Russian GRU hackers accused of massive espionage campaign across NATO and allied nations

Russian GRU hackers accused of massive espionage campaign across NATO and allied nations

A notorious Russian cyber-espionage group has been formally blamed for a cyber intrusion campaign targeting critical infrastructure, defense sectors, and logistics networks across more than a dozen countries, according to a joint cybersecurity advisory, co-authored by 21 intelligence and cybersecurity agencies from 11 countries.

The advisory attributed the widespread attacks to Russia’s military intelligence unit known as the 85th Main Special Service Center (GTsSS), Military Unit 26165, part of the GRU. The group, long tracked under codenames such as Fancy Bear, APT28, and BlueDelta, is accused of attempting break-ins at dozens of strategic targets, particularly in NATO member states, Ukraine, and international organizations.

The cyber offensive reportedly struck dozens of entities, spanning both government and private sectors, particularly within:

  • Defense Industry

  • Maritime and Aviation Transport

  • Railway Systems

  • Air Traffic Management

  • IT Services and Infrastructure

Organizations in countries such as France, Germany, Italy, Poland, Romania, Ukraine, and the United States, among others, were affected. The hackers leveraged their access to municipal traffic and private surveillance cameras, including those near military sites, rail stations, and border crossings, to monitor and track material movements into Ukraine.

While no successful breaches of industrial control systems were confirmed, the advisory noted that the group had conducted reconnaissance on entities involved in the production of railway management systems.

The techniques used in the campaign included:

  • Credential guessing and brute-force attacks

  • Spear-phishing for credentials and malware delivery

  • Exploitation of Microsoft Outlook (CVE-2023-23397)

  • Exploitation of Roundcube webmail flaws (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026)

  • Abuse of corporate VPNs and Internet-facing systems via known vulnerabilities

  • SQL injection attacks

  • Exploitation of WinRAR (CVE-2023-38831)

Hackers also hijacked small office/home office (SOHO) routers and devices located near targeted sites to obfuscate their activity and proxy malicious traffic, increasing the campaign's stealth and persistence.


Back to the list

Latest Posts

Hacker plants data-wiping code in Amazon’s AI coding extension

Hacker plants data-wiping code in Amazon’s AI coding extension

Amazon says that the malicious code was distributed with the extension but was unsuccessful in executing due to a syntax error.
28 July 2025
Cyberattack forces Russian airline Aeroflot to cancel dozens of flights

Cyberattack forces Russian airline Aeroflot to cancel dozens of flights

The Silent Crow hacking group claimed to have spent a year infiltrating Aeroflot’s networks, allegedly destroying 7,000 servers.
28 July 2025
Scattered Spider targets VMware ESXi in attacks on US critical sectors

Scattered Spider targets VMware ESXi in attacks on US critical sectors

Scattered Spider employs social engineering tactics to gain initial access.
28 July 2025
Popular Posts
Featured vulnerabilities
Authenticated file inclusion in ServiceDesk Plus MSP and SupportCenter Plus
Medium Patched | 28 Jul, 2025
Multiple vulnerabilities in SolarWinds Platform
Medium Patched | 28 Jul, 2025
Interpretation Conflict in IBM Tivoli System Automation Application Manager
Medium Patched | 28 Jul, 2025
Cross-site scripting in Cookies Addons module for Drupal
Low Patched | 28 Jul, 2025
IBM watsonx.data update for pip
Medium Patched | 28 Jul, 2025