Russian GRU Targeting Western Logistics Entities and Technology Companies

    Date: 08/20/2025

    Severity: High

    Summary

    A Russian state-sponsored cyber espionage campaign has been targeting Western logistics and technology companies, particularly those supporting the coordination, transportation, and delivery of foreign aid to Ukraine. Since 2022 these sectors have faced heightened targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165, tracked in the cybersecurity community under aliases including APT28, Fancy Bear, and Forest Blizzard. The campaign combines previously known tactics, techniques, and procedures (TTPs), and the authoring agencies expect continued targeting of similar entities using the same methods.

    Indicators of Compromise (IOC) List

    Email Addresses:

    md-shoeb@alfathdoor.com.sa

    jayam@wizzsolutions.com

    accounts@regencyservice.in

    m.salim@tsc-me.com

    vikram.anand@4ginfosource.com

    mdelafuente@ukwwfze.com

    sarah@cosmicgold469.co.za

    franch1.lanka@bplanka.com

    commerical@vanadrink.com

    maint@goldenloaduae.com

    karina@bhpcapital.com

    tv@coastalareabank.com

    ashoke.kumar@hbclife.in

    Domains/URLs:

    portugalmail.pt

    mail-online.dk

    email.cz

    seznam.cz

    IP Addresses:

    213.32.252.221

    124.168.91.178

    194.126.178.8

    159.196.128.120

    192.162.174.94

    207.244.71.84

    31.135.199.145

    79.184.25.198

    91.149.253.204

    103.97.203.29

    162.210.194.2

    31.42.4.138

    79.185.5.142

    91.149.254.75

    209.14.71.127

    46.112.70.252

    83.10.46.174

    91.149.255.122

    109.95.151.207

    46.248.185.236

    83.168.66.145

    91.149.255.19

    64.176.67.117

    83.168.78.27

    91.149.255.195

    64.176.69.196

    83.168.78.31

    91.221.88.76

    64.176.70.18

    83.168.78.55

    93.105.185.139

    64.176.70.238

    83.23.130.49

    95.215.76.209

    64.176.71.201

    83.29.138.115

    138.199.59.43

    70.34.242.220

    89.64.70.69

    147.135.209.245

    70.34.243.226

    90.156.4.204

    178.235.191.182

    70.34.244.100

    91.149.202.215

    178.37.97.243

    70.34.245.215

    91.149.203.73

    185.234.235.69

    70.34.252.168

    91.149.219.158

    192.162.174.67

    70.34.252.186

    91.149.219.23

    194.187.180.20

    70.34.252.222

    91.149.223.130

    212.127.78.170

    70.34.253.13

    91.149.253.118

    213.134.184.167

    70.34.253.247

    91.149.253.198

    70.34.254.245

    91.149.253.20

    Filenames:

    calc.war.zip

    news_week_6.zip

    Roadmap.zip

    SEDE-PV-2023-10-09-1_EN.zip

    war.zip

    Zeyilname.zip

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Email Addresses:

    sender IN ("md-shoeb@alfathdoor.com.sa","jayam@wizzsolutions.com","accounts@regencyservice.in","m.salim@tsc-me.com","vikram.anand@4ginfosource.com","mdelafuente@ukwwfze.com","sarah@cosmicgold469.co.za","franch1.lanka@bplanka.com","commerical@vanadrink.com","maint@goldenloaduae.com","karina@bhpcapital.com","tv@coastalareabank.com","ashoke.kumar@hbclife.in") or senderdomain IN ("alfathdoor.com.sa","wizzsolutions.com","regencyservice.in","tsc-me.com","4ginfosource.com","ukwwfze.com","cosmicgold469.co.za","bplanka.com","goldenloaduae.com","bhpcapital.com","coastalareabank.com","hbclife.in")

    The senderdomain clause holds only the domain portion of each address, since that field is never populated with a full address. Domain-level matching widens the net beyond the thirteen listed senders and may flag legitimate mail from the same organizations, so review domain-level hits before adding them to a block list.

    Domains/URLs:

    domainname like "portugalmail.pt" or url like "portugalmail.pt" or siteurl like "portugalmail.pt" or domainname like "mail-online.dk" or url like "mail-online.dk" or siteurl like "mail-online.dk" or domainname like "email.cz" or url like "email.cz" or siteurl like "email.cz" or domainname like "seznam.cz" or url like "seznam.cz" or siteurl like "seznam.cz"

    These four domains are public webmail services, not attacker-registered infrastructure, so this query will also return ordinary traffic to those providers. Use it for hunting and scope the results by the spearphishing timeframe and the affected mailboxes; a hit is a lead to review, not grounds for an automatic block.

    IP Addresses:

    dstipaddress IN ("91.149.255.19","103.97.203.29","207.244.71.84","83.23.130.49","91.149.253.204","70.34.252.222","91.149.255.122","178.37.97.243","91.149.253.118","147.135.209.245","91.149.202.215","70.34.244.100","83.168.78.31","83.10.46.174","95.215.76.209","178.235.191.182","91.149.223.130","213.32.252.221","70.34.253.247","70.34.252.168","46.248.185.236","138.199.59.43","213.134.184.167","89.64.70.69","209.14.71.127","64.176.70.18","46.112.70.252","194.187.180.20","185.234.235.69","91.149.219.158","159.196.128.120","194.126.178.8","64.176.69.196","192.162.174.94","192.162.174.67","124.168.91.178","31.42.4.138","64.176.67.117","64.176.71.201","64.176.70.238","91.221.88.76","70.34.242.220","91.149.219.23","162.210.194.2","91.149.253.198","83.168.66.145","31.135.199.145","79.184.25.198","79.185.5.142","91.149.254.75","109.95.151.207","83.168.78.27","91.149.255.195","83.168.78.55","93.105.185.139","83.29.138.115","70.34.243.226","90.156.4.204","70.34.245.215","91.149.203.73","70.34.252.186","212.127.78.170","70.34.253.13","70.34.254.245","91.149.253.20") or srcipaddress IN ("91.149.255.19","103.97.203.29","207.244.71.84","83.23.130.49","91.149.253.204","70.34.252.222","91.149.255.122","178.37.97.243","91.149.253.118","147.135.209.245","91.149.202.215","70.34.244.100","83.168.78.31","83.10.46.174","95.215.76.209","178.235.191.182","91.149.223.130","213.32.252.221","70.34.253.247","70.34.252.168","46.248.185.236","138.199.59.43","213.134.184.167","89.64.70.69","209.14.71.127","64.176.70.18","46.112.70.252","194.187.180.20","185.234.235.69","91.149.219.158","159.196.128.120","194.126.178.8","64.176.69.196","192.162.174.94","192.162.174.67","124.168.91.178","31.42.4.138","64.176.67.117","64.176.71.201","64.176.70.238","91.221.88.76","70.34.242.220","91.149.219.23","162.210.194.2","91.149.253.198","83.168.66.145","31.135.199.145","79.184.25.198","79.185.5.142","91.149.254.75","109.95.151.207","83.168.78.27","91.149.255.195","83.168.78.55","93.105.185.139","83.29.138.115","70.34.243.226","90.156.4.204","70.34.245.215","91.149.203.73","70.34.252.186","212.127.78.170","70.34.253.13","70.34.254.245","91.149.253.20")

    The list matches the 65 addresses in the IOC section above. Infrastructure addresses are frequently reassigned or shared, so time-scope searches to the advisory period and verify current ownership before promoting any of them from an alert to a block rule.

    Detection Query (Windows Security log, Event ID 4663 object access):

    resourcename = "Windows Security" and eventtype = "4663" and fileobjectname In ( "calc.war.zip","news_week_6.zip","Roadmap.zip","SEDE-PV-2023-10-09-1_EN.zip","war.zip","Zeyilname.zip" )

    Event ID 4663 is only generated when Object Access auditing is enabled and a SACL covers the paths being monitored (for example, user Downloads and mail attachment folders). Without that configuration the query returns nothing and the EDR query is the one that will fire.

    Detection Query (EDR file telemetry):

    technologygroup = "EDR" and fileobjectname In ( "calc.war.zip","news_week_6.zip","Roadmap.zip","SEDE-PV-2023-10-09-1_EN.zip","war.zip","Zeyilname.zip" )
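    The queries above match IOC strings field by field. As an added example, not Gurucul's TDIR code or the CSA's, the following Python applies the same IOC set to constructed log records with the matching logic a practitioner actually wants: the sender's domain extracted from the address rather than compared to the whole address, exact address, IP and filename matches, and domain matches that do not swallow look-alike suffixes such as notemail.cz. Hits on the public webmail providers are tagged for review instead of blocking. The record field names and the sample records are assumptions.

```python
"""Apply the IOC set from this advisory to normalised log records.

Added example; not Gurucul's TDIR code or the CSA's. Record field names
(sender, url, src_ip, dst_ip, file_name) and the sample records below are
assumptions constructed for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Representative subset of the page's IOCs; the full lists drop in unchanged.
IOC_EMAILS = {
    "md-shoeb@alfathdoor.com.sa",
    "jayam@wizzsolutions.com",
    "commerical@vanadrink.com",
}
# Public webmail providers the campaign used. Matching them is useful for
# hunting, but a hit is a lead to review, not grounds for an automatic block.
IOC_WEBMAIL_DOMAINS = {"portugalmail.pt", "mail-online.dk", "email.cz", "seznam.cz"}
IOC_IPS = {ipaddress.ip_address(a) for a in ("213.32.252.221", "91.149.255.19", "70.34.252.222")}
IOC_FILENAMES = {
    "calc.war.zip", "news_week_6.zip", "roadmap.zip",
    "sede-pv-2023-10-09-1_en.zip", "war.zip", "zeyilname.zip",
}


def bare_address(sender: str) -> str:
    """Lower-cased address from 'Display Name <a@b.c>' or plain 'a@b.c'."""
    s = sender.strip()
    if s.endswith(">") and "<" in s:
        s = s[s.rindex("<") + 1:-1]
    return s.lower()


def sender_domain(sender: str) -> str:
    """Domain part of the sender address; '' if there is no '@'."""
    addr = bare_address(sender)
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def url_host(url: str) -> str:
    """Host name of a URL; bare hosts without a scheme are accepted too."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower()


def domain_matches(host: str, domains: Iterable[str]) -> bool:
    """Exact domain or subdomain match; 'notemail.cz' must NOT match 'email.cz'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def basename(path: str) -> str:
    """File name from a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_record(rec: Dict[str, str]) -> List[str]:
    """Return the IOC hits for one record, each tagged with a suggested action."""
    hits: List[str] = []
    sender = rec.get("sender", "")
    if sender:
        if bare_address(sender) in IOC_EMAILS:          # exact address only
            hits.append("block:sender")
        if domain_matches(sender_domain(sender), IOC_WEBMAIL_DOMAINS):
            hits.append("review:webmail-sender")
    host = url_host(rec.get("url", ""))
    if host and domain_matches(host, IOC_WEBMAIL_DOMAINS):
        hits.append("review:webmail-url")
    for key in ("src_ip", "dst_ip"):
        try:
            if ipaddress.ip_address(rec.get(key, "")) in IOC_IPS:
                hits.append(f"block:{key}")
        except ValueError:                               # missing or malformed
            pass
    if basename(rec.get("file_name", "")) in IOC_FILENAMES:
        hits.append("alert:filename")
    return hits


def run(records: Iterable[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map record index -> hits for every record that matched at least one IOC."""
    results: Dict[int, List[str]] = {}
    for i, rec in enumerate(records):
        hits = match_record(rec)
        if hits:
            results[i] = hits
    return results


# Constructed sample telemetry, not real logs.
SAMPLE_RECORDS = [
    {"source": "mail", "sender": "Shoeb <MD-Shoeb@alfathdoor.com.sa>"},
    {"source": "mail", "sender": "someone@seznam.cz"},
    {"source": "mail", "sender": "alice@example.org"},
    {"source": "proxy", "url": "https://email.cz/login?x=1", "dst_ip": "198.51.100.7"},
    {"source": "proxy", "url": "https://notemail.cz/", "dst_ip": "213.32.252.221"},
    {"source": "winsec", "event_id": "4663", "file_name": r"C:\Users\u\Downloads\War.zip"},
    {"source": "edr", "file_name": "/tmp/readme.zip"},
]

if __name__ == "__main__":
    for idx, hits in run(SAMPLE_RECORDS).items():
        print(idx, SAMPLE_RECORDS[idx]["source"], hits)
```

    Running the script on the constructed records flags the display-name-wrapped IOC sender, the seznam.cz sender and the email.cz URL as review items, the IOC destination IP as a block candidate, and the renamed War.zip download as an alert, while the notemail.cz request and the unrelated mail and file are left alone.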

    Reference:

    https://media.defense.gov/2025/May/21/2003719846/-1/-1/0/CSA_RUSSIAN_GRU_TARGET_LOGISTICS.PDF


    Tags: Information Technology, Transportation Systems, Threat Actor, Russian GRU, Russia, Ukraine
