During the action day, authorities in both countries seized assets worth at least several millions euros, including apartments and companies, as well as various luxury vehicles. . Large amounts of cash and quantities of cocaine and heroin were also seized. A full and complete evaluation of the seizures will be carried out in the coming days.
No complete estimate of the total profits of the cooperation between the three OCGs is available. However, information obtained through the JIT shows that the criminal networks were involved in payments, often in cash, of close to EUR 5 million and the trafficking of at least 1 800 kilos of cocaine and heroin.
Investigations into the linked criminal organisations were initiated in 2016 by the Public Prosecutor’s Office of Bari and the Special Anti-Corruption and Organised Crime Prosecutor’s Office of Tirana and the Albanian Police. On the Albanian side, one OCG, which operated from Durres, was responsible for the transport and wholesale distribution of large quantities of cocaine, heroin and cannabis trafficked between the Balkans, Northern Europe, South America and Puglia in Italy.
Two Italian-led criminal gangs carried out the cutting and packaging of illicit drugs and supplied cocaine and heroin from Latin America and Turkey to local gangs in organisations in Bari, Brindisi and Lecce.
The arrests in Italy and Albania are the result of a long-term collaboration through the JIT. This involved the use of wiretaps, intensive video surveillance, the monitoring of suspects and the analysis of encrypted chats. These chats were decrypted following intensive cooperation through Eurojust.
Since 2020, Eurojust has supported the authorities in Italy and Albania with the JIT. Furthermore, the Agency provided assistance with the execution of requests for Mutual Legal Assistance during the action day and gave cross-border judicial support. Albania is one of the twelve countries outside the European Union with a Liaison Prosecutor at Eurojust. The investigations were also coordinated and supported by the office of the dedicated security expert at the Italian Embassy in Tirana.
The judicial cooperation between Italy and Albania has already proven effective in recent years. Between 2018 and 2021, the Anti-Mafia Investigation Directorate of Bari issued and executed 118 arrest warrants against alleged drug traffickers operating in both countries. As a result, various defendants were sentenced up to 20 years imprisonment.
This week’s operation was carried out at the request of and by the following authorities:
Italy: Public Prosecutor’s Office Bari – District Anti-Mafia Directorate; Anti-Mafia Investigation Directorate Bari, under the coordination of the National Anti-Mafia and Anti-Terrorism Directorate Rome, with support of the Office of the Security Expert at the Italian Embassy in Tirana
Albania: Special Anti-Corruption and Organised Crime Prosecutor’s Office (SPAK) of Tirana; Albanian Police
As soon as snow melted from Russia’s Zabaykal’skiy Kray in mid-March 2025, satellites began detecting large numbers of wildland fires burning in the grasslands and forests surrounding Chita, the territory’s capital. Two months later, fires continued to rage around the city. The MODIS (Moderate Resolution Imaging Spectroradiometer) on NASA’s Aqua satellite captured this image of smoke streaming from multiple fires near Chita on May 19, 2025. The city, a stop along the Trans-Siberian Railway, has a population of about 350,000. News reports indicate that fires were active on the city’s outskirts on May 20 and were edging closer to the city center as firefighters worked amid dry, windy conditions. On May 20, 2025, Russia’s Aerial Protection Service reported 49 fires burning across nearly 700,000 hectares (2,700 square miles) in six regions of the country. Thirty-three fires were in Zabaykal’skiy (also called Transbaikal) and nine in Buryatiya, both of which border Mongolia. Russian officials reported deploying 2,700 personnel and 13 aircraft to fight the fires, including more than 1,000 paratroopers and airborne troops in Zabaykal’skiy. NASA Earth Observatory image by Michala Garrison, using MODIS data from NASA EOSDIS LANCE and GIBS/Worldview. Story by Adam Voiland.
In a first, researchers from NASA and Virginia Tech used satellite data to measure the height and speed of potentially hazardous flood waves traveling down U.S. rivers. The three waves they tracked were likely caused by extreme rainfall and by a loosened ice jam. While there is currently no database that compiles satellite data on river flood waves, the new study highlights the potential of space-based observations to aid hydrologists and engineers, especially those working in communities along river networks with limited flood control structures such as levees and flood gates. Unlike ocean waves, which are ordinarily driven by wind and tides, and roll to shore at a steady clip, river waves (also called flood or flow waves) are temporary surges stretching tens to hundreds of miles. Typically caused by rainfall or seasonal snowmelt, they are essential to shuttling nutrients and organisms down a river. But they can also pose hazards: Extreme river waves triggered by a prolonged downpour or dam break can produce floods. “Ocean waves are well known from surfing and sailing, but rivers are the arteries of the planet. We want to understand their dynamics,” said Cedric David, a hydrologist at NASA’s Jet Propulsion Laboratory in Southern California and a coauthor of a new study published May 14 in Geophysical Research Letters.
Measuring Speed and Size To search for river waves for her doctoral research, lead author Hana Thurman of Virginia Tech turned to a spacecraft launched in 2022. The SWOT (Surface Water and Ocean Topography) satellite is a collaboration between NASA and the French space agency CNES (Centre National d’Études Spatiales). It is surveying the height of nearly all of Earth’s surface waters, both fresh and salty, using its sensitive Ka-band Radar Interferometer (KaRIn). The instrument maps the elevation and width of water bodies by bouncing microwaves off the surface and timing how long the signal takes to return. “In addition to monitoring total storage of waters in lakes and rivers, we zoom in on dynamics and impacts of water movement and change,” said Nadya Vinogradova Shiffer, SWOT program scientist at NASA Headquarters in Washington. Thurman knew that SWOT has helped scientists track rising sea levels near the coast, spot tsunami slosh, and map the seafloor, but could she identify river height anomalies in the data indicating a wave on the move? She found that the mission had caught three clear examples of river waves, including one that arose abruptly on the Yellowstone River in Montana in April 2023. As the satellite passed overhead, it observed a 9.1-foot-tall (2.8-meter-tall) crest flowing toward the Missouri River in North Dakota. It was divided into a dramatic 6.8-mile-long (11-kilometer-long) peak followed by a more drawn‐out tail. These details are exciting to see from orbit and illustrate the KaRIn instrument’s uniquely high spatial resolution, Thurman said. Sleuthing through optical Sentinel-2 imagery of the area, she determined that the wave likely resulted from an ice jam breaking apart upstream and releasing pent-up water. The other two river waves that Thurman and the team found were triggered by rainfall runoff. One, spotted by SWOT starting on Jan. 25, 2024, on the Colorado River south of Austin, Texas, was associated with the largest flood of the year on that section of river. Measuring over 30 feet (9 meters) tall and 166 miles (267 kilometers) long, it traveled around 3.5 feet (1.07 meters) per second for over 250 miles (400 kilometers) before discharging into Matagorda Bay. The other wave originated on the Ocmulgee River near Macon, Georgia, in March 2024. Measuring over 20 feet (6 meters) tall and extending more than 100 miles (165 kilometers), it traveled about a foot (0.33 meters) per second for more than 124 miles (200 kilometers). “We’re learning more about the shape and speed of flow waves, and how they change along long stretches of river,” Thurman said. “That could help us answer questions like, how fast could a flood get here and is infrastructure at risk?” Complementary Observations Engineers and water managers measuring river waves have long relied on stream gauges, which record water height and estimate discharge at fixed points along a river. In the United States, stream gauge networks are maintained by agencies including the U.S. Geological Survey. They are sparser in other parts of the world. “Satellite data is complementary because it can help fill in the gaps,” said study supervisor George Allen, a hydrologist and remote sensing expert at Virginia Tech. If stream gauges are like toll booths clocking cars as they pass, SWOT is like a traffic helicopter taking snapshots of the highway. The wave speeds that SWOT helped determine were similar to those calculated using gauge data alone, Allen said, showing how the satellite could help monitor waves in river basins without gauges. Knowing where and why river waves develop can help scientists tracking changing flood patterns around the world. Orbiting Earth multiple times each day, SWOT is expected to observe some 55% of large-scale floods at some stage in their life cycle. “If we see something in the data, we can say something,” David said of SWOT’s potential to flag dangerous floods in the making. “For a long time, we’ve stood on the banks of our rivers, but we’ve never seen them like we are now.” More About SWOT The SWOT satellite was jointly developed by NASA and CNES, with contributions from the Canadian Space Agency (CSA) and the UK Space Agency. NASA’s Jet Propulsion Laboratory, managed for the agency by Caltech in Pasadena, California, leads the U.S. component of the project. For the flight system payload, NASA provided the Ka-band radar interferometer (KaRIn) instrument, a GPS science receiver, a laser retroreflector, a two-beam microwave radiometer, and NASA instrument operations. The Doppler Orbitography and Radioposition Integrated by Satellite system, the dual frequency Poseidon altimeter (developed by Thales Alenia Space), the KaRIn radio-frequency subsystem (together with Thales Alenia Space and with support from the UK Space Agency), the satellite platform, and ground operations were provided by CNES. The KaRIn high-power transmitter assembly was provided by CSA. News Media Contacts Jane J. Lee / Andrew WangJet Propulsion Laboratory, Pasadena, Calif.818-354-0307 / 626-379-6874Written by Sally Younger2025-074
News In Brief – Source: US Computer Emergency Readiness Team
Executive Summary
This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.
