The UK government announced sanctions against three Russian military intelligence units, 18 of their members, and other individuals involved in malicious cyber operations and assassination attempts.
The sanctions target Russian General Staff Main Intelligence Directorate (GRU) Units 29155, 26165, and 74455, which have been linked to numerous cyberattacks against Ukraine, NATO allies, European Union member states, and US targets.
Unit 29155, also known as Cadet Blizzard, Bleeding Bear, Ember Bear, DEV-0586, Frozenvista, and UNC2589, has been carrying out destructive attacks, such as WhisperGate, which involved a wiper malware used against Ukraine in February 2022, in coordination with Russia’s assault on the country.
The APT, the UK says, was also involved in a 2014 explosion at an ammunition warehouse in Vrbétice, Czechia, in the 2018 attempted assassination of Yulia and Sergei Skripal in Salisbury, UK, and in the hacking of the Estonian government in 2020.
In September 2024, the US and its allies issued a joint advisory on the aggressive cyber campaigns carried out by Unit 29155, noting it has been engaging in offensive cyber operations since at least 2020.
Unit 26165, also known as APT28, Fancy Bear, Forest Blizzard, Pawn Storm, Sednit, and Sofacy Group, is known for numerous high-profile cyberattacks conducted in support of Russia’s foreign policy and military objectives, the UK says.
The APT has been blamed for targeting TV5 Monde, the German government, the US Democratic Party, the French Presidential elections, the 2024 Paris Olympic and Paralympic Games, and various Ukrainian targets.
According to the UK, Unit 26165 also hacked IP cameras in numerous European countries to track and interfere with foreign assistance to Ukraine, and attempted to disrupt the investigations into the Skripals’ attempted murder.
This year, the APT conducted reconnaissance on Ukrainian civilian bomb shelters prior to the Russian bombing of the Mariupol Theatre, which resulted in large-scale civilian deaths and casualties, the UK says.
The UK has called out Sergey Morgachev, Aleksey Lukashev, Ivan Yermakov, Sergey Vasyuk, and Artem Malyshev for their involvement in the development of Unit 26165’s X-Agent malware, and Aleksey Morenets, Yevgeniy Serebriakov, Oleg Sotnikov, and Aleksey Minin for conducting close access operations against organizations associated with controlling the use of chemical weapons.
Unit 74455, also tracked as APT44, Blue Echidna, Electrum, Iridium, Seashell Blizzard, Sandworm, TeleBots, and Voodoo Bear, is one of Russia’s most well-known APTs, linked to numerous espionage, disruption, and disinformation campaigns, including the BlackEnergy and Industroyer attacks.
The threat actor has targeted critical infrastructure, ICS systems, Ukrainian military and governmental entities, Ukrainian mobile network operator Kyivstar, and various other entities, the UK says. It also conducted numerous cyber operations in collaboration with APT28.
The UK also sanctioned Victor Lukovenko, Artyom Kureyev, and Anna Zamareyeva for their roles in African Initiative, a Russian news agency that employs intelligence officers, receives government funding, and engages in influence operations.
“African Initiative develops and distributes content which undermines Ukraine’s Armed Forces and has organized a press tour to Mariupol, illegally occupied by Russia, for a delegation of bloggers and journalists,” the UK says.
Additionally, the UK called out and sanctioned Dmitriy Mikhaylov, Sergey Morgachev, Viktor Netyksho, and Yuriy Shikolenko, believed to be part of the GRU leadership.
Along with the sanctions, the UK also attributed a new malware family to APT28. Dubbed Authentic Antics, the malware was “specifically designed to enable persistent endpoint access to Microsoft cloud accounts by blending in with legitimate activity”.
The threat periodically displays a login window to harvest user credentials and steals victims’ data via email, the UK’s National Cyber Security Centre (NCSC) said.

