Organizations from 13 countries are targeted, including those in the US, Germany and France.
The campaign, which began in 2022, is being carried out by the military department within the Russian General Staff Main Intelligence Directorate (GRU), known to the cybersecurity community by various names such as APT28, Fancy Bear, Forest Blizzard, and Blue Delta.
Government and commercial entities are being targeted in the campaign. The affected sectors include the defense industry, IT services, air traffic management, maritime agencies, and transport hubs such as airports and ports.
The entities targeted by Unit 26165 were in 13 countries: Ukraine, the USA, Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania and Slovakia.
Unit 26165 was able to access systems at multiple organizations. According to the advisory, after entering a target system the threat actors sought access to accounts holding sensitive information about shipments, such as manifests and train schedules.
The accounts contained details regarding the transport of aid freight to Ukraine, including sender, recipient, cargo contents, travel routes, destinations and container registration numbers.
Unit 26165 also likely accessed targeted private cameras at major locations, such as military facilities, border crossings and the Railway Bureau. The advisory added that threat actors hacked the Municipal Services Portal to access traffic cameras.
Over 80% of the targeted cameras were in Ukraine, with the remaining cameras in Romania, Poland, Hungary, Slovakia and elsewhere.
“Executives and network defenders of logistics entities and technology companies should be aware of the rising threat of Unit 26165 targeting,” the advisory said, calling for more surveillance and prepared network defenses.
The joint advisory was issued by 21 organisations from several countries, including the US, France, the UK and Germany.
“We strongly encourage organizations to become accustomed to the threat and mitigation advice contained in their advisories to protect their networks.”
“For several years, GRU has been implementing a cyber-aggressive tactic called APT28 against France. It has targeted around ten French entities since 2021,” French Foreign Minister Jean-Noel Barrot wrote on social media platform X on April 30.
Russian Cyber Threat
Russia has demonstrated “real world destructive capabilities” on the cyber front over the past decade, according to the annual threat assessment report issued by the Director of National Intelligence in March 2025.
This includes experience in executing attacks, gained by mercilessly targeting Ukrainian networks with malware.
Russia has “repeated success in compromising on sensitive targets of intelligence collections,” the report states.
The country’s sophisticated cyber capabilities and past attempts to pre-position access to critical US infrastructure “will pose a threat of persistent anti-intelligence and cyberattacks.”
“Moscow’s unique strength is its work experience in integrating cyberattacks and operations with wartime military operations, which almost certainly amplifies the possibility that it focused on US targets at the time of the conflict.”
Over the past year, Washington has taken several actions as part of its crackdown on Russian cyber threats.
The domain was used by hackers working for Callisto Group, the operational division of the Russian Federation Security Agency, which is the successor to the KGB.