Recent intelligence from Western officials confirms a disturbing escalation in the cyber hybrid warfare landscape: Russian intelligence services (FSB, GRU, SVR) are aggressively bypassing sanctions to acquire Western dual-use technology. This is not opportunistic crime; it is a strategic, state-sponsored campaign targeting semiconductor manufacturers, electronics suppliers, and defense contractors.
The objective is clear: procure restricted technologies—ranging from advanced microelectronics to UAV components—via a network of fake companies, compromised intermediaries, and cyber espionage. These components are subsequently weaponized to support the war in Ukraine and potential attacks on Western critical infrastructure. For defenders, this signifies a heightened threat environment where supply chain entities are now the primary battlefield. If your organization possesses intellectual property (IP) related to electronics, semiconductors, or industrial control systems, you are a target.
Technical Analysis
Affected Assets & Platforms: This campaign targets the intellectual property and logistical data of organizations involved in the design, manufacturing, or distribution of:
- Semiconductors and microcontrollers
- Field-Programmable Gate Arrays (FPGAs)
- Industrial Control Systems (ICS)/SCADA components
- Aerospace and defense electronics
Threat Actors & TTPs: The activity is attributed to Russian APT groups, specifically factions associated with APT29 (Cozy Bear) and Sandworm (GRU), utilizing TTPs mapped to MITRE ATT&CK:
- Initial Access: Spear-phishing targeting procurement officers and engineers (T1566), combined with the exploitation of vulnerabilities in external-facing web services (T1190).
- Collection: Theft of technical schematics, Bill of Materials (BOM), Gerber files, and source code (T1005).
- Resource Development: Creation of shell companies to facilitate the illicit purchase of restricted hardware (T1584).
Exploitation Status: Intelligence indicates active exploitation. These operatives are currently "in the wild," utilizing both cyber intrusions to steal design data and non-technical tradecraft (middlemen recruitment) to physically acquire hardware. The CISA KEV catalog does not list a specific CVE for this campaign, but the actors are known to exploit known vulnerabilities in VPNs and email gateways to gain initial access for espionage purposes.
Detection & Response
Defending against this requires a shift from vulnerability-centric monitoring to data-centric and behavior-centric detection. We must identify the exfiltration of technical designs and the anomalous access to sensitive repositories.
Sigma Rules
The following Sigma rules focus on detecting the collection of high-value engineering files and anomalous command-line activity often associated with data staging for exfiltration.
---
title: Suspicious Access to Sensitive Engineering Design Files
id: 8a2f4c1d-9e3b-4a5c-8f1d-2e3a4b5c6d7e
status: experimental
description: Detects processes accessing or copying file extensions associated with semiconductor and PCB design (.gds, .brd, .sch, .cad), which are high-priority targets for Russian espionage.
references:
- https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2025/04/09
tags:
- attack.collection
- attack.t1005
logsource:
category: file_access
product: windows
detection:
selection:
TargetFilename|endswith:
- '.gds'
- '.gdsii'
- '.brd'
- '.sch'
- '.pcb'
- '.sldprt'
- '.sldasm'
- '.dxf'
- '.dwg'
condition: selection
falsepositives:
- Legitimate engineering work and backup processes
level: high
---
title: Potential Data Staging for Exfiltration via Archive Tools
id: 9b3e5d2e-0f4c-5d6e-9e2f-3f4a5b6c7d8f
status: experimental
description: Detects usage of archiving tools (7-Zip, WinRAR) with high compression or spanning flags in directories containing engineering data, indicative of staging large technical data sets for theft.
references:
- https://attack.mitre.org/techniques/T1560/
author: Security Arsenal
date: 2025/04/09
tags:
- attack.exfiltration
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection_archiver:
Image|endswith:
- '\7z.exe'
- '\winrar.exe'
- '\zip.exe'
selection_params:
CommandLine|contains:
- '-a' # Archive mode
- '-m0' # Compression method
- '-v' # Volumes (splitting)
condition: all of selection_*
falsepositives:
- Administrative backups
level: medium
KQL (Microsoft Sentinel / Defender)
This KQL hunt correlates process execution events involving file archiving with network connections to non-corporate IP ranges, specifically looking for the sequence of staging technical data followed by network egress.
