Friday, May 23, 2025

 

Russian military hackers 'Fancy Bear' target Western aid supply chains to Ukraine, NSA report says


By Oman Al Yahyai

The hacking effort, attributed to the group Fancy Bear, used tactics such as spearphishing and exploiting weak security in small office networks.

Hackers linked to Russian military intelligence have targeted Western logistics and technology firms involved in transporting aid to Ukraine, the US National Security Agency (NSA) said.

The cyber operation, attributed to the notorious unit 26165 of the Russian military intelligence agency GRU, better known as Fancy Bear, sought to gather information on the types and timing of assistance entering Ukraine.

According to the NSA's report published late Wednesday, the campaign aimed to breach companies in the defence, transport and logistics sectors across multiple Western countries, including the US. It also targeted ports, airports and railway infrastructure.

As part of the operation, hackers attempted to access footage from more than 10,000 internet-connected cameras — both private and public — situated near strategic transit points such as border crossings, ports and rail hubs. 

While the majority of these cameras were located in Ukraine, others were based in neighbouring countries including Poland, Romania and elsewhere in eastern and central Europe.

The cyber attacks reportedly began in 2022, when Russia launched its full-scale invasion of Ukraine. Authorities have not disclosed how successful the hackers were or how long they remained undetected.

The NSA, along with the FBI and cybersecurity agencies from allied nations, warned that Russia is likely to continue its surveillance efforts and advised companies involved in support delivery to remain vigilant.

“To defend against and mitigate these threats, at-risk entities should anticipate targeting,” the NSA said in the advisory.

The hackers employed spearphishing tactics — sending deceptive, official-looking messages designed to extract sensitive information or install malware — as well as exploiting vulnerabilities in remote access devices typically used in small or home office networks, which often lack enterprise-level protection.

Grant Geyer, chief strategy officer at cybersecurity firm Claroty, said the hackers’ methods were not especially sophisticated but were methodically executed. 

“They have done detailed targeting across the entire supply chain to understand what equipment is moving, when and how — whether it’s by aircraft, ship or rail,” he noted.

Geyer warned that the intelligence gathered could help Russia refine its military strategy or potentially plan future cyber or physical disruptions to Ukraine's aid routes.

In a related move last autumn, US intelligence agencies issued guidance urging US defence contractors and logistics firms to bolster their cybersecurity, following a series of suspected Russian-linked sabotage incidents in Europe.

Evidence gathered by Western countries over the years has shown that Fancy Bear has been behind a slew of attacks on Ukraine, Georgia and NATO, as well as political enemies of the Kremlin, international journalists and others.


Brazil dismantles Russian 'spy factory' in major counterintelligence operation, NYT reports

By bne IntelliNews May 23, 2025

Brazilian federal agents have exposed a sophisticated Russian intelligence operation that used the South American country as an "assembly line for deep-cover operatives," according to a report by The New York Times.

The operation unmasked at least nine officers who lived for years under false identities before deploying to targets across the West.

The three-year counterintelligence investigation, dubbed Operation East, represents what independent Russian news outlet Agentstvo described as "one of the biggest failures of the Russian intelligence services," comparable to the exposure of 11 spies in the US 15 years ago.

Russian operatives shed their true identities to become Brazilian citizens, starting businesses, forming relationships and building authentic cover stories over many years.

Rather than spying on Brazil itself, the goal was to acquire credible Brazilian identities before deploying to the US, Europe or the Middle East for actual intelligence work.

CIA tip sparks investigation

The unravelling began in April 2022, weeks after Russia's full-scale invasion of Ukraine, when the CIA alerted Brazil's Federal Police to Victor Muller Ferreira – real name Sergey Cherkasov – who had secured an internship with the International Criminal Court in The Hague as it prepared to investigate Russian war crimes.

Cherkasov, whose story was first exposed by investigative outlet Bellingcat in June 2022, was admitted to Johns Hopkins University's graduate school in Washington in 2018 after a stint at Dublin's Trinity College. He had spent nearly a decade building his false identity. During one of his trips, Dutch authorities denied him entry and returned him to São Paulo, where Brazilian agents arrested him on document fraud charges.

His Brazilian passport and identification documents initially appeared authentic, but investigation of his birth certificate revealed fatal flaws.

The document stated he was born in Rio de Janeiro in 1989 to a Brazilian mother who died in 1993, but agents discovered the woman never had a child and couldn't locate anyone matching the father's name.

"Everything started with Sergey," a senior Brazilian official told The New York Times.

Russian authorities later unsuccessfully attempted to "rescue" Cherkasov by issuing an international arrest warrant, claiming that he "was part of a crime group that smuggled drugs from Afghanistan via Tajikistan and sold them to gangs in Russia between 2011 and 2013," according to Bellingcat.

