The United Kingdom (U.K.) and several Western nations have formally accused a Russian military intelligence unit of carrying out a sustained cyber-espionage campaign aimed at disrupting the delivery of foreign aid to Ukraine.
In a new advisory, the U.K.’s National Cyber Security Centre, alongside cybersecurity agencies from 10 countries, including the United States, Germany, France, Canada, Australia, Poland, the Czech Republic, Denmark, Estonia, and the Netherlands, identified Russia’s GRU Unit 26165, also known as Fancy Bear, as responsible for malicious cyber activity that has, since 2022, targeted public and private organizations involved in the delivery of foreign aid to Ukraine.
According to the advisory, the campaign has specifically targeted defense contractors, logistics companies, IT service providers, and organizations in countries including Bulgaria, France, Germany, Greece, Italy, Moldova, Poland, Romania, Slovakia, the United States, and Ukraine.
The 11 countries that signed the advisory accused GRU Unit 26165 of sending phishing emails containing explicit content and fake professional information, as well as using stolen account credentials to gain access to systems.
They also accuse the unit of conducting surveillance, with authorities estimating that approximately 10,000 internet-connected cameras were accessed by the hackers. Of these, 80% were located in Ukraine, 10% in Romania, 4% in Poland, 2.8% in Hungary, and 1.7% in Slovakia.
Paul Chichester, Director of Operations at the U.K.’s cyber agency, described the campaign as a serious threat to entities involved in supporting Ukraine. He encouraged all organizations in affected sectors to review their cybersecurity protocols and follow the mitigation advice outlined in the advisory.
John Hultquist, chief analyst at Google’s Threat Intelligence Group, said the attacks could be intended not just for surveillance but potentially to set up further disruption. He noted that identifying and tracking Western aid flows may serve a strategic interest in either sabotaging those efforts or preparing for physical attacks.
In addition to the latest allegations, GRU Unit 26165 has been linked to the 2016 breach of the Democratic National Committee in the United States and the 2015 hack of the German Bundestag.
The unit has also been accused of targeting President Emmanuel Macron’s 2017 election campaign in France and infiltrating the emails of Germany’s Social Democratic Party in recent years.