Russian Military Intelligence Unit 26165, operating under the code name Fancy Bear, has launched a sophisticated two-year cyber espionage campaign targeting Western nations providing military assistance to Ukraine. The unit, also referred to as Advanced Persistent Threat 28 or Forest Blizzard, functions as part of Russia’s GRU military intelligence agency and has conducted extensive operations since Russia’s full-scale invasion began in February 2022.
Eleven Western countries, including the United States, United Kingdom, Germany, Australia, and Canada, jointly released a statement addressing the Russian cyber campaign in May 2025. The coordinated response involved multiple U.S. agencies, including the NSA, FBI, and U.S. Cyber Command, highlighting the campaign’s considerable threat level.
The hackers particularly target organizations in NATO member states and allied countries, focusing on defense industry companies, transportation firms, and information technology providers supporting Ukraine assistance efforts.
Russian operatives have targeted over 10,000 internet-connected cameras positioned near strategic transit points, ports, airports, and railway systems throughout Eastern and Central Europe.
Unit 26165 employs sophisticated tactics, techniques, and procedures, using targeted phishing emails and credential theft to gain unauthorized access to critical systems. The hackers have also exploited vulnerabilities in remote access devices commonly found in small office and home office networks that lack enterprise-level security protections, and they infiltrate networks through credential guessing attacks that systematically try login credentials until one works. The campaign expanded notably as Russian military objectives faltered and Western aid to Ukraine increased, with hackers conducting surveillance operations designed to gather intelligence on aid shipment types, quantities, and timing.
The primary strategic objective involves slowing or disrupting foreign assistance flows to Ukraine through thorough intelligence gathering on transportation routes and logistics networks. Russian operatives monitor border crossings, rail hubs, and other critical infrastructure points to hamper Western support vital to Ukraine’s territorial defense efforts.
The NSA warns that Russia will likely continue surveillance and cyber espionage efforts as the conflict persists. The joint cybersecurity advisory underlines the ongoing nature of the threat, noting that the campaign has operated continuously for more than two years.
Defense industry companies, logistics firms, and technology providers remain primary targets as Russia seeks to undermine Western military assistance through digital warfare tactics that complement its broader military objectives in the Ukraine conflict.