Sophisticated identity creation

The discovery prompted agents to search for "ghosts" – people with legitimate birth certificates who appeared suddenly as adults without prior records in Brazil. The painstaking analysis of millions of identity documents revealed the scope of the Russian operation.

Brazil proved an ideal location for the scheme. The Brazilian passport ranks among the world's most useful, allowing visa-free travel to nearly as many countries as US documents.

The country's multicultural population makes European-featured individuals with slight accents unremarkable.

Yet Brazil's decentralised birth certificate system contains a crucial vulnerability – authorities will issue certificates to anyone declaring a baby was born to at least one Brazilian parent in rural areas, requiring only two witnesses.

One exposed operative, Artem Shmyrev, lived as Gerhard Daniel Campos Wittich, running a successful 3D printing business in Rio de Janeiro. He spoke perfect Portuguese with an accent he attributed to childhood in Austria, fooling his Brazilian girlfriend and colleagues completely.

"He was a work addict," said Felipe Martinez, a former client who befriended the spy, as quoted by The New York Times. "He thought big, you know?"

However, Shmyrev privately expressed frustration with undercover life in text messages to his Russian intelligence officer wife.

"No real achievements in work. I am not where I have to be for two years already," he wrote.

Global network exposed

The investigation identified spies across multiple countries. A married couple lived in Portugal as Manuel Francisco Steinbruck Pereira and Adriana Carolina Costa Silva Pereira, whilst others operated in Uruguay under Brazilian identities.

One posed as a model, another ran a jewellery business featured on Brazilian television.

Intelligence experts believe Russian authorities recalled many operatives as global focus intensified on Russian espionage following the Ukraine invasion.

Only Cherkasov remains imprisoned, serving a five-year sentence for document forgery.

Brazilian authorities used Interpol blue notices to expose the spies' identities globally, effectively ending their intelligence careers. The alerts circulated names, photographs and fingerprints to 196 member countries under the pretext of investigating fraudulent documents.

‘You're going to hear things about me’

Shmyrev escaped Brazil days before agents moved to arrest him in December 2022, leaving behind electronic devices containing crucial evidence and $12,000 cash – suggesting he planned to return. His last known contact was a phone call to his Brazilian girlfriend.

"You're going to hear things about me, but you need to know that I never did anything that bad. Like I never killed anyone or something like that. My past caught up with me," he reportedly said.

Independent Russian outlet Agentstvo reported on May 22 that some exposed operatives have returned to Russia under their real names, with spy Olga Tyutereva now working as a teacher in the Magadan region.

The operation dealt a devastating blow to Moscow's "illegals" programme, eliminating highly trained officers who will be difficult to replace. With their covers blown, the operatives will most likely never work abroad again, according to intelligence experts.

Brazil's investigation spanned at least eight countries with intelligence cooperation from the US, Israel, Netherlands, Uruguay and other Western security services, demonstrating the global response to Russian espionage following the Ukraine invasion.

We know what Russia is doing and how it does it, EU intelligence centre chief tells Euronews




By Nuno Tiago Pinto
Published on 23/05/2025


In an interview with SOL newspaper and Euronews, the head of European intelligence explains that the Russian invasion of Ukraine has changed the way we think about and use intelligence services and argues that the EU can do more in this area — and that the 27 member states are ready to do so.

Earlier this year, after nine years at the head of Croatian intelligence, Daniel Markić was appointed director of the European Union Intelligence and Situation Centre (EU INTCEN), the closest thing the 27-member bloc has to a European intelligence service.

Reporting to the EU foreign policy chief Kaja Kallas, INTCEN monitors what happens inside and outside the EU and provides analyses and alerts to institutions, decision-makers, and member states regarding security, defence, and counterterrorism.

While in Lisbon to take part in a conference celebrating the 30th anniversary of the Strategic Intelligence and Defence Service (SIED), Markić gave an exclusive interview to Nascer do SOL and Euronews in which he identifies the main threats to the security of the EU, discusses cooperation between intelligence services and explains what he sees as the future of the sector.

Euronews: What is INTCEN's role in the EU?

Daniel Markić: For the last 20 years, INTCEN has been a kind of intelligence fusion centre for the European Union. It used to be part of the (European) Council, but with the different reforms of the institutions, it is now part of the European External Action Service (EEAS).

The people who work at INTCEN come mostly from the security and intelligence services of the member states, and we work very closely with military intelligence (EUMS Intelligence Directorate) under an informal umbrella called SIAC, Single Intelligence and Analysis Capacity — and it works very well.

But now we think that what is being done in terms of intelligence may not be enough.

Euronews: Why is that?

Markić: We need to do more. The EU realised a few years ago that it is not just a global political and economic actor, but that it is potentially a security actor. In 2020, the first threat analysis was carried out, namely by SIAC.

It was revised in 2022 and we did a third version a few months ago. This proves that the EU was trying to think about threats in order to find solutions to deal with them.