This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.
The following authors and co-sealers are releasing this CSA:
United States National Security Agency (NSA)
United States Federal Bureau of Investigation (FBI)
United Kingdom National Cyber Security Centre (NCSC-UK)
Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
United States Cybersecurity and Infrastructure Security Agency (CISA)
United States Department of Defense Cyber Crime Center (DC3)
United States Cyber Command (USCYBERCOM)
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Canadian Centre for Cyber Security (CCCS)
Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
Estonian Foreign Intelligence Service (EFIS) Välisluureamet
Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst
Download the PDF version of this report:
Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)
For a downloadable list of IOCs, visit:
Introduction
For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments. Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.
Description of Targets
The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations:
Defense Industry
Transportation and Transportation Hubs (ports, airports, etc.)
Maritime
Air Traffic Management
IT Services
In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].
The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].
The countries with targeted entities include the following, as illustrated in Figure 1:
Bulgaria
Czech Republic
France
Germany
Greece
Italy
Moldova
Netherlands
Poland
Romania
Slovakia
Ukraine
United States
Figure 1: Countries with Targeted Entities
Initial Access TTPs
To gain initial access to targeted entities, unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to):
The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]
Credential Guessing/Brute Force
Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573].
Spearphishing
GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient.
Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:
Webhook[.]site
FrgeIO
InfinityFree
Dynu
Mocky
Pipedream
Mockbin[.]org
The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].
CVE Usage
Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].
Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE.
Post-Compromise TTPs
After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].
The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services command:
C:Windowssystem32ntdsutil.exe "activate instance ntds" ifm "create full C:temp[a-z]{3}" quit quit
Figure 2: Example Active Directory Domain Services command
Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].
Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]
After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including:
sender,
recipient,
train/plane/ship numbers,
point of departure,
destination,
container registration numbers,
travel route, and
cargo contents.
In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.
Malware
Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:
HEADLACE [7]
MASEPIE [8]
While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggest that they could be deployed against logistics and IT entities should the need arise.
Persistence
In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence.
Exfiltration
GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure.
The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected.
Connections to Targeting of IP Cameras
In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams.
The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.
Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration.
From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:
Table 1: Geographic distribution of targeted IP cameras
Country
Percentage of Total Attempts
Ukraine
81.0%
Romania
9.9%
Poland
4.0%
Hungary
2.8%
Slovakia
1.7%
Others
0.6%
Mitigation Actions
General Security Mitigations
Architecture and Configuration
Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
Utilize endpoint, detection, and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM] first.
Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.
Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].
*.000[.]pe
*.1cooldns[.]com
*.42web[.]io
*.4cloud[.]click
*.accesscan[.]org
*.bumbleshrimp[.]com
*.camdvr[.]org
*.casacam[.]net
*.ddnsfree[.]com
*.ddnsgeek[.]com
*.ddnsguru[.]com
*.dynuddns[.]com
*.dynuddns[.]net
*.free[.]nf
*.freeddns[.]org
*.frge[.]io
*.glize[.]com
*.great-site[.]net
*.infinityfreeapp[.]com
*.kesug[.]com
*.loseyourip[.]com
*.lovestoblog[.]com
*.mockbin[.]io
*.mockbin[.]org
*.mocky[.]io
*.mybiolink[.]io
*.mysynology[.]net
*.mywire[.]org
*.ngrok[.]io
*.ooguy[.]com
*.pipedream[.]net
*.rf[.]gd
*.urlbae[.]com
*.webhook[.]site
*.webhookapp[.]com
*.webredirect[.]org
*.wuaze[.]com
Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
Identity and Access Management
Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques:
Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
Use account throttling or account lockout [D3-ANET]:
Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
IP Camera Mitigations
The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:
Ensure IP cameras are currently supported. Replace devices that are out of support.
Apply security patches and firmware updates to all IP cameras [D3-SU].
Disable remote access to the IP camera, if unnecessary [D3-ITF].
Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
If supported, enable authenticated RTSP access only [D3-AA].
Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
Configure, tune, and monitor logging—if available—on the IP camera.
Indicators of Compromise (IOCs)
Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when basing triaging logs or developing detection rules on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.
Utilities and scripts
Legitimate utilities
Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:
ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
wevtutil – A legitimate Windows executable used by threat actors to delete event logs
vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
ADexplorer – A legitimate window executable to view, edit, and backup Active Directory Certificate Services
OpenSSH – The Windows version of a legitimate open source SSH client
schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
whoami – A legitimate Windows executable used to retrieve the name of the current user
tasklist – A legitimate Windows executable used to retrieve the list of running processes
hostname – A legitimate Windows executable used to retrieve the device name
arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
net – A legitimate Windows executable used to retrieve detailed user information
wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
cacls – A legitimate Windows executable used to modify permissions on files
icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
ssh – A legitimate Windows executable used to establish network shell connections
reg – A legitimate Windows executable used to add to or modify the system registry
Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.
