Joint Cybersecurity Advisory on Malicious Cyber Activities of the Russian GRU Unit 26165

21.05.2025

Cover page of the joint security advisory on cyber activities of the Russian GRU unit 26165

Together with international partners, the Federal Intelligence Service (BND), the Federal Office for Information Security (BSI) and the Federal Office for the Protection of the Constitution (BfV) released a Joint Cybersecurity Advisory (JCSA) to highlight a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination and implementation of foreign assistance to Ukraine.

For over two years, the Russian General Staff Main Intelligence Directorate (GRU) military unit 26165 – affiliated with the threat actor APT28, also known as Fancy Bear, Sofacy, Forest Blizzard and a variety of other names – has conducted this campaign using a mix of known tactics, techniques and procedures (TTPs), including reconstituted password spraying capabilities, spear phishing and modification of Microsoft Exchange mailbox permissions.

As Russia failed to meet its military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted IP cameras at Ukrainian border crossings in an effort to monitor and track aid shipments, thereby possibly trying to enable acts of sabotage and kinetic military attacks.

Recent incidents in several European countries in summer 2024 with fires caused by incendiary devices hidden inside parcels – attributed by European security agencies to Russia’s GRU – demonstrate how real and immediate the threat of Russian acts of sabotage is for Western logistics and security.

The published JCSA provides TTPs associated with unit 26165 cyber actors as well as further analysis of the malware used, to enable defensive measures against potential attacks and to mitigate possible damage.

BfV and international partners remain committed to protecting freedom and democracy from foreign interference, cyberattacks and malicious actors. The BfV has set up a hotline where individuals can confidentially report threats from foreign intelligence services or any espionage activities they have witnessed. Appeals in English and Russian as well as other languages are available on the BfV website.