The UK has uncovered a malicious cyber campaign by Russia’s military intelligence service targeting organizations involved in delivering foreign assistance to Ukraine. A joint investigation with allies, including the US, Germany, and France, revealed that a Russian military unit, GRU Unit 26165, also known as Fancy Bear, has been targeting public and private organizations since 2022. These organizations include those supplying defense, IT services, and logistics support.
The cyber campaign involved Russian spies using hacking techniques to gain access to networks, including internet-connected cameras at Ukrainian borders monitoring aid shipments. Approximately 10,000 cameras near military installations and rail stations were accessed to track the movement of materials into Ukraine. The hackers also utilized legitimate municipal services, such as traffic cameras.
“This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organizations, including those involved in the delivery of assistance to Ukraine,” said Paul Chichester, NCSC Director of Operations. “We strongly encourage organizations to familiarize themselves with the threat and mitigation advice included in the advisory to help defend their networks.”
The Fancy Bear hacking team has previously been involved in high-profile cyber attacks, including leaking World Anti-Doping Agency data and playing a key role in the 2016 cyber-attack on the US’s Democratic National Committee. Google’s Threat Analysis Group has reported that Russian government-backed phishing campaigns targeted users in Ukraine, accounting for over 60% of Russian targeting in 2023.
The UK’s National Cyber Security Centre has urged organizations to take necessary precautions to defend their networks against this malicious campaign.