Malicious scripts
Certipy – An open source python tool for enumerating and abusing Active Directory Certificate Services
Get-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy Preferences
ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
Hikvision backdoor string: “YWRtaW46MTEK”
Suspicious command lines
While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:
edge.exe “-headless-new -disable-gpu”
ntdsutil.exe “activate instance ntds” ifm “create full C:temp[a-z]{3}” quit quit
Disclaimer: These IP addresses date June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
June 2024
July 2024
August 2024
192[.]162[.]174[.]94
207[.]244[.]71[.]84
31[.]135[.]199[.]145
79[.]184[.]25[.]198
91[.]149[.]253[.]204
103[.]97[.]203[.]29
162[.]210[.]194[.]2
31[.]42[.]4[.]138
79[.]185[.]5[.]142
91[.]149[.]254[.]75
209[.]14[.]71[.]127
46[.]112[.]70[.]252
83[.]10[.]46[.]174
91[.]149[.]255[.]122
109[.]95[.]151[.]207
46[.]248[.]185[.]236
83[.]168[.]66[.]145
91[.]149[.]255[.]19
64[.]176[.]67[.]117
83[.]168[.]78[.]27
91[.]149[.]255[.]195
64[.]176[.]69[.]196
83[.]168[.]78[.]31
91[.]221[.]88[.]76
64[.]176[.]70[.]18
83[.]168[.]78[.]55
93[.]105[.]185[.]139
64[.]176[.]70[.]238
83[.]23[.]130[.]49
95[.]215[.]76[.]209
64[.]176[.]71[.]201
83[.]29[.]138[.]115
138[.]199[.]59[.]43
70[.]34[.]242[.]220
89[.]64[.]70[.]69
147[.]135[.]209[.]245
70[.]34[.]243[.]226
90[.]156[.]4[.]204
178[.]235[.]191[.]182
70[.]34[.]244[.]100
91[.]149[.]202[.]215
178[.]37[.]97[.]243
70[.]34[.]245[.]215
91[.]149[.]203[.]73
185[.]234[.]235[.]69
70[.]34[.]252[.]168
91[.]149[.]219[.]158
192[.]162[.]174[.]67
70[.]34[.]252[.]186
91[.]149[.]219[.]23
194[.]187[.]180[.]20
70[.]34[.]252[.]222
91[.]149[.]223[.]130
212[.]127[.]78[.]170
70[.]34[.]253[.]13
91[.]149[.]253[.]118
213[.]134[.]184[.]167
70[.]34[.]253[.]247
91[.]149[.]253[.]198
70[.]34[.]254[.]245
91[.]149[.]253[.]20
Detections
Customized NTLM listener
rule APT28_NTLM_LISTENER {
meta:
description = "Detects NTLM listeners including APT28's custom one"
( any of ($sysinternals_*) and any of ($psexec_*) )
or
( 2 of ($network_*) and 2 of ($psexec_*))
)
}
The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G0007 and commonly used within the cybersecurity community:
APT28 [14]
Fancy Bear [14]
Forest Blizzard [14]
Blue Delta [15]
Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.
Further Reference
To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc.
For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule: https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar
Works Cited
[1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/ [2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF [3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF [4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/ [5] ANSSI. Targeting and compromise of french entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/ [6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/ [7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/ [8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894 [9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF [10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF [11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html [12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF [13] NSA and CSA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF
[14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian [15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf
Disclaimer of endorsement
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Contact
United States organizations
National Security Agency (NSA)
Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
U.S. organizations are encouraged to reporting suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment user for the activity; the name of the submitting company or organization; and a designated point of contact.
Department of Defense Cyber Crime Center (DC3)
United Kingdom organizations
Germany organizations
Czech Republic organizations
Poland organizations
Australian organizations
Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations
Estonia organizations
French organizations
French organizations are encouraged to report suspicious activity or incident related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18.
See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.
Table 2: Reconnaissance
Tactic/Technique Title
ID
Use
Reconnaissance
TA0043
Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.
Conducted contact information reconnaissance to identify additional targets in key positions.
Gather Victim Org Information
T1591
Conducted reconnaissance of the cybersecurity department.
Gather Victim Org Information: Identify Roles
T1591.004
Conducted reconnaissance of individuals responsible for coordinating transport.
Gather Victim Org Information: Business Relationships
T1591.002
Conducted reconnaissance of other companies cooperating with the victim entity.
Gather Victim Host Information
T1592
Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.
Table 3: Resource development
Tactic/Technique Title
ID
Use
Compromise Accounts: Email Accounts
T1586.002
Sent phishing emails using compromised accounts.
Compromise Accounts: Cloud Accounts
T1586.003
Sent phishing emails using compromised accounts.
Table 4: Initial Access
Tactic/Technique Title
ID
Use
Trusted Relationship
T1199
Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
Phishing
T1566
Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
Phishing: Spearphishing Attachment
T1566.001
Sent emails with malicious attachments.
Phishing: Spearphishing Link
T1566.002
Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
Phishing: Spearphishing Voice
T1566.004
Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
External Remote Services
T1133
Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
Exploit Public-Facing Application
T1190
Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
Content Injection
T1659
Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive.
Table 5: Execution
Tactic/Technique Title
ID
Use
User Execution: Malicious Link
T1204.001
Used malicious links to hosted shortcuts in spearphishing.
User Execution: Malicious File
T1204.002
Delivered malware executables via spearphishing.
Scheduled Task/Job: Scheduled Task
T1053.005
Used scheduled tasks to establish persistence.
Command and Scripting Interpreter
T1059
Delivered scripts in spearphishing. Executed arbitrary shell commands.
Command and Scripting Interpreter: PowerShell
T1059.001
PowerShell commands were often used to prepare data for exfiltration.
Command and Scripting Interpreter: Windows Command Shell
T1059.003
Used BAT script in spearphishing.
Command and Scripting Interpreter: Visual Basic
T1059.005
Used VBScript in spearphishing.
Command and Scripting Interpreter: Python
T1059.006
Installed python on infected machines to enable the execution of Certipy.
Enrolled compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access.
Hijack Execution Flow: DLL Search Order Hijacking
T1574.001
Used DLL search order hijacking to facilitate malware execution.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.001
Used run keys to establish persistence.
Boot or Logon Autostart Execution: Shortcut Modification
T1547.009
Placed malicious shortcuts in the startup folder to establish persistence.
Table 7: Defense Evasion
Tactic/Technique Title
ID
Use
Indicator Removal: Clear Windows Event Logs
T1070.001
Deleted event logs through the wevtutil utility.
Table 8: Credential access
Tactic/Technique Title
ID
Use
Brute Force
Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
Brute Force: Password Guessing
T1110.001
Used credential guessing to gain initial access to targeted entities.
Brute Force: Password Spraying
T1110.003
Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.
Multi-Factor Authentication Interception
Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.
Input Capture
Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.
Forced Authentication
Used an Outlook NTLM vulnerability to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.
OS Credential Dumping: NTDS
T1003.003
Attempted to dump Active Directory NTDS.dit domain databases.
Unsecured Credentials: Group Policy Preferences
T1552.006
Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py.
Table 9: Discovery
Tactic/Technique Title
ID
Use
Account Discovery: Domain Account
T1087.002
Used a modified ldap-dump.py to enumerate the Windows environment.
Table 10: Command and Control
Tactic/Technique Title
ID
Use
Hide Infrastructure
T1665
Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.
Proxy: External Proxy
T1090.002
Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers.
Proxy: Multi-hop Proxy
T1090.003
Used Tor and commercial VPNs as part of their anonymization infrastructure
Encrypted Channel
T1573
Connected to victim infrastructure using encrypted TLS.
Multi-Stage Channels
T1104
Used multi-stage redirectors for campaigns.
Table 11: Defense evasion (mobile framework)
Tactic/Technique Title
ID
Use
Execution Guardrails
Used multi-stage redirectors to verify browser fingerprints in some campaigns.
Execution Guardrails: Geofencing
T1627.001
Used multi-stage redirectors to verify IP-geolocation in some campaigns.
Table 12: Lateral movement
Tactic/Technique Title
ID
Use
Lateral Movement
Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.
Remote Services: Remote Desktop Protocol
T1021.001
Moved laterally within the network using RDP.
Table 13: Collection
Tactic/Technique Title
ID
Use
Email Collection
Retrieved sensitive data from email servers.
Email Collection: Remote Email Collection
T1114.002
Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers.
Automated Collection
Used periodic EWS queries to collect new emails.
Video Capture
Attempted to gain access to the cameras’ feeds.
Archive Collected Data
Accessed files were archived in .zip files prior to exfiltration.
Archive Collected Data: Archive via Utility
T1560.001
Prepared zip archives for upload to the actors’ infrastructure.
Table 14: Exfiltration
Tactic/Technique Title
ID
Use
Exfiltration Over Alternative Protocol
Attempted to exfiltrate archived data via a previously dropped OpenSSH binary.