Euronews: Are you talking about civilian or military threats? Because when we think about military threats we also think about NATO.

Markić: Globally, about all the threats. And then there's the famous strategic document, the (2022) Strategic Compass, which once again describes the EU's capacity. That's where we find a small part of the document that refers to SIAC as the only entry point for strategic intelligence in the EU.

We have to remember that, in terms of intelligence, for member states there is an important article in the Treaty on European Union, 4.2, which says that national security is a competence of states. Knowing all this, we have to find ways to give more. The EU needs more. And the member states are willing to give more.

Euronews: Are they?

Markić: Yes, they are.

Euronews: Has intelligence sharing always been a sensitive issue?

Markić: It is sensitive. But it exists and it works very well. I say this not only as director of INTCEN, but I've worked for the last nine years as director of a national intelligence and security service. And it works.

But when there's a feeling that the services don't do enough very often, it's because they don't communicate enough. We need to make intelligence more visible.

But to add to what I said earlier, everything is being done, and obviously it has become more than a necessity when we look at the threats, the most obvious of which is February 2022 and Russia's brutal attack on Ukraine.

Euronews: Do you believe that the attack has changed the way intelligence gathering and sharing is seen in the EU's decision-making process?

Markić: Absolutely. And one of the best examples is not necessarily in the EU. US intelligence and the UK intelligence community have started communicating information publicly, which is an important change. This is something that member states and the EU have a lot to learn from.

Euronews: This was also an attempt at pre-emptive action. As if to say to the other side "we know you're doing this, so don't do it".

Markić: Exactly.

Euronews: And it didn't work.

Markić: It didn't work but... I agree with you. And there are many different opinions in the intelligence community. It's no secret. Many EU services were convinced that (the full-scale invasion) wouldn't happen.

When it did, many people were surprised. But if we try to reflect on the messages sent by our Baltic friends, they told us. We just had to listen to them.

(Russian President Vladimir) Putin was very clear in all his speeches. And the same goes for other parts of Europe, for example, in the Western Balkans.

People like Putin are so proud of their intelligence. He's so proud of his own past in the secret services.

In the EU, intelligence is a bit of a dirty word. When you talk about intelligence, you whisper it. You shouldn't whisper.

When you meet the head of intelligence, you don't have to meet him at night. You have a normal meeting.

The secret services will never be the main tool of any political decision-maker, but they are one of the important specific tools he has. And I think EU decision-makers have to have it too. So we have to find ways to get the intelligence to them.

It's important to note that, even in the European institutions, brilliant people are working on security issues. But intelligence is a very specific area. Specific techniques are used, specific means of obtaining intelligence.

Euronews: Which INTCEN can't do.

Markić: Yes. But we have a very strong community of 27 member states. One of the specificities of security and intelligence in the EU - and maybe that's why it's a bit difficult at times - is that there are big differences.

When you look at any institution in the member states, the ministries, they are similar or the same in every country.

The Ministry of Agriculture in Portugal is similar to the one in Germany. Or the Defence Ministry. The security and intelligence community is different. They all have different legal frameworks.

Euronews: And different capacities and possibilities. There are things that the French can do that the Portuguese can't.

Markić: Exactly. But we have the ability to harness the best of each service for the common good. That's the role of INTCEN and SIAC.

When I was head of my national agency, I worked directly for the president and the prime minister, which is not easy, as you can imagine. But for me, if we have intelligence, it's to act, to use it or to react.

Having intelligence just for the database is useless. It's the same in the EU. We need to give the intelligence to the decision-maker, specifically to EU High Representative for Foreign Policy Kaja Kallas, but also to (Commission) President von der Leyen and (Council) President António Costa.

All these actors need to have the right data, at the right time, during the decision-making process. The EU is a strong actor.

Euronews: How do you act when there is a conflict of intelligence sent by different countries?

Markić: In terms of intelligence, it's not something that happens often. We may have different positions, a different political decision.

But in terms of raw information, it doesn't happen very often. What's more, the EU has a specificity. Intelligence in the EU is not as structured as it is in NATO, especially since NATO's reform of its intelligence services 10 years ago.

But we have an advantage. We don't necessarily need intelligence to be agreed upon by all states. We need to be able to use the information provided by a service, a community or a group of services and utilise it. And that's what we're doing.

Euronews: Can you assess whether there were differences in the way intelligence was viewed before and after the Russian invasion of Ukraine?

Markić: There was definitely a change. And, once again, going back to the fact that the intelligence is there for all to see and the need to utilise it.

This aggression, which is not just a war, but a long-term civilizational shock, has changed the way we think about intelligence and use intelligence.

Euronews: The Niinistö report on strengthening Europe's civilian and defence preparedness and readiness advocated the need to strengthen intelligence sharing.

