reg.exe
Command Line CONTAINS (“ADD” AND “\CurrentVersion\Run”)
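The two detection rules above (2a for schtasks /CREATE, 3a for reg.exe adding a Run key value) expressed as plain Python and run over a handful of constructed process-creation events. This is an added example, not AttackIQ's code or part of the advisory; the event field names (`process`, `cmdline`) and the sample command lines are assumptions made for illustration.

```python
import re

# Constructed sample process-creation events (not real telemetry). The fields
# mirror what an EDR/SIEM typically exposes: image name and full command line.
SAMPLE_EVENTS = [
    {"process": "cmd.exe",
     "cmdline": r'schtasks /CREATE /SC ONLOGON /TN Updater /TR "powershell -File C:\ProgramData\task.ps1"'},
    {"process": "cmd.exe",
     "cmdline": "schtasks /Query /TN Updater"},
    {"process": "reg.exe",
     "cmdline": r"reg ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Svc /t REG_SZ /d C:\ProgramData\svc.exe"},
    {"process": "reg.exe",
     "cmdline": r"reg QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"process": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


def detect_schtasks_create(event):
    """Rule 2a: cmd.exe/powershell.exe running schtasks /CREATE with a cmd or powershell action."""
    if event["process"].lower() not in ("cmd.exe", "powershell.exe"):
        return False
    c = event["cmdline"].lower()
    return "schtasks" in c and "/create" in c and ("cmd" in c or "powershell" in c)


def detect_run_key_add(event):
    """Rule 3a: reg.exe adding a value under ...\\CurrentVersion\\Run.

    'ADD' is matched as a whole token so a path containing 'address' does not fire."""
    if event["process"].lower() != "reg.exe":
        return False
    c = event["cmdline"]
    return re.search(r"\badd\b", c, re.IGNORECASE) is not None and r"\currentversion\run" in c.lower()


RULES = {
    "T1053.005 schtasks /CREATE": detect_schtasks_create,
    "T1547.001 Run key ADD": detect_run_key_add,
}


def run_rules(events):
    """Return (rule name, command line) for every event a rule fires on."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for name, cmdline in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] {cmdline}")
```

On the sample events only the /CREATE and reg ADD lines fire; the schtasks /Query and reg QUERY lines do not, which is the baseline a team would want to confirm before tuning the rules for their own noise.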

3b. Mitigation

MITRE ATT&CK does not have any direct mitigations, as this technique abuses legitimate Windows functionality. They recommend monitoring registry changes and process execution that may attempt to add these keys.

Wrap-up

In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against the recent activities carried out by Unit 26165. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a widely distributed and dangerous threat.

AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.