The UK government has accused a Russian military intelligence unit of orchestrating a widespread cyber espionage campaign targeting organisations involved in supporting Ukraine, including logistics and defence firms.
Following a joint investigation with international allies — including the United States, Germany, France, and security agencies from 10 NATO nations and Australia — the UK’s National Cyber Security Centre (NCSC) revealed on Tuesday that the hacking operation has been ongoing since 2022. The campaign is attributed to GRU Unit 26165, also known by the alias “Fancy Bear,” a well-known Russian cyber group linked to high-profile attacks in the past, including the 2016 breach of the US Democratic National Committee.
According to the NCSC, the campaign targeted both public and private sector organisations providing aid, IT services, and defence logistics to Ukraine. Among the most concerning breaches was the infiltration of approximately 10,000 internet-connected cameras, including border surveillance systems monitoring aid shipments into Ukraine.
“These actors even exploited legitimate municipal services, like traffic cameras, to track aid movements,” said the joint advisory. The cameras were often positioned near military installations and rail stations, enabling hackers to monitor the transport of supplies — potentially aiding Russian military planning and targeting.
Paul Chichester, Director of Operations at the NCSC, called the campaign a “serious risk” to the international community’s support for Ukraine. “We strongly encourage all organisations to review the threat intelligence and mitigation steps in the advisory to safeguard their networks,” he said.
The advisory also detailed various tactics employed by the hackers, including password-guessing attacks, spearphishing emails, and the exploitation of vulnerabilities in Microsoft Outlook. In some cases, attackers sent fake calendar invites designed to steal login credentials.
Spearphishing emails reportedly covered a broad range of subjects, from professional topics to adult content, all aimed at deceiving recipients into revealing sensitive information or installing malware.
Rafe Pilling, Director of Threat Intelligence at cybersecurity firm Sophos, said the hacking group’s techniques have been used “for over a decade” and are consistent with its historical playbook. “Gaining access to surveillance cameras allows for real-time intelligence gathering on the movement of materials and could potentially inform physical attacks,” he added.
The report underscores growing concerns about cyber warfare and its intersection with geopolitical conflicts, particularly as Western nations continue to support Ukraine in its war against Russia.
