Market Impact: 0.3

Russia accused of trying to disrupt aid to Ukraine by hacking border crossings

A Russian military intelligence unit, GRU Unit 26165 (APT 28/Fancy Bear), is accused by UK intelligence and its allies of hacking into border security cameras and employing phishing tactics since 2022 to spy on and disrupt Western aid flowing into Ukraine. The unit reportedly accessed approximately 10,000 cameras, primarily in Ukraine and surrounding NATO countries, to track the movement of materials, and attempted to gather sensitive shipment information. The UK's National Cyber Security Centre (NCSC) has issued an advisory, urging private companies involved in aid delivery to enhance their cybersecurity measures in response to this ongoing threat.

Analysis

A coordinated advisory from UK intelligence services and allied nations, including the US, France, and Germany, has accused Russia's GRU Unit 26165, also known as APT 28 or Fancy Bear, of conducting an extensive cyber-espionage campaign targeting the flow of Western aid to Ukraine since 2022.

The unit allegedly employed multifaceted tactics, including hacking approximately 10,000 security cameras (80% in Ukraine, 10% in Romania, and smaller percentages in Poland, Hungary, and Slovakia), primarily at border crossings, railway stations, and near military installations, to monitor material movements. The camera access provided 'snapshot' images and utilized legitimate municipal services like traffic cams. Beyond camera access, the GRU unit is accused of sending spearphishing emails with diverse subjects, including pornography and fake professional information, often in the target's native language and from compromised or free webmail accounts, and of attempting voice phishing by impersonating IT staff to obtain privileged account access.

The objective was reportedly to gather sensitive information on shipments, such as train schedules and shipping manifests, and to disrupt aid delivery. The UK's National Cyber Security Centre (NCSC) has urged private companies involved in aid logistics to take immediate protective measures, including increased monitoring, multi-factor authentication, and prompt security updates. The advisory highlights a serious ongoing risk from this historically active Russian military intelligence unit, which was previously implicated in the World Anti-Doping Agency leak and the 2016 Democratic National Committee cyber-attack.