Russian GRU hackers accused of massive espionage campaign across NATO and allied nations

A notorious Russian cyber-espionage group has been formally blamed for a cyber intrusion campaign targeting critical infrastructure, defense sectors, and logistics networks across more than a dozen countries, according to a joint cybersecurity advisory co-authored by 21 intelligence and cybersecurity agencies from 11 countries.

The advisory attributed the widespread attacks to Russia’s military intelligence unit known as the 85th Main Special Service Center (GTsSS), Military Unit 26165, part of the GRU. The group, long tracked under codenames such as Fancy Bear, APT28, and BlueDelta, is accused of attempting break-ins at dozens of strategic targets, particularly in NATO member states, Ukraine, and international organizations.

The cyber offensive reportedly struck dozens of entities, spanning both government and private sectors, particularly within:

  • Defense Industry

  • Maritime and Aviation Transport

  • Railway Systems

  • Air Traffic Management

  • IT Services and Infrastructure

Organizations in countries such as France, Germany, Italy, Poland, Romania, Ukraine, and the United States, among others, were affected. The hackers leveraged their access to municipal traffic and private surveillance cameras, including those near military sites, rail stations, and border crossings, to monitor and track material movements into Ukraine.

While no successful breaches of industrial control systems were confirmed, the advisory noted that the group had conducted reconnaissance on entities involved in the production of railway management systems.

The techniques used in the campaign included:

  • Credential guessing and brute-force attacks

  • Spear-phishing for credentials and malware delivery

  • Exploitation of Microsoft Outlook (CVE-2023-23397)

  • Exploitation of Roundcube webmail flaws (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)

  • Abuse of corporate VPNs and Internet-facing systems via known vulnerabilities

  • SQL injection attacks

  • Exploitation of WinRAR (CVE-2023-38831)

Hackers also hijacked small office/home office (SOHO) routers and devices located near targeted sites to obfuscate their activity and proxy malicious traffic, increasing the campaign's stealth and persistence.
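The credential-guessing and brute-force activity listed above, combined with the use of hijacked SOHO routers as proxies, is the combination defenders most often miss: a per-source-IP threshold alone sees one or two failures from each proxied address and never fires. The following Python is an added illustration, not code from the advisory or from any of its co-authoring agencies. It runs a sliding-window failed-login detector over a constructed, hypothetical log format (`<ISO timestamp> <result> user=<account> src=<ip>`) and flags both a single source hammering one account and a single account being tried from many sources (password spraying), which is the pattern distributed proxying produces.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not from the advisory).
# Case 1: one source, six failures against j.doe within ten seconds.
# Case 2: account "admin" tried once each from six different addresses within 25 seconds,
#         which is what proxying through many hijacked routers looks like at the target.
# Case 3: ordinary noise that should not fire.
SAMPLE_LOG = """\
2025-06-01T10:00:01 FAIL user=j.doe src=203.0.113.10
2025-06-01T10:00:03 FAIL user=j.doe src=203.0.113.10
2025-06-01T10:00:05 FAIL user=j.doe src=203.0.113.10
2025-06-01T10:00:07 FAIL user=j.doe src=203.0.113.10
2025-06-01T10:00:09 FAIL user=j.doe src=203.0.113.10
2025-06-01T10:00:11 FAIL user=j.doe src=203.0.113.10
2025-06-01T10:00:20 FAIL user=admin src=198.51.100.1
2025-06-01T10:00:25 FAIL user=admin src=198.51.100.2
2025-06-01T10:00:30 FAIL user=admin src=198.51.100.3
2025-06-01T10:00:35 FAIL user=admin src=198.51.100.4
2025-06-01T10:00:40 FAIL user=admin src=198.51.100.5
2025-06-01T10:00:45 FAIL user=admin src=198.51.100.6
2025-06-01T10:05:00 OK user=a.smith src=192.0.2.7
2025-06-01T11:00:00 FAIL user=a.smith src=192.0.2.7
"""


def parse_line(line):
    """Split one log line into (timestamp, result, account, source_ip)."""
    ts_text, result, user_kv, src_kv = line.split()
    return (
        datetime.fromisoformat(ts_text),
        result,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def detect_bruteforce(log_text, window=timedelta(minutes=1), threshold=5):
    """Return the source IPs and accounts with >= threshold failures inside any window.

    Two independent sliding windows are kept: one keyed by source IP (classic
    single-host brute force) and one keyed by account (spraying from many hosts).
    Only the per-account view catches the distributed case.
    """
    per_source = defaultdict(deque)
    per_account = defaultdict(deque)
    flagged_sources, flagged_accounts = set(), set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, account, source = parse_line(line)
        if result != "FAIL":
            continue  # only failed attempts count toward the threshold
        for key, table, flagged in (
            (source, per_source, flagged_sources),
            (account, per_account, flagged_accounts),
        ):
            recent = table[key]
            recent.append(ts)
            # Drop timestamps that have fallen out of the window (log is time-ordered).
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                flagged.add(key)

    return {"sources": flagged_sources, "accounts": flagged_accounts}


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG)
    print("sources over threshold :", sorted(hits["sources"]))
    print("accounts over threshold:", sorted(hits["accounts"]))
```

On the sample data the per-source view flags only `203.0.113.10`, while the per-account view flags both `j.doe` and `admin`; the `admin` spray never exceeds one failure per address, so a source-only rule stays silent on it. Tune `window` and `threshold` to the service's real failure rate before deploying, and pair the account-level alert with lockout or MFA enforcement rather than IP blocking, since the proxied addresses are churned.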
