The campaign, which began in 2022, is being carried out by a military unit within the Russian General Staff Main Intelligence Directorate (GRU) called Unit 26165, which is known in the cybersecurity community under various names such as APT28, Fancy Bear, Forest Blizzard, and BlueDelta.
Government organizations and commercial entities have been targeted in the campaign. Affected sectors include the defense industry, IT services, air traffic management, maritime entities, and transportation hubs such as airports and shipping ports.
The entities targeted by Unit 26165 were located in 13 nations: Ukraine, the United States, Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, and Slovakia.
Unit 26165 has been able to gain access to systems of multiple organizations. After gaining entry into a target’s systems, the threat actor sought access to accounts holding sensitive information regarding shipments such as manifests and train schedules, according to the advisory.
The accounts contained details on aid shipments to Ukraine, including sender, recipient, cargo contents, travel route, destination, and container registration numbers.
Unit 26165 also likely gained access to private cameras of targets at key locations, including military installations, border crossings, and rail stations, the advisory stated, adding that the threat actor hacked municipal service portals to access traffic cams.
Over 80 percent of targeted cameras were located in Ukraine, with the remaining cameras in Romania, Poland, Hungary, Slovakia, and other places.
“Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting,” the advisory said, asking them to increase monitoring and prepare their network defenses, assuming that they would be targeted.
The joint advisory was issued by 21 global agencies from multiple nations, including the United States, France, the United Kingdom, and Germany.
“We strongly encourage organizations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks.”
The GRU “has been deploying a cyber-offensive modus operandi called APT28 against France for several years. It has targeted around 10 French entities since 2021,” Jean-Noel Barrot, the French foreign minister, wrote on the social media platform X on April 30.
Russian Cyber Threat
According to the March 2025 Annual Threat Assessment report issued by the Office of the Director of National Intelligence, Russia has demonstrated “real-world disruptive capabilities” on the cyber front over the last decade. This includes gaining experience in attack execution through relentless targeting of Ukraine’s networks with malware.
Russia has had “repeated success compromising sensitive targets for intelligence collection,” the report said.
The country’s advanced cyber capabilities and past attempts at pre-positioning itself to access critical U.S. infrastructure “make it a persistent counterintelligence and cyber attack threat.”
“Moscow’s unique strength is the practical experience it has gained integrating cyber attacks and operations with wartime military action, almost certainly amplifying its potential to focus combined impact on U.S. targets in time of conflict.”
Over the past year, Washington has taken several actions as part of its crackdown against Russian cyber threats.
The domains were used by hackers working for the Callisto Group, an operational unit of the Russian Federal Security Service, the successor of the KGB.