By Christy Lynch
This post summarizes the CISA advisory issued on May 21, 2025 and offers some additional recommendations from Reveal Security based on similar and recently observed attack patterns targeting SaaS applications and cloud infrastructure.
Reveal Security monitors the overall cyber landscape for unique threats that can evade legacy detection methodologies. This APT28 espionage campaign continues post-authentication (see Post-Compromise TTPs), where so many tools lose visibility. Our unique post-authentication approach adds a critical line of defense against this APT and any similar credential theft attack vector.
On May 21, 2025, a joint cybersecurity advisory (CSA) was issued by 11 allied nations and 21 intelligence agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.K. National Cyber Security Centre (NCSC), and counterparts from Germany, France, Canada, and others. The advisory details an ongoing cyber espionage campaign by Russia’s GRU Unit 26165 – commonly known as APT28 or Fancy Bear – targeting Western logistics and technology firms supporting Ukraine.
Overview of the Campaign
APT28 has been conducting a widespread cyber espionage campaign against logistics and technology companies across NATO member states, Ukraine, and other allied nations. The campaign is intended to collect intelligence on the coordination, transport, and delivery of foreign aid and military support to Ukraine. Primary targets include entities involved in air, sea, and rail logistics, as well as the technology partners that enable these operations.
The group’s tactics extend beyond traditional digital intrusions. APT28 has reportedly accessed legitimate municipal traffic cameras and private surveillance systems near strategic locations, such as border crossings, military bases, and rail hubs, to observe the physical movement of resources. Additionally, reconnaissance was carried out against at least one company involved in producing industrial control components for rail operations – suggesting a multi-vector approach blending physical and cyber intelligence gathering.
Tactics, Techniques, and Procedures (TTPs) Related to Identities
APT28 has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including credential guessing/brute force, spearphishing, modification of Microsoft Exchange mailbox permissions, and several others.
Identity abuse via credential exploitation is foundational to this campaign, allowing the threat actors to impersonate users, bypass traditional access controls, and operate within compromised environments with high stealth. Once inside, APT28 conducted further reconnaissance to identify individuals in sensitive roles, such as cybersecurity personnel or employees coordinating logistics. This intelligence enabled them to tailor their operations, expand access, and avoid detection.
Though these techniques are not novel, they continue to prove effective – especially when organizations lack adequate visibility into post-authentication identity behavior.
For the complete list of techniques observed in this campaign, refer to CISA Advisory AA25-141A.
CISA’s Recommendations for Defenders
CISA recommends that leaders and defenders at logistics and technology companies take the following immediate actions:
“Recognize the elevated threat of APT28 cyber operations and increase monitoring and threat hunting for APT28 activity, particularly TTPs and known indicators of compromise (IOCs). Posture network defenses with a presumption of targeting by APT28.”
– CISA Advisory AA25-141A
This call to action underscores the need for a more proactive, threat-informed defense posture that anticipates compromise rather than waiting for indicators to surface.
Reveal Security’s Recommendations
Reveal Security fully supports the guidance issued in the joint advisory and offers the following additional considerations based on observed attack patterns and current defense gaps.
While breach reporting still often centers around “networks,” “access,” and “known IOCs,” it’s time for defenders to broaden their scope to include their full operational environment – especially cloud infrastructure and SaaS ecosystems. The CISA advisory specifically highlights the exploitation of Microsoft Exchange email permissions. In other organizations, that same technique could just as easily target Gmail, Microsoft 365, or another SaaS platform.
We recommend the following proactive actions:
- Expand Focus Beyond Traditional Network Perimeters
Modern attackers frequently bypass perimeter defenses by targeting cloud infrastructure and SaaS platforms. Defense strategies must evolve to treat these assets as first-tier components requiring continuous monitoring and threat detection.
- Gain Visibility into Critical SaaS Apps and Cloud Infrastructure
Losing visibility after authentication is no longer acceptable. Organizations must be able to detect ‘low and slow’ attacks that have already exploited valid credentials and bypassed preventative identity controls.
- Evaluate Approaches to Detecting Novel Threats
IOC-based monitoring remains important, but so is the ability to identify threats that haven’t been seen before. Security teams need the tools and telemetry to surface risks in SaaS applications and cloud environments that may not match a known signature.
- Extend Your Security Program to Include Post-Authentication Behavioral Analytics
Reveal Security recommends implementing behavioral analytics that can accurately detect novel, anomalous activity across a broad range of SaaS and cloud platforms. These capabilities provide deeper insight into both pre- and post-authentication identity behavior that is critical for identifying threats that traditional defenses routinely miss.
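As an added illustration of what post-authentication detection looks like in practice, the script below is example code written for this post, not Reveal Security's product or anything from the CISA advisory. It runs two of the identity-focused checks the advisory motivates over a handful of constructed audit events: a credential brute-force burst that ends in a successful sign-in, and a Microsoft Exchange mailbox permission grant made by an account outside the approved admin set (or by a user granting FullAccess to itself). It then correlates the two by actor and source IP, which is the kind of "already authenticated, now changing permissions" sequence that signature-only monitoring tends to miss. The event field names (`ts`, `actor`, `op`, `ip`, `params`) are a simplified, assumed schema for the example, not any vendor's exact log format; the operation names mirror common Exchange/M365 audit operations but the records themselves are constructed.

```python
"""Toy post-authentication detections (example code, not the page's or any vendor's).
Event records are constructed; the field names are an assumed simplified schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts allowed to delegate mailbox access (assumed for the example).
APPROVED_ADMINS = {"exchange-admin@example.test"}

# Constructed sample events, ordered roughly as an attack would unfold.
SAMPLE_EVENTS = [
    # Five failed sign-ins for one account from one IP, then a success.
    {"ts": "2025-05-20T08:00:01", "actor": "j.doe@example.test", "op": "UserLoginFailed", "ip": "203.0.113.7"},
    {"ts": "2025-05-20T08:00:06", "actor": "j.doe@example.test", "op": "UserLoginFailed", "ip": "203.0.113.7"},
    {"ts": "2025-05-20T08:00:12", "actor": "j.doe@example.test", "op": "UserLoginFailed", "ip": "203.0.113.7"},
    {"ts": "2025-05-20T08:00:19", "actor": "j.doe@example.test", "op": "UserLoginFailed", "ip": "203.0.113.7"},
    {"ts": "2025-05-20T08:00:30", "actor": "j.doe@example.test", "op": "UserLoginFailed", "ip": "203.0.113.7"},
    {"ts": "2025-05-20T08:00:40", "actor": "j.doe@example.test", "op": "UserLoggedIn", "ip": "203.0.113.7"},
    # Post-authentication: the same account grants itself FullAccess to another mailbox.
    {"ts": "2025-05-20T08:05:10", "actor": "j.doe@example.test", "op": "Add-MailboxPermission", "ip": "203.0.113.7",
     "params": {"Identity": "logistics@example.test", "User": "j.doe@example.test", "AccessRights": "FullAccess"}},
    # Benign: an approved admin delegates a shared mailbox to a colleague.
    {"ts": "2025-05-20T09:15:00", "actor": "exchange-admin@example.test", "op": "Add-MailboxPermission", "ip": "198.51.100.5",
     "params": {"Identity": "shared@example.test", "User": "a.smith@example.test", "AccessRights": "FullAccess"}},
    # Benign: one typo, then a normal sign-in.
    {"ts": "2025-05-20T09:20:00", "actor": "a.smith@example.test", "op": "UserLoginFailed", "ip": "198.51.100.9"},
    {"ts": "2025-05-20T09:20:08", "actor": "a.smith@example.test", "op": "UserLoggedIn", "ip": "198.51.100.9"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_bruteforce_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Return (actor, ip, failure_count) for each successful sign-in that was
    preceded by at least `min_failures` failures from the same IP within `window`."""
    failures = defaultdict(list)  # (actor, ip) -> timestamps of recent failures
    hits = []
    for e in sorted(events, key=_ts):
        key = (e["actor"], e["ip"])
        if e["op"] == "UserLoginFailed":
            failures[key].append(_ts(e))
        elif e["op"] == "UserLoggedIn":
            recent = [t for t in failures[key] if _ts(e) - t <= window]
            if len(recent) >= min_failures:
                hits.append((e["actor"], e["ip"], len(recent)))
            failures[key].clear()  # a success ends the burst either way
    return hits


def detect_suspicious_mailbox_grants(events, approved_admins):
    """Flag Add-MailboxPermission operations performed by non-approved accounts,
    and any actor granting itself FullAccess to a mailbox."""
    findings = []
    for e in events:
        if e["op"] != "Add-MailboxPermission":
            continue
        p = e["params"]
        reasons = []
        if e["actor"] not in approved_admins:
            reasons.append("actor is not an approved mailbox admin")
        if p.get("AccessRights") == "FullAccess" and p.get("User") == e["actor"]:
            reasons.append("actor granted FullAccess to itself")
        if reasons:
            findings.append({"actor": e["actor"], "ip": e["ip"], "mailbox": p["Identity"],
                             "grantee": p["User"], "reasons": reasons})
    return findings


def correlate(events, approved_admins):
    """Raise a mailbox-grant finding to 'high' severity when the same actor/IP pair
    also tripped the brute-force detection; otherwise leave it at 'medium'."""
    brute = {(a, ip) for a, ip, _ in detect_bruteforce_then_success(events)}
    results = []
    for f in detect_suspicious_mailbox_grants(events, approved_admins):
        f = dict(f, severity="high" if (f["actor"], f["ip"]) in brute else "medium")
        results.append(f)
    return results


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS, APPROVED_ADMINS):
        print(finding)
```

On the constructed sample this yields one high-severity finding: the account that survived a five-failure burst from 203.0.113.7 then granted itself FullAccess to another mailbox from the same IP, while the approved admin's delegation and the single-typo sign-in produce nothing. Real deployments would read these events from the tenant's audit export and tune the failure threshold and window per environment; the point of the example is the correlation across the authentication boundary, not the specific numbers.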
APT28’s methods make clear how easily attackers can blend into legitimate workflows once they’ve obtained valid credentials. Behavioral analytics across SaaS applications and cloud infrastructure is essential for detecting and responding to these in-progress campaigns before they escalate.
For further technical details, indicators of compromise, and detection guidance, consult the full CISA Advisory AA25-141A.
To learn more about Reveal Security’s identity behavior analytics solution for SaaS and cloud infrastructure, visit our platform page.