Scheduled Transfer
Used periodic EWS queries to collect new emails sent and received since the last data exfiltration.
Appendix B: CVEs exploited
Table 15: Exploited CVE information
CVE
Vendor/Product
Details
CVE-2023-38831
RARLAB WinRAR
Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
CVE-2023-23397
Microsoft Outlook
External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim.
CVE-2021-44026
Roundcube Webmail
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params.
CVE-2020-35730
Roundcube Webmail
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
CVE-2020-12641
Roundcube Webmail
Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.
Appendix C: MITRE D3FEND Countermeasures
Table 16: MITRE D3FEND countermeasures
Countermeasure Title
ID
Details
Network Isolation
Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
Access Mediation
Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
Inbound Traffic Filtering
Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement.
Resource Access Pattern Analysis
Use automated tools to audit access logs for security concerns and identify anomalous access requests.
Outbound Traffic Filtering
Block NTLM/SMB requests to external infrastructure.
Platform Monitoring
Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers.
System File Analysis
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.
Application Hardening
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
Application-based Process Isolation
Enable attack surface reduction rules to prevent executable content from email.
Executable Allowlisting
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.
Execution Isolation
Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
Application Configuration Hardening
Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
Process Spawn Analysis
Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
URL Reputation Analysis
Use services that provide enhanced browsing services and safe link checking.
Network Access Mediation
Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
DNS Denylisting
D3-DNSDL
Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
Domain Name Reputation Analysis
Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
Multi-factor Authentication
Use MFA with strong factors and require regular re-authentication, especially for management accounts.
Job Function Access Pattern Analysis
D3-JFAPA
Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts.
User Account Permissions
Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
Token-based Authentication
Reduce reliance on passwords; instead, consider using services like single sign-on.
Credential Hardening
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
Authentication Event Threshholding
Use account throttling or account lockout. Throttling progressively increases time delay between successive login attempts. If using account lockout, allow between 5 to 10 attempts before lockout.
Strong Password Policy
Use a service to check for compromised passwords before using them.
Credential Rotation
Change all default credentials.
Encrypted Tunnels
Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
Software Update
Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
Agent Authentication
Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
User Behavior Analysis
Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
News In Brief – Source: US Computer Emergency Readiness Team
Today, CISA, the National Security Agency, the Federal Bureau of Investigation, and other U.S. and international partners released a joint Cybersecurity Advisory, Russian GRU Targeting Western Logistics Entities and Technology Companies.
This advisory details a Russian state-sponsored cyber espionage-oriented campaign targeting technology companies and logistics entities, including those involved in the coordination, transport, and delivery of foreign assistance to Ukraine.
Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, military unit 26165 cyber actors are using a mix of previously disclosed tactics, techniques, and procedures (TTPs) and are likely connected to these actors’ widescale targeting of IP cameras in Ukraine and bordering NATO nations.
Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of until 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise, and posture network defenses with a presumption of targeting. For more information on Russian state-sponsored threat actor activity, see CISA’s Russia Cyber Threat Overview and Advisories page.
The Schengen Borders Code[1] defines a border guard as ‘any public official assigned, in accordance with national law, to a border crossing point or along the border or the immediate vicinity of that border who carries out […] border control tasks’ . It follows that Member States have discretion in designating the public officials authorised to exercise the functions of border guards. In accordance with Article 39(1)(d) of the Schengen Borders Code, Member States are required to notify the Commission of the list of the national services responsible for border control.
As for Frontex, the European Border and Coast Guard ( EBCG) Regulation[2] clarifies that the EBCG shall implement European integrated border management as a shared responsibility of the Agency and of the national authorities responsible for border management, including coast guards, as well as the national authorities responsible for return. Member States retain primary responsibility for the management of their sections of the external borders. It remains the prerogative of the Member State to designate the responsible national authorities to cooperate with Frontex in the implementation of these tasks.
[1] Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code).
[2] Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 November 2019 on the European Border and Coast Guard and repealing Regulations (EU) No 1052/2013 and (EU) 2016/1624.
The Code of Practice on general-purpose artificial intelligence (AI) models will set out commitments to which providers of such models may voluntarily adhere to demonstrate compliance with the relevant provisions under the AI Act[1].
The AI Office has facilitated the drawing-up of the Code, with working groups chaired by independent experts involving nearly 1 000 stakeholders, Member States representatives, and observers. As the main addressees of the Code, general-purpose AI model providers are invited to dedicated workshops with the chairs and vice-chairs.
The European AI Office is supporting the appointed chairs and vice-chairs drafting a simple but effective Code at the current state of the art. An adequate Code, to be assessed by the AI Office and the AI Board, would cover the relevant obligations in the AI Act, without going beyond it. Signatories to the Code can benefit from reduced administrative burden and increased trust by the AI Office.
Moreover, the AI Act as a product safety legislation is designed to complement and facilitate[2] the EU data protection law, while avoiding overlaps. When both apply[3], market surveillance authorities should cooperate with authorities supervising fundamental rights legislation[4]. The Commission will issue guidelines on the interplay with other EU laws to ensure effective and consistent implementation across the EU[5].
The Commission aims to cooperate with the European Data Protection Board (EDPB) to help AI providers and deployers understand and comply with their obligations under both acts. The EDPB has adopted an opinion under the General Data Protection Regulation’s (GDPR) consistency mechanism, addressed to the data protection authorities, on the application of the GDPR to AI models[6], thereby seeking EU-wide harmonised application. The Commission has also proposed GDPR procedural rules regulation[7], which harmonises procedural rules in cross-border cases.
[1] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (AI Act), OJ L, 2024/1689.
[3] This is the case when personal data processing is involved in the development and use of AI systems subject to requirements under the AI Act. See Article 2(7) and Recital (10) AI Act.
[4] See authorities designated under Article 77 AI Act that includes data protection authorities.
[6] EDPB Opinion 28/2024, available at: https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-282024-certain-data-protection-aspects_en.
[7] Proposal for a regulation of the European Parliament and of the Council laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679, COM/2023/348 final. Currently under negotiation.
1. The Water Resilience Strategy will offer a comprehensive vision for water-related policies. It will build on the solid existing acquis and focus on how to better implement rules for sustainable freshwater management, including the Floods Directive[1] and marine protection. It aims to improve source-to-sea water governance and awareness, enhance prevention and preparedness across economic sectors and society, enhance access to information and funding, and boost innovation. This will increase the EU’s preparedness against rapid swings between weather extremes.
The Drinking Water Directive[2] mainly regulates the quality of drinking water by setting standards for certain pollutants and requires Member States to comply with them . The directive includes provisions on risk assessment and management, meaning that local authorities must monitor changes in source water quantity and quality due to drought or floods, and adjust treatment processes accordingly. The directive’s provisions on reducing water leakage levels, restrictions of use, derogations, access to water and information to the public could also prove relevant in case of ‘climate whiplashes’. Cities vulnerable to these phenomena may need to adapt local regulations[3] or introduce temporary measures[4] to maintain water quality.
The Commission has published guidance[5] and helps Member States through the EU Biodiversity Platform[6] and its sub-groups on the Nature Restoration Regulation[7] and on Green Infrastructure[8]. Moreover, nature-based solutions are being supported through the Water Sensitive City[9] thematic partnership under the European Urban Initiative[10], the Green Cities Accord[11] and the European Green Capital and Leaf Awards[12].
[1] Directive 2007/60/EC of the European Parliament and of the Council of 23 October 2007 on the assessment and management of flood, OJ L 288, 6.11.2007, p. 27-34.
[2] Directive (EU) 2020/2184 of the European Parliament and of the Council of 16 December 2020 on the quality of water intended for human consumption (recast), OJ L435, 23.12.2020, p.1-62.
