3 May 2026 Threat Intelligence

Russian GRU (APT28) Is Targeting Logistics Firms — What Australian Businesses Must Know

Security agencies from 15 nations, including Australia's own ACSC, have jointly confirmed that Russia's GRU military intelligence unit — the same group known as APT28, Fancy Bear, and Forest Blizzard — has been running an aggressive cyber espionage campaign targeting Western logistics companies and technology firms for over two years. The campaign is still active, the advisory was updated in April 2026 on cyber.gov.au, and Australian organisations in freight, transport, and supply chain technology are explicitly named as potential targets.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

The Joint ACSC Advisory: 15 Nations Name Russia's GRU

In May 2025, the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) joined 14 other allied intelligence agencies — including the United States Cybersecurity and Infrastructure Security Agency (CISA), the UK's National Cyber Security Centre (NCSC), and counterparts from Germany, France, Canada, the Netherlands, Poland, and others — to release a joint cybersecurity advisory naming Russia's GRU Unit 26165 as the group behind an ongoing, multi-year cyber espionage campaign. The advisory was updated on cyber.gov.au in April 2026 with revised indicators of compromise.

The group has several names in the research community. You may know it as APT28, Fancy Bear, Forest Blizzard, Sofacy, or BlueDelta. Inside Russia's military intelligence apparatus (the GRU), it is formally designated the 85th Main Special Service Centre, military unit 26165. The advisory's attribution is unambiguous: this is a state-sponsored operation with strategic intelligence objectives, not an opportunistic criminal gang after quick money.

The campaign has been running for at least two years, targeting "dozens of entities, including government organisations and private/commercial entities across virtually all transportation modes: air, sea, and rail." The primary focus has been on logistics companies and technology firms involved in the coordination, transport, and delivery of foreign assistance to Ukraine. However, the advisory makes clear that the targeting is not limited to Ukraine-adjacent actors — any organisation that handles international freight, manages supply chain software, or provides technology services to logistics networks is within scope.

The ACSC advisory is publicly available on cyber.gov.au and the full joint advisory is published by CISA as advisory AA25-141A. Both are primary sources worth bookmarking if your organisation has any involvement in international trade, freight, or transport technology.

Why Australian Businesses Are in Scope

The ACSC does not issue joint advisories for every foreign threat. When Australia co-signs a document alongside CISA, the NCSC, and a dozen European intelligence agencies, it is a deliberate signal to Australian industry: this threat is real, it is active, and it is coming for you.

The reasons Australian logistics and tech companies are at risk are not hard to trace. Australia is a member of NATO's partner network, a Five Eyes intelligence partner, and has provided material support to Ukraine. From GRU Unit 26165's perspective, any firm in the supply chain that supports Western foreign policy objectives is a legitimate intelligence target. That extends well beyond defence contractors. A freight-forwarding firm that ships aid to Eastern Europe, a software company that manages inventory for international shippers, a port logistics operator that coordinates cargo — all of these sit within the advisory's threat model.

There is also a secondary concern for Australian SMBs that have no direct Ukraine connection. The advisory notes that GRU Unit 26165 exploits surveillance cameras — specifically "private cameras at key locations, such as near border crossings, military installations, and rail stations" — to physically track cargo movements. This indicates an adversary that is operating at strategic scale, correlating cyber intelligence with physical intelligence. Organisations that provide camera systems, access management, or remote monitoring software to transport hubs may find themselves compromised not as the primary target but as a pivot point into larger infrastructure.

The Essential Eight, the ACSC's baseline set of mitigation strategies, was designed with exactly this category of threat in mind. The campaign's reliance on credential theft, phishing, and unpatched vulnerabilities maps directly onto four of the eight: patch applications, patch operating systems, application control, and multi-factor authentication. Many Australian SMBs have not yet reached Maturity Level One on these controls, which leaves them accessible to an adversary operating at GRU scale with very little effort.

How APT28 Gets In: The Technical Attack Chain

Understanding how GRU Unit 26165 operates is not an academic exercise — it directly informs which defensive controls are worth prioritising. The advisory describes a layered attack chain that combines phishing, vulnerability exploitation, and long-term persistence. Several specific CVEs are named as exploitation tools.

Spearphishing with logistics-themed lures

Initial access is most commonly achieved through spearphishing emails. These are not generic spam — they are "highly targeted emails in the recipient's local language, often themed around business or logistics, including malicious links or attachments designed to steal credentials or deliver malware." An Australian freight manager receiving a professional-looking email in English about a customs declaration or shipment delay is exactly the profile of a target. The advisory confirms that GRU operators invest time in understanding the business context of their targets before crafting lures.

CVE-2023-23397: The Outlook NTLM hash theft

CVE-2023-23397 is a critical vulnerability in Outlook for Windows (Outlook on the web and the mobile clients are not affected) that lets an attacker capture a victim's Net-NTLMv2 authentication response without any user interaction. The attacker sends a message, typically a calendar item or task, whose reminder sound property (PidLidReminderFileParameter) points to a UNC path on an attacker-controlled server. When the reminder fires, which happens while Outlook is running and before the user has opened anything, Outlook asks Windows to open that path over SMB, and Windows authenticates to the server with the user's credentials. The captured response can be relayed to other services that accept NTLM or cracked offline to recover the password. Microsoft's fix makes Outlook refuse reminder paths that fall outside the local and intranet security zones. The advisory names this vulnerability as one of Unit 26165's initial access vectors.
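The check below is an added example, not code from the page or from Microsoft: it classifies reminder-sound paths the way the patched Outlook does in spirit, allowing local and intranet locations and rejecting anything that would authenticate to the internet. The sample values are constructed, and the intranet definition (RFC 1918, loopback, link-local, and dotless host names) is an assumption standing in for the Windows security-zone logic.

```python
import ipaddress
import re

# Constructed sample values of the Outlook reminder-sound property
# (PidLidReminderFileParameter). The attack sets it to a UNC path on
# attacker infrastructure so that Outlook opens it over SMB and Windows
# sends the user's Net-NTLMv2 response to that server.
SAMPLE_REMINDERS = [
    r"C:\Windows\Media\Alarm01.wav",            # normal local file
    r"\\fileserver\sounds\chime.wav",           # intranet UNC, dotless host
    r"\\10.20.30.40\share\chime.wav",           # private address, still internal
    r"\\203.0.113.10\share\alert.wav",          # external UNC: the CVE-2023-23397 pattern
    r"\\mail.example.net@80\dav\alert.wav",     # WebDAV-over-HTTP variant (host@port)
]

# Assumed "intranet" address space; a real deployment would defer to the
# Windows security-zone configuration rather than a fixed list.
INTRANET_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# \\<host>\<share>... : capture the host component of a UNC path.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def classify_reminder_path(value: str) -> dict:
    """Classify a reminder-sound path as local, intranet or internet.

    Only the internet zone is blocked, which mirrors the post-patch Outlook
    behaviour of refusing to open reminder sounds from untrusted locations.
    """
    m = UNC_RE.match(value)
    if not m:
        # Drive-letter or relative path: resolved on the local machine only.
        return {"path": value, "zone": "local", "webdav": False, "blocked": False}
    host = m.group(1)
    webdav = "@" in host          # \\host@80\ or \\host@SSL\ selects the WebDAV client
    if webdav:
        host = host.split("@", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
        internal = any(addr in net for net in INTRANET_NETS)
    except ValueError:
        # Dotless names resolve through the local DNS suffix list: intranet.
        internal = "." not in host
    zone = "intranet" if internal else "internet"
    return {"path": value, "zone": zone, "webdav": webdav,
            "blocked": zone == "internet"}


def find_suspicious(values):
    """Return the classifications a mailbox scan should flag for removal."""
    return [r for r in map(classify_reminder_path, values) if r["blocked"]]


if __name__ == "__main__":
    for r in map(classify_reminder_path, SAMPLE_REMINDERS):
        print(f'{r["zone"]:9} blocked={str(r["blocked"]):5} {r["path"]}')
```

The WebDAV form matters because a perimeter rule that only blocks TCP 445 does not see it; the classification above treats it as internet traffic regardless of port.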

CVE-2023-38831: WinRAR code execution

CVE-2023-38831 is a code execution vulnerability in WinRAR, patched in version 6.23 in August 2023 but still present in enterprise environments that do not manage updates for the tool. A crafted archive contains a harmless-looking decoy file (say, a PDF) alongside a folder with the same name plus a trailing space, and that folder holds a script named after the decoy. When the victim double-clicks the decoy inside WinRAR, the name collision causes WinRAR to extract and run the script instead of opening the document. APT28 has used this technique to deliver malware via phishing attachments, with the archive disguised as a business document.
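A mail gateway or sandbox can spot the archive layout without executing anything. The scanner below is an added example, not code from the page or from any vendor: it builds a constructed ZIP with the CVE-2023-38831 name collision (the "payload" is a placeholder batch file, not malware), then reports any folder that differs from a top-level file only by trailing whitespace. The executable-extension list is an assumption. Exploit samples in the wild were ZIP files opened with WinRAR, which is why the standard library's zipfile module is enough here; RAR containers would need a third-party parser.

```python
import io
import zipfile

# Extensions WinRAR hands to the shell as a program (assumed list).
EXEC_EXT = (".cmd", ".bat", ".exe", ".vbs", ".js", ".scr", ".lnk", ".ps1")


def build_sample_archive() -> bytes:
    """Constructed ZIP with the CVE-2023-38831 layout and no real payload:
    a decoy document plus a folder of the same name with a trailing space,
    containing a script named after the decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.pdf", b"%PDF-1.4\n% decoy document\n")
        zf.writestr("Invoice_4471.pdf /Invoice_4471.pdf .cmd",
                    b"@echo off\r\necho placeholder, not a dropper\r\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed ordinary archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4471.pdf", b"%PDF-1.4\n")
        zf.writestr("attachments/readme.txt", b"nothing to see\n")
    return buf.getvalue()


def scan_archive(data: bytes) -> list:
    """Report entries that match the decoy/folder name collision."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        top_level = {n for n in names if "/" not in n}
        for name in names:
            parts = name.split("/")
            if len(parts) < 2:
                continue
            folder, leaf = parts[0], parts[-1]
            decoy = folder.rstrip()
            # The folder must differ from a top-level file only by trailing
            # whitespace; an ordinary sub-folder never trips this.
            if folder == decoy or decoy not in top_level:
                continue
            findings.append({
                "decoy": decoy,
                "payload": name,
                "executable": leaf.lower().endswith(EXEC_EXT),
                "name_mimics_decoy": leaf.startswith(decoy + " "),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
    print("clean archive findings:", scan_archive(build_clean_archive()))
```

Trailing-space folder names are the tell: legitimate archives almost never contain them, so the check produces few false positives and can sit in front of the mailbox rather than on the endpoint.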

Persistence, lateral movement, and data exfiltration

Once inside a network, GRU operators use a combination of legitimate administration tools and custom malware to establish persistence and move laterally. The advisory names Impacket, PsExec, and Remote Desktop Protocol (RDP) as key lateral movement tools, all standard Windows administration utilities that generate few alerts in environments without robust monitoring. Certipy, a tool for enumerating and abusing Active Directory Certificate Services, is used to obtain certificates that authenticate as domain users; because a certificate keeps working after the user's password is reset, it gives the operators long-term persistence. Separately, the group has modified Microsoft Exchange mailbox permissions to achieve covert, persistent access to email, a technique that can go unnoticed for months.

Practical Steps for Australian Organisations

The joint advisory includes a substantive list of recommended mitigations. Below is a prioritised interpretation focused on Australian SMBs — not enterprise security teams with dedicated SOCs, but businesses that run Microsoft 365, have a handful of IT staff, and manage freight or supply chain operations.

Patch Outlook immediately. Microsoft fixed CVE-2023-23397 in the March 2023 Office security updates; verify that every Outlook for Windows installation, including those on unmanaged devices, is on a patched build. Microsoft also published a PowerShell script that scans Exchange Server or Exchange Online mailboxes for messages carrying the malicious reminder property, so you can find and remove anything that arrived before the patch. As compensating controls, Microsoft recommends adding high-value accounts to the Protected Users security group, which stops them authenticating with NTLM, and blocking outbound TCP 445 at the perimeter. Microsoft's Security Response Center guidance is the authoritative reference.

Update or replace WinRAR. CVE-2023-38831 was patched in WinRAR version 6.23. Many organisations do not have WinRAR in their software inventory at all — it may be installed by individual staff members without IT oversight. Run an asset scan to identify installations and ensure the version is current, or consider replacing WinRAR with a managed alternative that receives automatic updates.

Enable multi-factor authentication on all accounts, without exception. The credential theft techniques in the advisory, NTLM hash capture, spearphishing for passwords, and exploitation of Roundcube webmail (which the advisory also lists), all become far less useful to the attacker when MFA is enforced. Phishing-resistant hardware keys (FIDO2) are the gold standard, but even app-based TOTP MFA dramatically raises the cost of intrusion. Priority accounts: email, VPN, cloud management consoles, and any ERP or logistics platform with external access.

Audit Exchange Online mailbox permissions. GRU operators abuse delegated mailbox permissions to maintain persistent email access. In Microsoft 365, open the Exchange admin center (or run Get-EXOMailboxPermission from the Exchange Online PowerShell module) and review every FullAccess, SendAs, or folder-level grant that you did not explicitly configure, along with inbox rules that forward mail outside the tenant. Make sure the unified audit log is enabled, then search it for Add-MailboxPermission, Add-MailboxFolderPermission, and New-InboxRule operations (Search-UnifiedAuditLog with the -Operations parameter) so that future changes are seen rather than stumbled upon. Microsoft Secure Score will tell you whether auditing and related controls are switched on, but it does not review the permissions themselves.
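The review logic below serves both the persistence discussion in the attack-chain section and this audit step. It is an added example, not code from the page or from Microsoft: it takes records in the shape that Search-UnifiedAuditLog returns (each record's AuditData is a JSON string with Operation, UserId, and a Parameters list of Name/Value pairs) and flags FullAccess grants to unapproved accounts, folders opened to the Default or Anonymous user, and inbox rules that forward outside the tenant. All records, addresses, the tenant domain, and the approved-grantee list are constructed assumptions.

```python
import json

ORG_DOMAIN = "example.com.au"                       # assumed tenant domain
# Assumed allow-list of accounts that legitimately hold FullAccess
# (backup or shared-mailbox service accounts, for instance).
APPROVED_GRANTEES = {"svc-backup@example.com.au"}
# Folder rights that are normal for Default/Anonymous (free/busy on calendars).
BENIGN_DEFAULT_RIGHTS = {"None", "AvailabilityOnly", "LimitedDetails"}

# Constructed AuditData strings in the shape of Search-UnifiedAuditLog output.
SAMPLE_AUDIT_DATA = [
    json.dumps({"CreationTime": "2026-04-01T09:12:07", "Operation": "Add-MailboxPermission",
                "UserId": "admin@example.com.au",
                "Parameters": [{"Name": "Identity", "Value": "shared.freight@example.com.au"},
                               {"Name": "User", "Value": "svc-backup@example.com.au"},
                               {"Name": "AccessRights", "Value": "FullAccess"}]}),
    json.dumps({"CreationTime": "2026-04-02T01:48:31", "Operation": "Add-MailboxPermission",
                "UserId": "helpdesk@example.com.au",
                "Parameters": [{"Name": "Identity", "Value": "cfo@example.com.au"},
                               {"Name": "User", "Value": "contractor.temp@example.com.au"},
                               {"Name": "AccessRights", "Value": "FullAccess"},
                               {"Name": "InheritanceType", "Value": "All"}]}),
    json.dumps({"CreationTime": "2026-04-02T01:51:02", "Operation": "Add-MailboxFolderPermission",
                "UserId": "ops.manager@example.com.au",
                "Parameters": [{"Name": "Identity", "Value": "ops.manager@example.com.au:\\Inbox"},
                               {"Name": "User", "Value": "Default"},
                               {"Name": "AccessRights", "Value": "Reviewer"}]}),
    json.dumps({"CreationTime": "2026-04-02T01:55:40", "Operation": "New-InboxRule",
                "UserId": "cfo@example.com.au",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "archive@mail-relay.example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
]


def _params(rec: dict) -> dict:
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}


def review_record(audit_data: str):
    """Return a finding for one audit record, or None if it looks benign."""
    rec = json.loads(audit_data)
    op, actor, p = rec.get("Operation"), rec.get("UserId", ""), _params(rec)
    rights = p.get("AccessRights", "")
    base = {"time": rec.get("CreationTime"), "op": op, "actor": actor,
            "mailbox": p.get("Identity")}
    if op == "Add-MailboxPermission" and "FullAccess" in rights:
        grantee = p.get("User", "")
        if grantee.lower() not in APPROVED_GRANTEES:
            return {**base, "grantee": grantee,
                    "reason": "FullAccess granted to an unapproved account"}
    if (op == "Add-MailboxFolderPermission"
            and p.get("User") in ("Default", "Anonymous")
            and rights not in BENIGN_DEFAULT_RIGHTS):
        return {**base, "grantee": p["User"],
                "reason": f"folder opened to {p['User']} with {rights}"}
    if op in ("New-InboxRule", "Set-InboxRule"):
        targets = [p.get(k, "") for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")]
        external = [t for t in targets if t and not t.lower().endswith("@" + ORG_DOMAIN)]
        if external:
            return {**base, "mailbox": actor, "grantee": external[0],
                    "reason": "inbox rule forwards mail outside the tenant"}
    return None


def review_audit_log(records) -> list:
    """Run review_record over every AuditData string and keep the findings."""
    return [f for f in map(review_record, records) if f]


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_AUDIT_DATA):
        print(finding)
```

Run the same function over an export of Search-UnifiedAuditLog output filtered to those three operations; the timestamps in a real export (here, grants made at two in the morning by a help-desk account) are often as telling as the grant itself.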

Encrypt remote access sessions. Remote workers accessing logistics systems from hotels, airports, or co-working spaces send traffic across networks the business does not control, where it can be intercepted or redirected. A business VPN encrypts everything between the device and the corporate network and routes it through the corporate egress, so internal services are never exposed directly on a public network and the firewall's outbound rules apply on the road as they do in the office. Be precise about what this does and does not cover: the CVE-2023-23397 leak is an outbound connection the victim's own Outlook makes to the attacker's server, so a VPN only stops it if the corporate egress blocks that traffic (see the next point). NordVPN's business tier provides encrypted tunnelling with a no-logs policy and operates outside Australia's mandatory data retention regime, relevant for staff handling commercially sensitive logistics data on the road. None of this makes you immune to phishing.

Block outbound NTLM and SMB connections to external IPs. The advisory and Microsoft's own CVE-2023-23397 guidance recommend blocking outbound SMB (TCP 445, and TCP 139 for NetBIOS sessions) to internet addresses at the perimeter firewall; the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" adds a host-level backstop. Most business-grade firewalls can do this without disrupting normal operations, because legitimate SMB rarely needs to leave the network. Note that the same credential leak can be triggered over WebDAV (a UNC path of the form \\host@80\share), which travels on TCP 80/443, so a port 445 block is necessary but not sufficient; keep Outlook patched as well.
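Once the rule is in place, the firewall log is also the cheapest detector for hosts that received the poisoned message. The script below is an added example, not code from the page or the advisory: it parses a constructed CSV export of perimeter firewall events, keeps outbound SMB/NetBIOS connections from internal to internet addresses (including blocked ones, since the attempt alone means the host has the trigger), and groups them by destination, because several internal hosts reaching one external SMB server within minutes is the footprint of a single mass-mailed reminder. The log format and the RFC 1918 definition of "internal" are assumptions.

```python
import ipaddress
from collections import defaultdict

# Address space treated as internal (assumption: RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# SMB and NetBIOS session ports; outbound to the internet on these is almost
# always a leaked authentication attempt rather than genuine file sharing.
SMB_PORTS = {445, 139}

# Constructed perimeter firewall export: time,action,src,sport,dst,dport,proto
SAMPLE_LOG = """\
2026-04-02T01:12:07Z,allow,10.1.4.22,51544,10.1.2.5,445,tcp
2026-04-02T01:12:09Z,allow,10.1.4.22,51545,203.0.113.10,445,tcp
2026-04-02T01:12:11Z,allow,10.1.4.31,49822,203.0.113.10,445,tcp
2026-04-02T01:12:12Z,allow,10.1.4.31,49823,198.51.100.7,443,tcp
2026-04-02T01:12:15Z,block,10.1.4.40,50011,203.0.113.10,445,tcp
2026-04-02T01:13:02Z,allow,10.1.5.9,51200,203.0.113.10,139,tcp
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    t, action, src, _sport, dst, dport, proto = line.strip().split(",")
    return {"time": t, "action": action, "src": src, "dst": dst,
            "dst_port": int(dport), "proto": proto.lower()}


def find_external_smb(log_text: str) -> list:
    """Events where an internal host opened SMB/NetBIOS to an internet address.

    Blocked attempts are kept on purpose: the host still tried, so it still
    holds the message (or malware) that made it try."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if (e["proto"] == "tcp" and e["dst_port"] in SMB_PORTS
                and is_internal(e["src"]) and not is_internal(e["dst"])):
            hits.append(e)
    return hits


def summarise_by_destination(hits: list) -> dict:
    """Group hits by external server with distinct sources and allow/block counts."""
    summary = defaultdict(lambda: {"sources": set(), "allowed": 0, "blocked": 0})
    for e in hits:
        d = summary[e["dst"]]
        d["sources"].add(e["src"])
        d["allowed" if e["action"] == "allow" else "blocked"] += 1
    return {dst: {"sources": sorted(v["sources"]), "allowed": v["allowed"],
                  "blocked": v["blocked"]} for dst, v in summary.items()}


if __name__ == "__main__":
    for dst, v in summarise_by_destination(find_external_smb(SAMPLE_LOG)).items():
        print(f"{dst}: {len(v['sources'])} hosts, allowed={v['allowed']}, blocked={v['blocked']}")
```

Every source host in the summary is a candidate for the mailbox scan described under the Outlook patching step, and the "allowed" count tells you how long the egress rule was missing.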

The Bigger Picture: APT28 Is Not Going Away

GRU Unit 26165 has been active since at least 2007. It has been attributed to the 2016 Democratic National Committee breach, the 2017 French presidential election interference, the 2018 OPCW attack in The Hague, and dozens of other high-profile intrusions across two decades. The logistics campaign described in this advisory is not an anomaly — it is a continuation of persistent, state-directed intelligence collection.

What has changed in 2025 and 2026 is the scope. Previous APT28 campaigns focused heavily on political parties, government ministries, and defence contractors. The expansion into commercial logistics reflects a strategic calculation: understanding the flow of goods — particularly military and humanitarian aid — has direct tactical value for Russian military planners. Surveillance cameras at border crossings are not a cybersecurity afterthought; they are a deliberate intelligence collection method that bridges the digital and physical worlds.

For Australian businesses, the policy context matters too. Under the Cyber Security Act 2024, a mandatory ransomware payment reporting obligation took effect in mid-2025: businesses with annual turnover above $3 million must report any ransomware payment to the ASD within 72 hours of making it. While GRU Unit 26165's current campaign appears focused on espionage rather than ransomware, the same access methods (compromised credentials, persistent mailbox rules, lateral movement) could trivially be handed to or reused by a ransomware crew. An organisation that detects a GRU intrusion late may face both a data theft and a ransomware event, and the latter triggers reporting obligations under the new regime.

The ACSC's Essential Eight framework provides the clearest roadmap for SMBs. The mitigations most directly applicable to the APT28 threat model are the ones this post has already walked through: patch applications, patch operating systems, application control, and multi-factor authentication.

The advisory recommends subscribing to ACSC alerts directly at cyber.gov.au/about-us/register. Australian businesses in logistics, transport technology, and supply chain management should treat this subscription as a minimum baseline — the advisory updates are free, timely, and directly actionable.

For staff who travel internationally or work from shared networks, encrypting all network traffic is a straightforward baseline control. NordVPN provides a starting point for individuals; organisations with larger teams should evaluate dedicated business VPN or Zero Trust Network Access (ZTNA) solutions that integrate with identity providers. Either way, leaving remote sessions unencrypted in 2026 — particularly when an advisory as explicit as this one is in the public domain — is a risk that is hard to justify.

The joint advisory from the ACSC, CISA, and their partner agencies is not a prediction. It is a description of an active campaign, with real organisations already compromised. The question for Australian logistics and tech businesses is not whether they are a theoretically interesting target; it is whether their current controls are sufficient to make intrusion costly enough that GRU operators move on to an easier mark.


The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.