Date: 2025-05-21

As Russia continues its relentless assaults on Ukraine in defiance of continuing efforts to work towards a peace deal, multiple western security agencies have issued a new advisory warning of a Moscow-backed campaign of cyber intrusions targeting logistics and technology organisations in the west.

The campaign, run through Unit 26165 of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), better known as Fancy Bear, includes credential guessing, spear-phishing attacks, exploitation of Microsoft Exchange and Roundcube vulnerabilities, and exploitation of flaws in public-facing infrastructure, including VPNs.

The campaign likely dates back to the early days of the war in February 2022 – at which point Fancy Bear was more heavily involved in cyber operations for purposes of espionage. However, as Russia failed to achieve its military objectives as quickly as it had wanted, the group expanded its targeting to include entities involved in the delivery of support and aid to Ukraine’s defence. Over the past three years its victims have included organisations in the air traffic control, airport, defence, IT services, and maritime and port systems sectors across various Nato countries.

The advanced persistent threat (APT) actor is also understood to be targeting internet-connected cameras at Ukraine’s border crossings and around its military bases. These intrusions mostly took place in Ukraine but have also been observed in neighbouring states including Hungary, Poland, Romania and Slovakia.

The GCHQ-run National Cyber Security Centre (NCSC) urged UK organisations to familiarise themselves with Unit 26165’s tactics and take action to safeguard themselves.

“This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine,” said Paul Chichester, NCSC Director of Operations.

“The UK and partners are committed to raising awareness of the tactics being deployed. We strongly encourage organisations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks.”

The NCSC’s latest warning comes a couple of weeks after the cyber body’s CEO, Richard Horne, talked of a “direct connection” between Russian cyber attacks and physical threats to the UK at its annual conference.

Horne told an audience at the CyberUK event that Russia was focusing on acts of sabotage, often involving criminal proxies. He said these threats, which are thought to have included arson attacks, are now manifesting on the streets of the UK, “putting lives, critical services and national security” at risk.

The NCSC said Britain’s support for Ukraine remained “steadfast”. Having already committed £13bn in military aid, the UK this week announced 100 new sanctions on Russia targeting entities and organisations involved in its energy, financial and military systems.

This comes in the wake of the largest drone attack on Ukraine staged so far during the three-year war, which Russian dictator Vladimir Putin launched mere hours before a scheduled call with US president Donald Trump.

The full advisory – which can be read here – sets out Fancy Bear’s tactics, techniques and procedures (TTPs) in its latest campaign in accordance with the Mitre ATT&CK framework, and also details a number of the common vulnerabilities and exposures (CVEs) being used to attain initial access.

Besides the UK and US, the advisory is cosigned by cyber and national security agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands and Poland.