Question for written answer E-001911/2025 to the Commission Rule 144 Thomas Bajada (S&D)
The recently announced New Pact for the Mediterranean, expected later this year, envisages building comprehensive partnerships focused on areas of mutual interest. New instruments would also require new financial backing.
In this regard, can the Commission clarify:
1.what the expected cost of the New Pact for the Mediterranean will be;
2.whether there will be new funding instruments to support its efficient and effective implementation;
3.whether there will be a prioritisation of funding, such as, but not limited to, enhancing areas of mutual interest that bring our southern neighbours closer to the EU at the diplomatic level?
Deliberations of the Committee on Petitions in 2023 Gheorghe Falcă (A10-0063/2025)
–
Amendments
Wednesday, 14 May 2025, 13:00
11
Amending Regulation (EU) 2023/956 as regards simplifying and strengthening the carbon border adjustment mechanism Antonio Decaro (A10-0085/2025)
–
Amendments; rejection
Monday, 19 May 2025, 13:00
8
Modification of customs duties applicable to imports of certain goods originating in or exported from the Russian Federation and the Republic of Belarus Inese Vaidere (A10-0087/2025)
–
Amendments; rejection
Monday, 19 May 2025, 13:00
27
Granting equivalence to Moldova and Ukraine for field inspections and seed production Veronika Vrecionová (A10-0043/2025)
–
Amendments; rejection
Wednesday, 14 May 2025, 13:00
28
Amendments to the Capital Requirements Regulation as regards securities financing transactions under the net stable funding ratio
Question for written answer E-001910/2025 to the Commission Rule 144 Thomas Bajada (S&D)
The recently announced New Pact for the Mediterranean, expected later this year, envisages working on building comprehensive partnerships focused on areas of mutual interest.
In this context, can the Commission outline how the new proposal for a new pact for the Mediterranean will offer added value over and above the mechanisms that are already in place?
Question for written answer E-001909/2025 to the Commission Rule 144 Thomas Bajada (S&D)
The recently announced New Pact for the Mediterranean is expected later this year. As specified in the mission letter for the Commissioner for the Mediterranean, Dubravka Šuica, the Pact should work on building comprehensive partnerships focused on areas of mutual interest within an integrated approach encompassing economic, humanitarian, development, peace and security policies.
In this context, can the Commission clarify:
1.how it intends to give a regional and comprehensive context to the upcoming pact; and
2.whether the planned partnerships will be built at a regional level, at least for particular sectors, rather than being narrowed down to bilateral agreements?
A delegation of eight Members of the Committee on Foreign Affairs (AFET), led by Chair David McAllister, will travel to Uruguay and Argentina from 26 to 29 May. Members will engage in high-level discussions regarding the EU-Mercosur Partnership Agreement which was concluded last December in Montevideo, Uruguay. The findings from this visit will contribute to the preparatory work for the consent procedure on the political and cooperation aspects of the Agreement, for which AFET is responsible.
More broadly, this mission will allow to exchange views on bilateral, regional and multilateral cooperation, as well as geopolitical issues such as Russia’s war of aggression against Ukraine, the situation in the Middle East, and China’s expanding influence in Latin America.
The Council has not discussed the possible inclusion of Mexican cartels on the list of persons, groups and entities covered by the measures in Article 2 and 3 of Common Position 2001/931/CFSP (‘CP 931’) .
The Council can, at any time, adopt a decision to add additional persons, groups, or entities to the above-mentioned list, or to remove persons, groups or entities from that list. The listing of a person, group or entity under CP 931 must satisfy the conditions laid down in Article 1(2) to 1(4) of that Common Position, which, inter alia, provides a definition of ‘terrorist act’ and ‘persons, groups and entities involved in terrorist acts’ for this purpose.
As regards the question on coordination with the United States on drug-related matters, EU-US cooperation on combatting transnational organised crime and drug trafficking is a central focus of the longstanding EU-US Dialogue on Justice and Home Affairs held at ministerial and senior official level twice a year. The EU and the United States also regularly hold an EU-US Dialogue on Drugs in order to exchange information, strengthen bilateral cooperation and enhance coordination of actions undertaken globally to address drug-related issues. The discussions in these meetings focus on reducing d rug supply by enhancing security, reducing drug demand through prevention, treatment and care services, and addressing drug-related harm, in line with the EU Drugs Strategy 2021-2025.
Pending its possible withdrawal by the Commission, the proposal referred to by the Honourable Member remains under discussion within the Council. Unanimity following the consent of the European Parliament would be required for the directive to be adopted by the Council. The Council is not in a position to foresee the outcome or the duration of the discussions.
The latest progress report is set out in 10817/24.
The LIBE Committee is pleased to announce two upcoming public hearings addressing critical threats to the European Union’s internal security, taking place on 4th of June.
The first hearing, “Organised Crime and its Impact on Internal Security“, will explore the growing complexity and cross-border nature of criminal networks, aiming to strengthen cooperation, legislative frameworks, and the protection of citizens’ rights. The second hearing will focus on online radicalisation, particularly the recruitment of children into organised crime and terrorism.
On 4 June, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) is organising a Public Hearing on “Organised Crime and its impact on Internal Security”. The hearing will aim to discuss the escalating complexity and transnational nature of criminal activities which are undermining the European Union’s security and the fundamental rights of its citizens.
This dedicated hearing will provide a crucial platform to assess emerging threats, enhance cross-border cooperation, and strengthen legislative frameworks. By bringing together policymakers, law enforcement agencies, prosecutors, academia and experts, the LIBE Committee can consider and assess coordinated strategies to safeguard the rule of law, protect citizens, and reaffirm the EU’s commitment to justice and internal security.
The hearing will be divided into two panels and will include Commissioner for Internal Affairs and Migration, Magnus Brunner, Europol Executive Director, Ms Catherine De Bolle and State Secretary to Minister for Justice of Sweden, Ms Charlotte Kugelberg. The Italian national anti-mafia prosecutor and a Professor of criminology, with expertise in the area of organised crime, are also invited to attend the Hearing.
Question for written answer E-001930/2025 to the Commission Rule 144 Krzysztof Brejza (PPE)
The recent electricity blackout in Spain and Portugal underscores the importance of reducing vulnerabilities and strengthening the resilience of critical energy infrastructure to ensure the uninterrupted provision of essential services. Energy systems are the backbone of the EU’s economy and society, and disruptions – especially in interconnected grids – can have significant cross-border impacts.
One of the priorities of the European internal security strategy (ProtectEU) is the protection of critical infrastructure, including energy interconnectors. The blackout raises important questions about current levels of preparedness and whether additional efforts are needed at EU level.
In the light of this:
1.How does the Commission assess the impact of the Iberian blackout on the implementation of ProtectEU’s critical infrastructure goals?
2.What measures are being considered to enhance the protection of energy infrastructure across the EU?
3.How will the Commission assess the implications of the Iberian blackout for the implementation of the Critical Entities Resilience Directive (Directive (EU) 2022/2557[1])?
Submitted: 14.5.2025
[1] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC, OJ L 333, 27.12.2022, p. 164, ELI: http://data.europa.eu/eli/dir/2022/2557/oj.
Question for written answer E-001879/2025 to the Commission Rule 144 Maria Zacharia (NI)
The recent seismic sequence in Santorini coincides with the sad 18-year anniversary of inactivity on the wreck of the ‘Sea Diamond’, which is hanging on a steep slope of the seabed at a depth of 120 metres and at risk of sliding and reaching a depth of 280 metres, with dramatic consequences for the island’s exceptionally beautiful natural environment.
