Russia’s cyber spies breach European and US defence networks to track Ukraine aid
The UK’s National Cyber Security Centre (NCSC), working alongside key allies including the United States, Germany, and France, has exposed a prolonged and malicious Russian cyber espionage campaign aimed at a wide range of organisations involved in supporting Ukraine.
Since 2022, Russia’s military intelligence unit known as GRU Unit 26165—commonly referred to by its informal name, Fancy Bear—has been targeting both public and private sectors, focusing particularly on groups supplying defence materials, IT services, and logistical support. The operation has spanned 12 mainland European countries, the US, and Australia.
According to a joint investigation by the security services of ten NATO nations and Australia, cited by British media, the Russian operatives employed a variety of hacking techniques to infiltrate networks. These methods included password guessing, spearphishing—where attackers send highly targeted fake emails designed to trick individuals into divulging login details or downloading malware—and exploitation of a vulnerability in Microsoft Outlook that allowed hackers to capture credentials through specially crafted calendar invitations.
The spearphishing emails used in the campaign varied widely in theme, ranging from professional subjects to adult content, demonstrating the attackers’ tactical adaptability to entice victims.
A striking aspect of the campaign involved accessing nearly 10,000 internet-connected cameras located near Ukrainian borders, military bases, rail stations, and other critical points. These cameras, some belonging to municipal services like traffic control, provided Russian intelligence with real-time visual tracking of aid shipments entering Ukraine. This information is believed to assist in mapping the flow, timing, and volume of supplies, thereby enhancing Russia’s ability to target these resources with kinetic military strikes.
Fancy Bear, infamous for previous cyberattacks such as the 2016 breach of the US Democratic National Committee and the leaking of World Anti-Doping Agency data, has demonstrated a persistent and evolving threat profile over more than a decade.
Paul Chichester, Director of Operations at the NCSC, described the campaign as a significant risk to organisations involved in Ukraine support efforts. He urged all relevant groups to familiarise themselves with the detailed threat advisory issued and to adopt recommended security measures to safeguard their networks.
John Hultquist, Chief Analyst at Google’s Threat Intelligence Group, stressed that anyone engaged in transporting goods to Ukraine should consider themselves a prime target for Russian military intelligence. He warned that beyond intelligence gathering, there is a clear intent to disrupt support operations, whether through cyberattacks or physical actions. Hultquist suggested these intrusions could signal preparation for more serious future attacks.
The joint advisory also highlighted Fancy Bear’s interest in critical infrastructure sectors such as ports, airports, air traffic management, and the defence industry. The hackers’ ability to penetrate such networks poses risks not only of espionage but also of potential disruption of essential services.
Cybersecurity expert Rafe Pilling from Sophos noted that camera access provides Russia with crucial insights into logistical movements, which can aid in the precise targeting of weapons. Similarly, Dragos, a security firm monitoring related hacking activities, emphasised that these cyber intrusions aim to infiltrate industrial control systems—vital components that govern critical infrastructure operations. Robert M. Lee, Dragos' CEO, warned that beyond intellectual property theft and espionage, these intrusions position the attackers to launch potentially disruptive or destructive cyberattacks.
By Tamilla Hasanova