Markić: In the report you'll find a section on SIAC. The report was a major effort to find a new solution that analysed the new threats. One of the problems was that the services were not visible enough. And that's the problem.

And that's why, in my communication with all the services, as I did yesterday in your external service, I talked about the need to communicate more.

My service, when I took over nine years ago, was very good, but very closed, without communication, so the image wasn't very good. We changed that through different initiatives. We made a public report, we sometimes communicated with the media. I think that's what the community should do in Europe.

So once again, the substance will always be for the decision-maker. But the fact that we co-operate, that we have intelligence - it's not just the other side, whatever they do, we can do even better - we have to communicate about it.

Euronews: Do you imagine that INTCEN will be a kind of European Intelligence Service?

Markić: It's hard for me to say. Once again, I'd go back to the famous Article 4.2 of the EU Treaty. I don't think it will happen because doing intelligence, especially abroad, requires a lot of elements in addition to know-how.

In the EU environment, it would be difficult. The EU institutions are very transparent, as they should be, but we still need to raise awareness of security issues. Organising missions like that from somewhere in the EU seems difficult to me.

Euronews: We've heard a lot about strengthening European defence, but we haven't heard about intelligence.

Markić: There was an initiative to strengthen intelligence, which was started three years ago by the member states, and we are working on it.

We created a joint document on strengthening the SIAC, a joint document by the High Representative and the states. So there is an initiative.

It's less visible because defence requires a lot of money. In terms of intelligence, we need more money, but you can't compare.

Euronews: What do you see as the main threats to European security?

Markić: First of all, I'll return to the subject of Russian aggression: it's a clash of civilisations, because we have the aggression itself, we have Russian hybrid activities, even in EU member states, which can sometimes be kinetic activities.

Euronews: Sabotage?

Markić: Among others.

Euronews: What kind?

Markić: We've reported on activities in Lithuania, the packages that exploded in the UK, some assassination attempts and other activities. Perhaps we tend to forget about cyber-attacks in the first place.

The Russians specialise in cyber-attacks, along with their criminal groups. And espionage. In Brussels we try to remind everyone of the importance of security and that espionage exists.

Euronews: State or industrial?

Markić: All kinds, depending on the actor. We have Russia, but also other actors. And when we look at what happened a few days ago in India and Pakistan, what has been happening in Africa, we can see that there are more and more threats.

I haven't mentioned the Middle East, but it's obviously important. And I can't help thinking about the operation that the Russians are carrying out in Ukraine and the reaction of the world, the EU, the US: it's evident that many actors have been watching everything for the last three years and may be tempted to do something.

Euronews: They might think that if the Russians can do it, so can they?

Markić: Definitely. And there are so many conflicts, so many tensions, that the fact that (you don't know) who the main actor is who can stop them is also an element.

Euronews: Do you also have a role in combating disinformation and propaganda?

Markić: Yes, we're not the only ones, there are other organisations in the EU that are working on this.

We had a recent case in Portugal during the blackout. In less than an hour there was fake news being spread in WhatsApp groups and on social media attributing the power failure to a Russian cyber-attack.

There is a tendency to make too many attributions and make Putin out to be a real superman. We have a clear vision, again working together with the 27 communities, of what Russia is doing and how it is doing it.

So it's good to be clear and not try to find Russia behind every stone. Putin would love that. He would have to utilise very few resources and use only social media to show his strength.

Euronews: I noticed that you didn't mention terrorism as a threat.

Markić: Because of this acute crisis, we don't talk about terrorism, but the fight against terrorism is one of the main tasks of the security services. It always remains a priority, but some crises are now more visible.

Euronews: But do you believe that groups like the so-called Islamic State group or Al Qaeda still have some influence on the hearts and minds of some people in our community?

Markić: Definitely. And in that sense, when these issues are less in the media, perhaps there are fewer young people tempted to follow in the footsteps of these movements. But it does exist and I can tell you that the intelligence services in the EU are active on this topic.


Euronews: How do you see the possibility of the return to Europe of foreign terrorist fighters and their families who are still in camps and prisons in Syria and Iraq?

Markić: It's a very important issue. It remains to be seen what the US will do in Syria, what will happen to the prisons.

Euronews: Because there are still thousands of people in Syria.

Markić: Exactly. What Turkey is going to do. There are many doubts, but we're all working on it.

Euronews: Should there be a common position among the member states?

Markić: I think we all have a very similar position.

Euronews: Some countries have already repatriated people. Others, like Portugal, haven't.

Markić: Yes, but the difference in numbers between countries can be enormous. Some countries are much more concerned. Not just because of the number of combatants, but also because of the women and children.

Euronews: If they remain in the camps, could these children be the next generation of terrorists?

Markić: Definitely. I'd just say that because I wouldn't want to give a political point of view. But in terms of security, what could happen to them is a big question. Not only if they stay, but even if they return to Europe.