The Commission has been aware of the situation since 2007(!) with colleagues’ oral and written questions nos E-2185/07,[1] E-2274/07,[2] H-0509/07,[3] E-5789/07,[4] E-1944/08,[5] H-0748/08,[6] E-5439/08,[7] E-6685/08,[8] E-4818/09,[9] H-0037/10,[10] E-002071/2011,[11] E-005420/2011,[12] E-003198/2012[13] and E-003650/2012.[14] It is also aware of the case law of the Court of Justice, according to which fuel on board a tanker becomes waste from the moment it leaks into the sea and, therefore, there is a breach of Directive 2006/12/EC on waste and in particular of Article 4 of the Directive, according to which Member States must take the necessary measures to prohibit the abandonment, dumping and uncontrolled disposal of waste.
The Commission, however, disputes the spillage of oil or other toxic waste into the sea, ignoring a study by the Department of Environmental Engineering of the Technical University of Crete from 2011, which has been communicated to it, as have the judicial expert opinions from 2019 and 2020.
Could the Commission justify its services’ decision not to take current scientific data into account?
Question for written answer E-001880/2025 to the Commission Rule 144 Per Clausen (The Left)
In its answer dated 15 March 2024 to a question (P-000460/2024(ASW))[1] the Commission stated the following: ‘In July 2021, the Commission launched infringement proceedings against 24 Member States for the non-conformity of their national measures with the Enforcement Directive on Posting of Workers.’. In response to the specific question that had been put, the Commission went on to state that it ‘will decide on the next steps in the coming months’.
It is now more than a year since that answer was given. Therefore:
1.Can the Commission now say what the state of play is with regard to letter of formal notice 2021/2057 of 26 January 2023 concerning Denmark’s transposition of Directive 2014/67/EU?
2.What assessment has the Commission made of ‘all replies and of all amending legislations notified to the Commission by Member States which have agreed in their replies to the letters of formal notice or reasoned opinions with all or some of the grievances raised by the Commission in these infringement proceedings’?
3.Can the Commission provide a full update on what the position now is as regards the 17 reasoned opinions referred to in the reply of 15 March 2024, including on which cases further action is being taken?
Question for written answer E-001893/2025 to the Commission Rule 144 Tiago Moreira de Sá (PfE), Hans Neuhoff (ESN), Filip Turek (PfE), Jorge Buxadé Villalba (PfE), Branko Grims (PPE), Dominik Tarczyński (ECR), Petr Bystron (ESN), Petar Volgin (ESN), Gheorghe Piperea (ECR), Stanislav Stoyanov (ESN), António Tânger Corrêa (PfE), Fernand Kartheiser (ECR), Petra Steger (PfE)
The Savings and Investments Union (SIU) is a new strategy by the Commission aimed at ‘directing savings towards productive investments’. Given the public information, which has never been denied, that the SIU could involve channelling citizens’ deposits, we would like to ask for the following clarifications:
1.Given that around EUR 10 trillion in low-yielding bank deposits could be transferred to higher-risk capital markets, how does the Commission intend to ensure that small savers and pensioners are not exposed to significant losses, and what concrete mechanisms will be implemented to prevent the marketing of high-risk investment products to these less informed citizens?
2.In view of the undisputed information about the possibility of the ‘confiscation’ of savings to finance the defence sector, what measures is the Commission taking to clarify the real objectives of the SIU? Can the Commission guarantee that citizens’ deposits will not be mobilised, even in emergency situations such as armed conflicts in the vicinity of the EU or new pandemics, and how will the Commission ensure that this strategy fully respects national and individual sovereignty?
Question for written answer E-001942/2025 to the Commission Rule 144 Kathleen Van Brempt (S&D), Wouter Beke (PPE), Johan Van Overtveldt (ECR)
Citribel, one of the last citric acid producers in the EU, finds itself in worrying circumstances because of Chinese exporters’ dumping practices. In spite of ongoing innovation and sustainability efforts, the plant risks having to shut down. That would not only have serious social consequences, but would also lead to greater strategic dependence on third countries for a product that is essential for, inter alia, the pharmaceutical sector.
Therefore:
1.Can the Commission say what the state of play is with regard to the ongoing market analysis and what specific follow-up action is planned?
2.What is the Commission’s assessment of the risk of strategic dependence on third countries for citric acid production within a broader industrial and health strategy context?
3.Given the urgency, does the Commission think it possible to speed up investigative action or provide for additional support measures to safeguard European production capacity?
Question for written answer E-001883/2025 to the Commission Rule 144 Giuseppe Antoci (The Left)
Recently, Salvatore Borsellino, the brother of the illustrious judge, Paolo Borsellino, who was killed by the Mafia, has spoken out against the restrictions that TikTok has placed on his account until 2035, preventing him from continuing to share content raising awareness of the fight against the Mafia and organised crime[1][2].
Such a curtailment of the freedom of expression is deeply troubling – all the more so considering that, in the meantime, many social media accounts are sharing content glorifying criminal acts and Mafia figures[3], not to mention inciting violence, without facing any censorship at all[4].
Since it is classified as a very large online platform, TikTok is subject to the most stringent rules under the Digital Services Act, including the requirement that it adapt its moderation processes in order to block online content inciting violence.
In light of the above:
1.What does the Commission make of this troubling state of affairs?
2.What further action could it take to ensure that platforms like TikTok monitor content properly and effectively, in accordance with the Digital Services Act, on the one hand protecting individuals’ freedom of expression while, on the other hand, promoting positive behavioural patterns and discouraging the posting of violent content?
Question for written answer E-001908/2025 to the Commission Rule 144 Anna Maria Cisint (PfE), Aldo Patriciello (PfE), Silvia Sardone (PfE), Isabella Tovaglieri (PfE), Roberto Vannacci (PfE)
In 2021, in response to China’s belt and road initiative, the Commission launched the global gateway strategy, with the aim of making up to EUR 300 billion available by 2027 to promote sustainable infrastructure in partner countries. To date, it remains unclear how much has actually been disbursed, what projects have started and whether changes have been made to the initial strategy.
In January 2024, within the framework of the EU-Central Asia Forum, a joint pledge of EUR 10 billion was made with a view to developing the Trans-Caspian International Transport Route (TITR), a strategic corridor connecting Europe with Central Asia and avoiding Russian territory.
In the light of the above:
1.How much of the EUR 300 billion goal has actually been disbursed to date?
2.Has the plan moved on from what was set out in the original strategy (in geographical, sectoral or partnership terms)?
3.Are further investments along the TITR corridor planned? If so, what funds will be used, what will the time frame be and who will be involved?
Question for written answer E-001902/2025 to the Commission Rule 144 Dolors Montserrat (PPE)
The reply to questions E-000571/2025, E-000570/2025, E-000572/2025 and E-000573/2025[1] on the use of the Recovery and Resilience Facility (RRF) by RTVE only makes reference to a digital training project and defers its assessment to a later date. Taking account of the results of the European Court of Auditors’ report on the RRF, which identifies structural weaknesses that need to be addressed if a performance-based funding model is to be consolidated:
1.How does the Commission intend to ensure that Recovery and Resilience Facility funds actually reach the final recipients, especially in countries such as Spain, where a lack of traceability, delays in implementation and poor assessment of the impact of the reforms financed have been identified?
2.How does it intend to prevent the opaque use of funds within RTVE, bearing in mind that this could open the door to bad practices, corruption or favouritism, thereby eroding public trust in the institutions?
VIENNA, Austria – May 21, 2025 – Today, Moody’s announced that it affirms the ratings of BAWAG P.S.K. and changed the outlook on the long-term deposit, senior unsecured, and long-term issuer ratings from stable to positive.