let EngineeringExtensions = dynamic(['.gds', '.brd', '.sch', '.pcb', '.sldprt', '.gerber']);
// Hunt for processes interacting with sensitive engineering files
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any(EngineeringExtensions)
or ProcessVersionInfoOriginalFileName in ('explorer.exe', 'cmd.exe') // Generic accessors often used in scripts
| project DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, Timestamp
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (443, 80) or RemotePort >= 1024 // Potential HTTP/HTTPS exfil or custom ports
| where ActionType == "ConnectionSuccess"
| summarize ConnectionCount = count(), RemoteIPs = make_set(RemoteIP) by DeviceName, bin(Timestamp, 1h)
) on DeviceName
| where Timestamp between (min_Timestamp - 1h) .. (max_Timestamp + 1h)
| project-reorder Timestamp, DeviceName, AccountName, ProcessCommandLine, ConnectionCount, RemoteIPs
Velociraptor VQL
This artifact hunts for the presence of specific sensitive file types on user workstations and identifies recent modifications, which may indicate data theft or unauthorized access.
-- Hunt for sensitive engineering design files modified recently
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs='/**/*.gds', root=('/Users/*', '/home/*'))
WHERE Mtime > now() - 7d
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs='/**/*.brd', root=('/Users/*', '/home/*'))
WHERE Mtime > now() - 7d
-- Check for processes associated with archiving tools
SELECT Pid, Name, Exe, CommandLine, StartTime
FROM pslist()
WHERE Name =~ '7z' OR Name =~ 'zip' OR Name =~ 'tar'
Remediation Script (PowerShell)
This script performs a rapid audit of Access Control Lists (ACLs) on directories commonly used to store engineering IP, ensuring that only authorized groups have access.
# Audit ACLs on sensitive directories
$SensitivePaths = @(
"C:\Projects\Electronics",
"D\Engineering\Schematics",
"\\FileServer01\CAD_Library"
)
$AuthorizedGroups = @("Domain Admins", "Engineering_SG", "R&D_Leads")
Write-Host "[+] Starting ACL Audit for Engineering IP..." -ForegroundColor Cyan
foreach ($Path in $SensitivePaths) {
if (Test-Path $Path) {
Write-Host "[+] Scanning: $Path" -ForegroundColor Yellow
try {
$Acl = Get-Acl -Path $Path
$Access = $Acl.Access | Where-Object { $_.IsInherited -eq $false -and $_.AccessControlType -eq 'Allow' }
foreach ($Ace in $Access) {
$IdentityRef = $Ace.IdentityReference.Value
$IsAuthorized = $false
foreach ($Group in $AuthorizedGroups) {
if ($IdentityRef -like "*$Group*") {
$IsAuthorized = $true
break
}
}
if (-not $IsAuthorized) {
Write-Host "[!] UNAUTHORIZED ACCESS FOUND: $IdentityRef has $($Ace.FileSystemRights) on $Path" -ForegroundColor Red
}
}
}
catch {
Write-Host "[-] Error accessing $Path : $_" -ForegroundColor Red
}
} else {
Write-Host "[-] Path not found: $Path" -ForegroundColor Gray
}
}
Write-Host "[+] Audit Complete." -ForegroundColor Green
Remediation
-
Strict Supply Chain Vetting: Implement a "Know Your Customer" (KYC) and "Know Your Supplier" (KYS) program. Cross-reference new procurement entities against sanctions lists (e.g., US Treasury OFAC, UK Consolidated List) using automated tools. Look for shell companies with vague business descriptions or registered addresses in high-risk jurisdictions.
-
Segmentation of Intellectual Property: Enforce strict network segmentation. Engineering workstations storing CAD/EDA data must be isolated from the general corporate network and the internet. Use Zero Trust principles to verify every access request to design repositories.
-
Data Loss Prevention (DLP): Deploy precise DLP rules targeting file hashes and keywords associated with proprietary semiconductor designs and schematics. Block external uploads to personal cloud storage and unauthorized USB devices.
-
Insider Threat Monitoring: The article explicitly mentions "recruiting middlemen." Increase monitoring of privileged accounts, specifically those with access to BOMs and shipping manifests. Look for anomalous access patterns, such as access during non-business hours or bulk data exports by procurement staff.
-
Patch External Gateways: While the threat is espionage-centric, the initial access often relies on unpatched VPNs or email gateways. Ensure all external-facing infrastructure is patched against the latest CVEs (specifically focusing on Palo Alto Networks, Fortinet, and Cisco vulnerabilities frequently exploited by APT29).
Related Resources
Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.