APT28 (Fancy Bear) Targets Western Logistics Supporting Ukraine via Network-Device Exploitation Campaign
APT28 (Fancy Bear), a Russian state-sponsored advanced persistent threat group, has been linked to a recent campaign against logistics and technology providers supporting aid deliveries to Ukraine, and by extension the defense and transport sectors that depend on them. The intrusions leveraged exploitation of network-edge devices (SOHO routers, IP cameras), credential abuse, and long-standing APT28 TTPs to gain access, steal data, and evade detection. In this article, we examine who was responsible, how the attack unfolded, when it occurred, and what security leaders can do to avoid similar risks. We'll also explore where Obsidian Security's capabilities align with prevention and response.

Who is APT28 (Fancy Bear)?
APT28, widely known as Fancy Bear, is a threat actor aligned with Russia's military intelligence service (GRU) that conducts cyber espionage and surveillance against defense, logistics, and political targets, frequently exploiting routers, IP cameras, and other network-edge devices to do so. Its recent activity includes monitoring humanitarian and military shipments to Ukraine in near real time.
What Happened?
The Russian state-sponsored hacking group APT28 targeted logistics and technology firms supporting the transport of humanitarian and military aid to Ukraine. In a campaign disclosed in May 2025, the group compromised internet-connected cameras and other networked devices at border crossings, ports, and logistics hubs to monitor shipments in real time. Initial access came from exploiting known vulnerabilities in small-office/home-office (SOHO) routers and other network-edge appliances, and from abusing weak or reused credentials.
How Did The Attack Work?
APT28 has historically used implants such as X-Agent, Cobalt Strike, and ADVSTORESHELL, but public reporting on this campaign has not confirmed their use here. Instead, the intrusion rested on three things: exploiting known vulnerabilities in small-office/home-office (SOHO) routers and other network-edge appliances, abusing weak or reused credentials, and building covert infrastructure to hide where the activity originated. That is a departure from the phishing-driven playbook the group is best known for. Once inside, the operators compromised internet-connected IP cameras at ports, border crossings, and rail facilities and used them to watch shipments in real time. To maintain access without being noticed, they routed operations through multiple proxy layers and dynamically registered domains, so the source addresses seen by victim devices changed frequently and the infrastructure was harder to attribute or block. The practical consequence for defenders is that a single device account logging in from a rotating set of unrelated external addresses is itself a signal worth alerting on.
Why It Matters
This campaign targeted the operational security of humanitarian and military supply chains during the Russo-Ukrainian war. It shows how state actors increasingly blend cyber intrusion with surveillance of physical movement to achieve geopolitical objectives. Defenders should prioritize patching of network-edge devices, enforce strong authentication on them, and monitor for anomalous access to physical security systems such as cameras and access-control platforms.
How to Defend Against APT28 (Fancy Bear)-Style Attacks
To defend against threats similar to those used by APT28 targeting logistics infrastructure:
- Patch Management: Apply security updates promptly to routers, VPN appliances, IP cameras, and other network-edge devices; these are the device classes this campaign exploited for initial access.
- Strong Authentication: Replace weak, reused, or vendor-default credentials on every edge device and enforce MFA for all remote and administrative access.
- IoT & Camera Security: Isolate internet-connected cameras and OT devices on their own network segments, disable unnecessary remote access (including management and video-streaming ports exposed to the internet), and log every administrative login and stream request.
- Behavioral Monitoring: Detect unusual access to SaaS-hosted video, telemetry, and physical security systems, such as logins from outside the management network or one account authenticating from many unrelated source addresses in a short window.
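As an added illustration (this is example code written for this article, not an Obsidian product feature and not anything from the public reporting on the campaign), the following Python script applies the monitoring rules implied by the last two bullets, plus a rule for the proxy-rotation behaviour described under "How Did The Attack Work?", to a constructed camera/router authentication log. The log format, the 10.20.5.0/24 management subnet, the list of default accounts, the thresholds, and all IP addresses are assumptions chosen for the example; in production the same logic would read from the camera vendor's syslog or the video platform's audit API.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed management subnet: administrative logins from anywhere else are "external".
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.5.0/24")]
# Assumed vendor-default / shared accounts that should have been renamed or disabled.
DEFAULT_ACCOUNTS = {"admin", "root", "service", "guest"}
# Tunables for the proxy-rotation and failure-then-success rules (assumed values).
ROTATION_WINDOW = timedelta(minutes=15)
ROTATION_THRESHOLD = 3          # distinct external sources for one account on one device
BRUTE_WINDOW = timedelta(minutes=5)

# Constructed sample log (not real telemetry); the format is invented for this example:
# <ISO time> <device> <auth|rtsp> user=<name> src=<ip> [result=<success|failure>] [stream=<path>]
SAMPLE_LOG = """\
2025-05-20T08:00:01Z cam-port-07 auth user=admin src=10.20.5.14 result=success
2025-05-20T08:03:12Z cam-port-07 auth user=admin src=198.51.100.7 result=success
2025-05-20T08:03:40Z cam-port-07 rtsp user=admin src=198.51.100.7 stream=/live/ch0
2025-05-20T08:09:55Z cam-port-07 auth user=admin src=203.0.113.2 result=success
2025-05-20T08:15:02Z cam-port-07 auth user=admin src=192.0.2.11 result=success
2025-05-20T08:20:30Z rtr-border-02 auth user=operator src=10.20.5.14 result=success
2025-05-20T08:21:00Z rtr-border-02 auth user=root src=192.0.2.40 result=failure
2025-05-20T08:21:02Z rtr-border-02 auth user=root src=192.0.2.40 result=failure
2025-05-20T08:21:04Z rtr-border-02 auth user=root src=192.0.2.40 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>auth|rtsp) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: result=(?P<result>\S+))?(?: stream=(?P<stream>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def is_management(ip):
    return any(ip in net for net in MANAGEMENT_NETS)


def detect(log_text):
    """Return a list of (rule, device, user, src) alerts for the given log text."""
    alerts = []
    ext_logins = defaultdict(list)   # (device, user) -> [(ts, src)] of external successes
    failures = defaultdict(list)     # (device, src) -> [ts] of failed logins

    for ev in filter(None, (parse_line(l) for l in log_text.splitlines())):
        host, user, src, ts = ev["host"], ev["user"], ev["src"], ev["ts"]
        external = not is_management(src)

        # Rule 1: a video stream pulled from outside the management network is the
        # "watch the shipment" behaviour itself, not just a precursor to it.
        if ev["kind"] == "rtsp":
            if external:
                alerts.append(("external_stream_access", host, user, str(src)))
            continue

        if ev["result"] != "success":
            failures[(host, src)].append(ts)
            continue

        # Rule 2: factory/shared accounts should not be used at all, even internally.
        if user in DEFAULT_ACCOUNTS:
            alerts.append(("default_account_login", host, user, str(src)))

        if external:
            # Rule 3: any successful admin login from a non-management address.
            alerts.append(("external_admin_login", host, user, str(src)))
            # Rule 4: the same account arriving from several unrelated external
            # addresses within a short window matches the proxy-rotation pattern.
            ext_logins[(host, user)].append((ts, src))
            recent = {s for t, s in ext_logins[(host, user)] if ts - t <= ROTATION_WINDOW}
            if len(recent) >= ROTATION_THRESHOLD:
                alerts.append(("rotating_sources", host, user, str(src)))

        # Rule 5: failures followed by a success from the same source suggests
        # guessed or sprayed credentials rather than a legitimate operator.
        if any(ts - t <= BRUTE_WINDOW for t in failures[(host, src)]):
            alerts.append(("failures_then_success", host, user, str(src)))

    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'external_admin_login': 4, ...}."""
    counts = defaultdict(int)
    for rule, *_ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print(summarize(detect(SAMPLE_LOG)))
```

The rotating-sources rule is the one most specific to this campaign: a legitimate operator's address does not change three times in fifteen minutes, whereas an actor hopping between proxy layers looks exactly like that. The default-account rule deliberately fires even for the internal login at the top of the sample, because the remedy is to retire the account, not to whitelist the subnet.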
Where Obsidian Security Can Help
Obsidian's Identity Threat Detection and Response (ITDR) identifies compromised accounts and abnormal device access to SaaS resources, and its SaaS Security Posture Management (SSPM) mitigates misconfigurations and enforces least-privilege access for SaaS integrations.
Conclusion
The recent APT28 (Fancy Bear) campaign underscores the need for layered security that includes SaaS-native threat detection. Organizations should combine edge-device hardening, identity threat protection, user education, and SaaS configuration hardening to minimize risk. Obsidian's continuous monitoring and context-aware alerts help defenders identify and respond to threats before damage is done.