The positive outlook is a reflection of our to-be integrated recent acquisitions which show a steady business performance and could result in a sustainably improved financial profile.
David O’Leary, Chief Risk Officer of BAWAG Group, commented: “The change to a positive outlook is a testament to our strategy focused on sustainable growth, efficiency and maintaining a safe and secure balance sheet. While our strategy has been unchanged since 2012, with the recent acquisitions, our business profile with focus on DACH/NL region as well as Retail & SME had been enhanced. The improved outlook highlights the resilience and stability of our business, with increased profitability after our acquisitions.”
About BAWAG Group BAWAG Group AG is a publicly listed holding company headquartered in Vienna, Austria, serving our over 4 million retail, small business, corporate, real estate and public sector customers across Austria, Germany, Switzerland, Netherlands, Ireland, the United Kingdom, and the United States. The Group operates under various brands and across multiple channels offering comprehensive savings, payment, lending, leasing, investment, building society, factoring and insurance products and services. Our goal is to deliver simple, transparent, and affordable financial products and services that our customers need.
BAWAG Group’s Investor Relations website https://www.bawaggroup.com/ir contains further information, including financial and other information for investors.
Forward-looking statement This release contains “forward-looking statements” regarding the financial condition, results of operations, business plans and future performance of BAWAG Group. Words such as “anticipates,” “believes,” “estimates,” “expects,” “forecasts,” “intends,” “plans,” “projects,” “may,” “will,” “should,” “would,” “could” and other similar expressions are intended to identify these forward-looking statements. These forward-looking statements reflect management’s expectations as of the date hereof and are subject to risks and uncertainties that may cause actual results to differ materially from those projected. These risks and uncertainties include, but are not limited to, economic conditions, the regulatory environment, loan concentrations, vendors, employees, technology, competition, and interest rates. Readers are cautioned not to place undue reliance on the forward-looking statements as actual results may differ materially from the results predicted. Neither BAWAG Group nor any of its affiliates, advisors or representatives shall have any liability whatsoever (in negligence or otherwise) for any loss howsoever arising from any use of this report or its content or otherwise arising in connection with this document. This report does not constitute an offer or invitation to purchase or subscribe for any securities and neither it nor any part of it shall form the basis of or be relied upon in connection with any contract or commitment whatsoever. This statement is included for the express purpose of invoking “safe harbor provisions”.
Reporting to the meeting in her capacity as Chair of the Trade Negotiations Committee (TNC), the Director-General said that in recent meetings she had with leaders and ministers in Japan and the Republic of Korea, the issue of WTO reform “was front and centre” of the discussions.
“Prime Minister Ishiba (of Japan) and his ministers of trade, foreign affairs and finance, along with virtually every APEC minister that I met in Jeju, have bought into the idea that we must not waste a crisis, and that we need deep and thorough reform of the WTO if it is to remain relevant,” DG Okonjo-Iweala said.
“For a successful MC14, we must act here in Geneva to deliver a package of reform proposals for ministers to consider and bless at MC14,” she added. “Nothing short of this can reposition this organization in the way and form needed.”
The Director-General met with Prime Minister Ishiba and other senior Japanese government officials in Tokyo on 13 May and then attended a meeting of trade ministers from the Asia-Pacific Economic Cooperation (APEC) forum in Jeju, Republic of Korea, on 15-16 May.
At their 12th Ministerial Conference in 2022, WTO members for the first time agreed to undertake a comprehensive review of the WTO’s functions in order to ensure the organization is capable of responding more effectively to both the challenges facing the multilateral trading system and the opportunities provided by contemporary developments in global trade.
The Director-General said that while the ministers she met “made clear they value the system, they also admitted it cannot continue the way it is.”
“Members keep sweeping things under the carpet and not solving problems,” she said. “I think what has brought us here is the inability to solve problems when they occur, and this has led to unilateral actions, instead of a cooperative approach to solve these problems.”
“It has taken time for members to admit that things are not working as well as they should, and that they want solutions,” she continued.
The Director-General said she was pleased work is continuing on possible deliverables for MC14, including further work on fisheries subsidies, agriculture, the Investment Facilitation for Development initiative, electronic commerce, and issues pertaining to least developed countries (LDCs). Members will have a chance to assess progress on these issues at the next TNC meeting in July and decide later which packages are ready to take forward to MC14 for decision.
She welcomed the recent progress made on member acceptances of the Agreement on Fisheries Subsidies, noting that 99 members have now accepted the Agreement with only 12 more needed to bring it into force.
Twenty-six delegations took the floor after the Director-General’s intervention, some of them speaking on behalf of groups of members. Many members commented on a suggested road map for MC14 prepared by the WTO Secretariat and highlighted issues of interest, including WTO reform, new disciplines on fisheries subsidies, progress on agriculture, the e-commerce moratorium, and industrial policy, among others.
General Council Chair to initiate MC14 consultations
Under a separate agenda item, the General Council Chair, Ambassador Saqer Abdullah Almoqbel (Kingdom of Saudi Arabia), noted that discussions he had with delegations over the past weeks revealed various calls to proceed with work in three key areas, namely: WTO reform; dispute settlement reform; and the process towards preparing a possible MC14 outcome document.
With MC14 taking place in 10 months, “time is not on our side,” he told members. “Accordingly, immediately after this General Council meeting, I intend to consult interested delegations on how to take forward work in each of these areas.”
Investment facilitation for development
On the Investment Facilitation for Development (IFD) initiative, members were once again unable to reach consensus on the request supported by 126 members to incorporate the IFD Agreement under Annex 4 of the Marrakesh Agreement establishing the WTO. This marked the eighth time the proposal has been submitted to members for adoption.
Speaking on behalf of the 126 co-sponsors, the Republic of Korea underlined the urgent need for incorporating the Agreement into the WTO framework in order to help members attract investment, in particular developing and least developed country members. IFD Agreement participants are also actively engaging with non-participating members to build understanding and highlight the Agreement’s benefit, the Republic of Korea said.
Three members reiterated their objections to incorporating the IFD Agreement into the WTO multilateral framework.
Current trade tensions
On behalf of 47 members, Singapore and Switzerland introduced a statement in support of the rules-based multilateral trading system. The statement cites the value and achievements of the WTO since it was established in 1995, underlining how the organization has contributed to the economic development of both developed and developing members by promoting trade liberalization and facilitating economic integration, fostering stability, predictability and consumers’ trust while preserving incentives for innovation. The WTO’s support for developing economies, including LDCs, has lifted millions out of poverty, the co-sponsors said.
China introduced its communication regarding heightened trade turbulence and responses from the WTO. Faced with the current situation of heightened trade turbulence, China said, members should safeguard the rules-based multilateral trading system with the WTO at its core. China proposed a “Stability, Development and Reform” (SDR) approach for the WTO and said it stands ready to work with all parties to safeguard the WTO rules system and inject more certainty and predictability into the global economy.
The European Union introduced an item on fragmentation of global trade through tariffs and the global costs. The EU said the item was submitted in response to the economic and trade uncertainty created by recent tariff actions. The EU underlined its support for a rules-based multilateral trading system and highlighted the importance of ongoing dialogue on tariffs to assess impacts, monitor trade patterns, and consider systemic effects.
WTO retreat on sustainable agriculture
Brazil expressed its appreciation for the recent WTO retreat on sustainable agriculture and the broad engagement across regions and constituencies. It highlighted trends in agriculture production globally, including towards increased productivity and the search for greater resilience and sustainability. Brazil said it saw value in further discussing this topic in a forward-looking manner as a conversational WTO exercise.
Thirty-six delegations took the floor to comment.
