A sophisticated cyber campaign attributed to a Russian military intelligence unit has targeted Western logistics and technology companies involved in delivering aid to Ukraine, the U.S. National Security Agency (NSA) revealed this week.
The hacking effort, linked to GRU unit 26165 — more widely known as “Fancy Bear” — reportedly aimed to collect sensitive information on the types and timing of military and humanitarian assistance bound for Ukraine. The NSA, in a report released late Wednesday, said the operation also focused on ports, railways, and airports critical to the transit of support materials.
According to the agency, the campaign began shortly after Russia’s full-scale invasion of Ukraine in 2022 and has continued into recent months. It involved spearphishing attacks, in which hackers sent deceptive emails to trick recipients into disclosing confidential information or downloading malicious software. The group also exploited vulnerabilities in remote access tools often used in small or home office networks, which typically lack the protections found in larger corporate systems.
The NSA said the campaign stretched across multiple Western nations, including the United States, and targeted companies in the defense, transport, and logistics sectors. A significant aspect of the operation included attempts to access footage from more than 10,000 internet-connected cameras — many located in Ukraine and others positioned near strategic points in Poland, Romania, and other neighboring countries.
“These efforts are part of a broader Russian intelligence operation designed to track and potentially disrupt the movement of aid to Ukraine,” said the NSA in its advisory, issued jointly with the FBI and cybersecurity agencies from allied countries. “At-risk entities should anticipate targeting and take immediate action to secure systems.”
Grant Geyer, chief strategy officer at cybersecurity firm Claroty, described the hackers’ tactics as methodical rather than innovative. “They are systematically mapping the supply chain — understanding what’s moving, when, and by what means — whether by air, sea, or rail,” he said. He warned that the intelligence gathered could be used to plan future cyber or even physical attacks on infrastructure supporting Ukraine.
While the NSA did not specify the level of success achieved by the attackers, officials emphasized the need for heightened cyber vigilance. The latest alert follows previous warnings issued last autumn urging U.S. defense and logistics firms to reinforce digital defenses amid growing concerns over Russian cyber activity.
Fancy Bear, long identified as one of the Kremlin’s primary cyber-espionage tools, has previously been implicated in cyberattacks on Ukraine, NATO members, and international journalists. The current campaign underscores the group’s persistent efforts to undermine Ukraine’s support networks and gather battlefield intelligence.
