The Cybersecurity and Infrastructure Security Agency (CISA), together with partner organizations, published a joint advisory on May 21, 2025 detailing an ongoing cyber espionage campaign carried out by a Russian military unit. The group, known in cybersecurity circles as APT28, Fancy Bear, Forest Blizzard, and Blue Delta, has been actively targeting Western technology companies and logistics providers for over two years.
CISA urges executives and network defenders at targeted organizations, as well as private equity firms with investments in high-risk industries, to immediately increase monitoring and conduct proactive threat hunting. Organizations that rely on technology vendors and third-party IT service providers should verify that those vendors are aware of the threat and have taken appropriate steps to mitigate risk.
Common tactics, techniques, and procedures
Below is a non-exhaustive list of tactics, techniques, and procedures (TTPs) commonly employed by the Russian threat unit. Full details can be found in the CISA advisory.
Initial access
- Credential guessing/brute force:
  - The threat actors frequently used Tor and VPNs to avoid detection.
- Spear phishing:
  - Phishing emails sent from compromised accounts targeted individual users with links to fake login pages impersonating government entities and cloud email providers. Redirectors relayed multifactor authentication (MFA) prompts and CAPTCHA challenges between the victim and the real service, allowing the actors to bypass those controls.
- Vulnerability exploitation:
  - The Outlook NTLM vulnerability (CVE-2023-23397) was exploited to collect NTLM hashes and credentials.
  - Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026) were used to access victims’ email accounts and extract sensitive data.
  - The WinRAR vulnerability (CVE-2023-38831) was used as a means of initial access.
Post-compromise activity
- Reconnaissance:
  - Threat actors collected contact and role-based information to identify key personnel, transportation coordinators, third-party collaborators, and cybersecurity team members.
- Lateral movement:
  - Open-source tools like Impacket and PsExec, along with Remote Desktop Protocol, were used to move through networks.
- Malware:
  - The campaign involved the use of malware such as HEADLACE, MASEPIE, OCEANMAP, and STEELHOOK to establish persistence and exfiltrate data.
- Persistence:
  - Techniques included mailbox permissions abuse, scheduled tasks, malicious shortcuts, and run key modifications.
- Exfiltration:
  - Threat actors used different exfiltration methods depending on the compromised environment.
  - PowerShell scripts prepared data for extraction using APIs and legitimate server protocols.
Immediate risk mitigation actions
CISA highlights the following priority actions. The full list is available in the published advisory.
Architecture and configuration
- Network segmentation and zero-trust:
  - Companies should employ proper network segmentation and restrictions to minimize opportunities for lateral movement.
  - Host firewalls and network security appliances should be configured to allow only legitimately needed data flows between devices and servers.
- Logging and alerts:
  - Use automated tools to monitor logs for anomalous behavior, including unexpected log clearing.
  - Firewalls and network security appliances should be set up to alert on unusual lateral traffic and suspicious NTLM/SMB activity.
  - Block logins from public VPNs, or alert on them for investigation.
- Detection and response:
  - Deploy and maintain Endpoint Detection and Response (EDR) and other monitoring tools across all systems.
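The persistence techniques listed above (scheduled tasks, run key modifications) and the logging recommendations (alert on unexpected log clearing, on suspicious NTLM activity, and on logins from outside the corporate network) translate directly into detection rules. The following is an added example, not code from the advisory or from ACA: it runs a few simple rules over constructed sample events in a simplified "EventID|Computer|Account|Details" line format that stands in for forwarded Windows Security and System log entries. The corporate address ranges, the NTLM burst threshold and all hostnames, accounts and IPs are assumptions for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events (not from the advisory). Event IDs used:
# 4624 logon, 4657 registry value modified, 4698 scheduled task created,
# 1102 audit log cleared (Security), 104 log cleared (System).
SAMPLE_EVENTS = [
    "4624|FS01|CORP\\jdoe|LogonType=3 AuthPackage=Kerberos Src=10.10.5.21",
    "4624|MAIL01|CORP\\amartin|LogonType=10 AuthPackage=Negotiate Src=203.0.113.45",
] + [
    "4624|FS01|CORP\\svc-backup|LogonType=3 AuthPackage=NTLM Src=10.10.9.14",
] * 6 + [
    "4698|WS-117|CORP\\jdoe|TaskName=\\Microsoft\\Windows\\Updater Command=powershell.exe",
    "4657|WS-117|CORP\\jdoe|Key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Value=Updater",
    "1102|DC01|CORP\\admin7|The audit log was cleared",
    "104|WS-117|CORP\\jdoe|The System log file was cleared",
]

# Assumed corporate address space (including the VPN concentrator's pool);
# a logon sourced from anywhere else is treated as coming from a public network.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

LOG_CLEARED_IDS = {"1102", "104"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
SRC_RE = re.compile(r"\bSrc=(\S+)")


def parse_event(line):
    """Split one 'EventID|Computer|Account|Details' line into a dict."""
    event_id, host, account, details = line.split("|", 3)
    return {"id": event_id, "host": host, "account": account, "details": details}


def is_internal(addr):
    """True if the address falls inside one of the assumed corporate ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(lines, ntlm_threshold=5):
    """Apply the detection rules to a batch of events and return findings.

    Per-event rules fire immediately; the NTLM rule counts network logons
    (LogonType=3) authenticated with NTLM per (account, source, host) and
    fires once the count reaches ntlm_threshold within the batch.
    """
    findings = []
    ntlm_logons = Counter()
    for line in lines:
        ev = parse_event(line)
        base = {"host": ev["host"], "account": ev["account"]}
        if ev["id"] in LOG_CLEARED_IDS:
            findings.append({"rule": "log_cleared", "severity": "high", **base})
        elif ev["id"] == "4698":
            findings.append({"rule": "scheduled_task_created", "severity": "medium", **base})
        elif ev["id"] == "4657" and RUN_KEY_RE.search(ev["details"]):
            findings.append({"rule": "run_key_modified", "severity": "medium", **base})
        elif ev["id"] == "4624":
            m = SRC_RE.search(ev["details"])
            src = m.group(1) if m else None
            if src and not is_internal(src):
                findings.append({"rule": "logon_from_non_corporate_ip", "severity": "high",
                                 "source": src, **base})
            if "LogonType=3" in ev["details"] and "AuthPackage=NTLM" in ev["details"]:
                ntlm_logons[(ev["account"], src, ev["host"])] += 1
    for (account, src, host), n in ntlm_logons.items():
        if n >= ntlm_threshold:
            findings.append({"rule": "ntlm_network_logon_burst", "severity": "medium",
                             "host": host, "account": account, "source": src, "count": n})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the sample batch this yields six findings: the logon from 203.0.113.45, the scheduled task and Run key change on WS-117, the two cleared logs, and a burst of six NTLM network logons by svc-backup from 10.10.9.14. In a real deployment the thresholds and the internal ranges are the tuning points; the burst rule in particular should be scoped to a time window rather than to a whole batch.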
Identity and access management
- Authentication:
  - Implement strong MFA factors, such as passkeys or PKI smartcards, and require regular re-authentication.
  - Eliminate password reuse and check passwords against known-compromised credentials.
  - Organizations should remove and update any passwords stored in group folders.
  - Replace default credentials and disable weak authentication protocols.
- Privileged accounts:
  - Enforce strict controls on administrative access.
  - Require hardware-based MFA.
  - Segment admin roles and monitor usage with alerting.
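The recommendation to check passwords against known-compromised credentials is usually implemented at password-set time with a k-anonymity range lookup: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the digest to the breach-corpus service, and compares the returned suffixes locally, so the full hash never leaves the client. The following is an added example, not code from the advisory or from ACA. It mimics the "SUFFIX:COUNT" line shape returned by the Have I Been Pwned Pwned Passwords range endpoint, but to stay offline it builds the range index from a small constructed breach corpus; the corpus contents, counts and the lookup function are assumptions.

```python
import hashlib


def sha1_hex_upper(password):
    """Uppercase hex SHA-1 of the password, the digest form used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """k-anonymity split: the 5-char prefix is what gets sent to the service;
    the 35-char suffix stays on the client for local comparison."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


# Constructed breach corpus (passwords and counts invented for this example).
CONSTRUCTED_BREACH_CORPUS = {
    "Summer2024!": 1834,
    "Welcome1": 9201,
    "P@ssw0rd": 45110,
}


def build_range_index(corpus):
    """Group corpus hashes by 5-char prefix into 'SUFFIX:COUNT' lines, the
    same line shape a range endpoint returns for that prefix."""
    index = {}
    for password, count in corpus.items():
        prefix, suffix = split_for_range_query(password)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


def make_local_lookup(index):
    """Return a lookup(prefix) callable standing in for the network request.
    A real deployment would issue GET /range/<prefix> against the service
    or a local mirror and return the response body's lines."""
    def lookup(prefix):
        return index.get(prefix, [])
    return lookup


def breach_count(password, lookup):
    """Number of times the password appears in the corpus, or 0 if unseen."""
    prefix, suffix = split_for_range_query(password)
    for line in lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def validate_new_password(password, lookup, min_length=12):
    """Policy check at password-set time: reject short or known-compromised
    passwords. Returns (accepted, reasons)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password, lookup)
    if seen:
        reasons.append(f"appears {seen} times in the breach corpus")
    return (not reasons, reasons)


LOOKUP = make_local_lookup(build_range_index(CONSTRUCTED_BREACH_CORPUS))

if __name__ == "__main__":
    for candidate in ("Summer2024!", "quilt-orbit-lantern-47"):
        print(candidate, validate_new_password(candidate, LOOKUP))
```

The design point is the split: only `prefix` crosses the network, and the service cannot tell which of the suffixes it returned (if any) matched. Rate-limit and log the check on the server side, and never log the candidate password or its full digest.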
What you can do – and how ACA can help
Organizations should act swiftly to assess exposure, validate vendor security measures, and implement CISA’s recommended mitigation steps. Delaying action increases the risk of compromise.
ACA’s cybersecurity and risk services can help you strengthen your defenses against phishing attacks and other destructive cybercrime tactics. Our ACA Vantage for Cyber solution provides ongoing visibility into portfolio company cyber health, giving you control to navigate risk, add value, and gain a competitive advantage.
For questions about this alert, or to find out more about our services, please reach out to your ACA consultant or contact us.