Electronic commerce
Japan, on behalf of the co-sponsors of the Agreement on Electronic Commerce, informed members of the co-sponsors’ recent efforts to gather members’ support for incorporation of the Agreement into the WTO multilateral framework. Japan also reported that the co-sponsors are undertaking work to advance implementation of the Agreement, including a needs assessment survey to better understand priorities for implementation support.
Several members reiterated their concerns about the Agreement and their objections to its incorporation into the WTO multilateral framework.
Next meeting
The next meeting of the General Council is tentatively scheduled for 22-23 July.
116 leading UK and Irish creatives have urged Keir Starmer to act over Israel’s escalating atrocities in Gaza, criticising UK arms exports, settlement trade, and lack of ICC support – open letter
Riz Ahmed, Dame Harriet Walker, Maxine Peake, Nish Kumar, Paloma Faith and others condemn UK government inaction on Gaza
The Prime Minister must ‘stand up for justice and human rights’ and ‘words are no longer enough; we need to see action’ – Creatives
Artists gather outside Downing Street to hold placards urging the PM to act to stop the genocide and human rights abuses in Gaza
Over 100 leading voices from across the UK and Ireland’s film, television, and creative industries including Riz Ahmed, Dame Harriet Walker, Maxine Peake, Nish Kumar, Paloma Faith, Juliet Stevenson and many more have united to call on Prime Minister Keir Starmer to take urgent action in response to Israel’s escalating atrocities in Gaza and the wider Occupied Palestinian Territory (OPT).
In a public letter, the group condemn “all attacks on civilians” but emphasise that as well as Israel’s decades-long military occupation, expansion of illegal settlements, and system of apartheid, Israel is committing genocide against Palestinians in Gaza, as described by Amnesty International in its report “You feel Like You Are Subhuman”.
“We are deeply troubled by your lack of meaningful action to help deter Israel’s horrifying and calculated violations of Palestinian rights,” the letter states to the Prime Minister.
Since October 2023, more than 20,000 children have reportedly been killed in Gaza. The group point to the use of 2,000lb bombs dropped from F-35 fighter jets – supplied with UK-made components – as part of a devastating campaign that includes siege tactics blocking access to food, water, electricity, and medicine for over two million civilians.
“You know what is happening,” they write to the Prime Minister, and state “your Government is failing to fulfil its obligation to prevent the ongoing genocide in Gaza.”
The letter also highlights a stark double standard in UK policy: banning imports from Russian-occupied Crimea, while allowing trade with Israeli settlements in the illegally Occupied Palestinian Territory. The International Court of Justice has made clear that countries must not support illegal occupations – including through trade.
In addition to arms and trade, the group call on the UK government to fully support the International Criminal Court’s investigation into alleged war crimes and crimes against humanity in the region.
Their demands include:
An immediate suspension of all UK arms exports to Israel
A ban on trade with illegal Israeli settlements in the Occupied Palestinian Territory
Compliance with international legal rulings, including those of the ICJ and ICC
The group implores the Prime Minister “to stand up for justice and human rights” and that “words are no longer enough; we need to see action”.
Artists gather outside Downing Street to deliver the letter and hold placards urging the PM to act to stop Israel’s genocide and human rights abuses in Gaza.
The artists held placards bearing messages from residents of Gaza that capture the urgency and human toll of the crisis:
“I don’t want my child to die hungry”– Gaza Resident, Occupied Gaza
“You may send your child to bring water only for him to return in a body bag”– Gaza Resident, Occupied Gaza
These statements are a stark reminder of the daily reality for civilians under Israel’s illegal blockade.
About the Signatories
This statement by Amnesty International has been endorsed by a coalition of UK-based professionals across the creative industries – filmmakers, actors, writers, artists and cultural leaders – who believe in the power of art, law, and collective voice in the face of injustice.
Ahmed Masoud; Aisling Bea; Aiysha Hart; Alan Moore; Alexander McKinnon; Alexei Sayle; Alice Roberts; Alisdair Beckett; King Amrita Acharia; Andrea Arnold Anjli; Mohindra Anneika; Rose Annie Mac; Sir Anish Kapoor CBE; Anoushka Shankar; Dr Ariel Caine; Bernadette O’Brien; Bertie Carvel; President of the Bianca Jagger Human Rights Foundation; Brian Eno; Briony Hannah; Brona C Titley; Charlotte Church; Chipo Chung; David Morrissey; Deborah Frances-White; Declan McKenna; Denise Gough; Emma D’Arcy; Esther Freud; Esther Manito; Fionn O’Loinsigh; Francesca Martinez; Frankie Boyle; Frederico Gaggio; Grace Petrie; Dame Harriet Walter; Himesh Patel; Ian Rickson; Imran Yusuf; Indeyarna Donaldson-Holness; Inua Ellams MBE; Ivor Graeme; Jackie Clune; James Acaster; Jan Pearson; Janie Dee; Jason Fleming; Jay Griffiths; Jen Brister; Jessica Fostekew; Jim Loach; John Higgs; Josie Long; Jolyon Rubinstein; Juliet Stevenson CBE; Kathy Lette; Kerry Godliman; Khalid Abdalla; Ken Loach; Lise Meyer; Lolly Adefope; Louisa Young; Love Ssegga; Mae Martin; Mahtab Hussain; Manjinder Virk; Mariam Haque; Marnie Dickens; Max Porter; Maxine Peake; Dr Michael Hrebeniak; Misan Harriman; Mystery Jets; Nadia Sawalha; Nicola Thorp; Nikesh Patel; Nikesh Shukla; Nikita Gill; Nimmi Harasgama; Nish Kumar; Paapa Essiedu; Paloma Faith; Paul Laverty; Penny Woolcock; Peter Wyer; Rebecca O’Brien; Rida Hamidou; Riz Ahmed; Robin Ince; Robin Morrissey; Roger Hartley; Roisin O’Loughlin; Ruth Lass; Salena Godden; Sam Spruell; Sara Masry; Sarah Agha; Sasha Behar; Selma Dabbagh; Shazia Mirza; Simon Rix; Sonali Bhattacharyya; Stewart Lee; Steve Coogan; Susan Lynch; Suzi Ruffell; Thomas Browne; Thomas Combes; Thusitha Jayasundera; Tobias Menzies; Dame Tracey Emin; Tracey Seaward; Vijay Mistry; Vivian Munn; Young Fathers (all members); Zainab Hassan
Source: People’s Republic of China in Russian – People’s Republic of China in Russian –
Source: People’s Republic of China – State Council News
ULAN BATOR, May 21 (Xinhua) — A three-day event dedicated to Chinese tea culture, titled “Yaqi Culture Salon: Tea and the World,” kicked off at the China Cultural Center in Ulan Bator on Wednesday.
The event program includes stories about tea drinking culture in China, exhibitions, and lectures on making ceramics from Yixing clay “zisha”.
Speaking at the opening of the event, Li Zhi, Counselor of the Chinese Embassy in Mongolia and Director of the Chinese Cultural Center in Ulaanbaatar, noted that tea has long embodied the wisdom and philosophy of Eastern civilization. “From the ancient Great Silk Road to the Great Tea Road, tea crossed mountains and seas and became a link in the dialogue between different civilizations,” he said.
According to Li Zhi, the event participants will be able to get acquainted with the process of making ceramics from Yixing clay “zisha” and the exquisite culture of tea drinking. The diplomat expressed hope that the event’s rich program will demonstrate to the Mongolian public the deep meaning of Chinese tea culture and allow them to understand the Eastern concept of “harmonious coexistence.”
The event “Yaqi Cultural Salon: Tea and the World”, organized by the Ministry of Culture and Tourism of the People’s Republic of China and the Chinese Embassy in Mongolia, is timed to coincide with International Tea Day, which is celebrated annually on May 21. –0–