Ukraine Hybrid Warfare: How Cyberattacks are Shaping the Course of the War? SpecialREPORT JUN 2025

Report Details
Initial Publish Date
Last Updated: 20 JUN 2025
Report Focus Location: Ukraine
Authors: AGC, MA
Contributors: GSAT
GSAT Lead: MF
RileySENTINEL provides timely intelligence and in-depth analysis for complex environments. Our global team blends international reach with local expertise, offering unique insights to navigate challenging operations.
Key Findings
- Russia has intensified cyber operations in recent months, carried out by various state-sponsored actors
- A collaboration between the intelligence services of 11 Western countries has brought to light the targeted attacks against companies involved in logistics and aid for Ukraine
- Most of the attacks observed have been linked to the GRU Unit 26165, also known as Fancy Bear or APT28
- The cyberattacks provide Russia with real-time intelligence to sabotage or destroy material seen as an obstacle to Russian war efforts
- The cyber campaign aims not only at espionage but also at obtaining data from various sources that provide a bigger picture of ammunition and weapon systems going to the frontline
- The vast amount of data collected from various sources and likely analyzed automatically by AI, and the variety of combined measures deployed, are at a level unseen before
- By creating backdoors in Western digital systems, Russia applies the tactic of “Prepositioning”, intending to further escalate at a later stage if needed
- It is unlikely that Russia will stop its cyber campaign and its use of hybrid means; rather, the less progress it makes on the ground, the more it will rely on them
- Private sector actors and NGOs need to share information more actively within their sectors and in Situation Reports, and should not focus only on “traditional” security concerns
Summary
In recent months, Russian state-sponsored cyber operations have intensified against logistics, tech, and infrastructure firms aiding Ukraine’s defense. Western intelligence agencies have issued coordinated alerts detailing espionage campaigns led by Advanced Persistent Threats (APTs) linked to Russia, including GRU Unit 26165 (also known as Fancy Bear or APT28). These attacks specifically target firms involved in logistics in Ukraine (such as aid delivery, tracking shipments, and supporting military or humanitarian operations) and reflect a shift in digital warfare, directly linking private sector logistics roles to geopolitical conflict.
Understanding this hybrid threat model is essential for private and nonprofit actors to better anticipate, mitigate, and adapt to Russia’s increasingly aggressive digital strategy to support its military objectives. It is widely recognized that Russia is “prepositioning” itself by installing backdoors so it can escalate immediately should it see the need to do so at any point. It is clear that Russia is planning long-term and intends to weaken Western support for Ukraine.