A notorious Russian military unit has carried out cyber-attacks on Ukrainian allies around the world designed to disrupt aid efforts, according to a joint defence briefing by Western intelligence agencies.
They said attacks both before and after the full-scale invasion in February 2022 were carried out by the same group believed to be behind the poisonings of a former Russian double agent and his daughter in Salisbury in 2018.
Unit 29155, which has been linked to high-profile espionage and sabotage campaigns in recent years, expanded into cyber operations in 2020, agencies in the UK, US and several other countries said in a joint statement.
The intervention comes as European governments seek to counter what they say is increased Russian espionage in the wake of the Ukraine war.
A spike in cyber-attacks on Ukraine ahead of the February 2022 invasion had previously been widely reported.
But an expert told the BBC the joint warning issued this this week suggested a broader range of activity than previously disclosed took place against several European countries.
“The focus at the time was all to do with what they were trying to do to Ukraine,” said Keir Giles, an expert on Russian cyber activities at the UK-based Chatham House think tank.
“What these latest announcements made clear is that the targets were much broader than that, and they’re talking about a range of different government and civilian agencies, civil society agencies across Western Europe and across the EU and Nato.”
Intelligence agencies in the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada and Australia all signed the declaration.
Western intelligence agencies said the attacks were carried out by a division within Unit 29155. The cyber team has used names including Cadet Blizzard and Ember Bear, they said.
It said the hackers were “responsible for the WhisperGate campaign”, a coordinated attack on Ukrainian government agencies in January 2022, and has since been focussed on attempts to “scout and disrupt” aid deliveries to Kyiv.
Critical infrastructure, government agencies and private companies involved in finance, transport, energy and health have all been targeted across a number of EU and Nato member states, as well as in Asia and Latin America, it claimed.
Mr Giles said the activities referred to in the note appear to relate to 2022, but added: “People need to be aware that this stuff is ongoing and that Russia is attacking us.”
He continued: “What’s particularly pronounced at the moment about Russia’s cyber activities is the way they look like preparation for an overt attack on Nato, particularly with the reconnaissance and preparation for sabotage of logistics links, rail networks and so on across Europe.”