Russian hackers targeted NATO forces and diplomats to aid Ukraine war effort

Hackers linked with Russian military and spy agencies have been on a spree in recent months to gather up intelligence that could help the Kremlin’s war effort in Ukraine by trying to infiltrate NATO, US and European government networks, cybersecurity experts who have responded to the hacks told CNN.

One Russian hacking group targeted the Turkish unit of NATO’s Rapid Deployable Corps, forces the alliance keeps on standby for war-fighting, according to US cybersecurity firm Palo Alto Networks, which shared its findings exclusively with CNN.

Another Russian group has targeted nearly two-dozen embassies in Kyiv over the last nine months, including the US embassy, Palo Alto Networks and other security firms have said.

It was unclear if the hackers successfully breached the NATO forces; the alliance did not respond to multiple requests for comment. But the unit would likely have “near-continual communications” with NATO headquarters, making it a coveted target for Russian spies, said Michael Sikorski, the chief technology officer of Unit 42, Palo Alto Networks’ threat intelligence division.

The hacking group – which US officials say operates on behalf of Russia’s GRU military intelligence agency – has targeted governments and critical infrastructure for secrets in at least 10 NATO countries in the last several months, according to Palo Alto Networks.

The long running espionage campaigns show how, after European and American governments have expelled numerous Russian agents from their soil, the importance for the Kremlin of gathering intelligence remotely via hacking has grown, analysts said. And within Ukraine, after being repelled from taking Kyiv in February 2022, Russian forces are collecting intelligence remotely on diplomats in the capital through their hacking teams.

“If you want to understand the conversation that governments are having with Kyiv, you’d be best to collect it from the place where it’s going to be cabled out,” Dan Black, a former NATO cyber official who now works for security firm Mandiant, told CNN. A hacking unit tied to Russia’s foreign intelligence service “went into hyperdrive” in targeting foreign diplomats to try to gather intelligence ahead of Ukraine’s counteroffensive against Russian troops in June, Black said.

The hacking campaigns in some cases began many months ago, but the threat is ongoing amid Russian and Ukrainian fighting that is largely deadlocked, analysts told CNN. The Russian computer operatives are using some of the same techniques and software exploits to target Microsoft email servers and other tech infrastructure, suggesting they are at least somewhat effective.

The Russian cyber-espionage offensives to support the Ukraine war come as the US Justice Department on Thursday announced charges against one Russian intelligence officer and one Russian IT worker for separate hacking campaigns to spy on US government officials and interfere in a national election in the United Kingdom.

The US embassy in Kyiv has been a hub for US support for Ukraine’s cyber defenses against Russian hacking. Hackers linked with Russia’s SVR foreign intelligence service tried to break into an email account at the US embassy in Kyiv last spring, according to Palo Alto Networks.

The State Department’s Diplomatic Security Service “was aware of the activity and based on the Directorate of Cyber and Technology Security’s analysis found it did not affect Department systems or accounts,” a State Department spokesperson told CNN in an email.

Reuters first reported on that particular hacking campaign against Kyiv-based diplomats.

The same Russian SVR-linked hacking group has also tried to infiltrate “prominent humanitarian organizations based in Ukraine,” according to Tony Adams, a senior security researcher at security firm Secureworks, who has responded to the hacking.

“Access to any of these entities would likely provide immediate intelligence gain, but then … could be used to conduct follow-on activities,” Adams told CNN.

The Russian embassy in Washington, DC, did not respond to requests for comment.

As a key conduit for delivering weapons and aid to Ukraine, Poland has also been a repeated target of Russian cyber-espionage throughout the war, cybersecurity experts and Polish officials told CNN.

Hackers using the same techniques as against the NATO Rapid Deployable Corps have also targeted “numerous” government agencies and private firms in Poland and elsewhere, “including those cooperating with the Polish Armed Forces,” Lt. Col. Przemysław Lipczyński, a spokesperson for the Polish Cyber Command, told CNN.

Polish officials have taken steps “to eliminate the threat,” but “we assess that this technique is still actively used by the adversary,” Lipczyński said.

Shift in Russia’s cyber tactics

The Russian hacking efforts against US and European diplomats have coincided with a shift in cyber operations within Ukraine itself amid the Ukrainian military’s stalled counteroffensive, Ukrainian and US officials told CNN.

Russia has recalibrated its cyber operations in Ukraine from a barrage of destructive hacks against infrastructure in the early days of the Kremlin’s invasion to relying in recent months on more pinpoint cyber-espionage as Russian spy agencies try to locate and kill soldiers on the battlefield, Ukrainian officials and private experts told CNN.

Russia has not abandoned destructive cyberattacks in Ukraine, which continue, experts told CNN. But the focus of Russian cyber operations has shifted. “That intelligence is important,” a US defense official focused on cybersecurity told CNN. “So, it’s unsurprising that Russia would continue to focus on understanding better Ukrainian maneuvers and communications.”

The shift in Russian tactics corresponded with a major counteroffensive the Ukrainian military began in June to try to regain territory in the east of Ukraine but continues today amid an effective stalemate between Ukrainian and Russian forces. It shows the important role that subtler cyber operations – quiet intelligence gathering rather than bringing networks down – can play in warfare, analysts told CNN.

Officials and private cyber experts described to CNN multiple attempts in the last four months by Russian hackers to infiltrate Ukrainian battlefield communications. That included attempts to hack the tablets that Ukrainian commanders use for planning combat missions and targeting a software platform that Ukrainians use to track Russian forces.

Ukraine’s SBU intelligence service blocked the Russian attempt to break into battlefield tablets, Illia Vitiuk, the head of the SBU’s cybersecurity division, asserted. If the defensive measures hadn’t worked, he told CNN, the Russians would have “full access” to critical communications that the Ukrainians use in battle.

US and Ukrainian cyber forces have also been active in the war.

“Sometimes, when necessary, we go beyond collecting intelligence and destroy enemy infrastructure with our cyber weapons,” Vitiuk told CNN. He declined to elaborate on those claimed destructive hacks.

Cyber Command, the US military’s hacking unit, has conducted offensive cyber operations in support of Ukraine as it defends itself from Russian attacks, the head of the command confirmed last year.

Yegor Aushev, a private cybersecurity executive in Ukraine, told CNN he has trained Ukrainian officials on offensive cyber capabilities for several months.

“If you want to be protected you should know how to attack,” Aushev said. He declined to give details on how the Ukrainian government was using that training on the battlefield.

Many of the flurry of Russian cyberattacks have been repelled by the Ukrainians, whose defenses have improved considerably in recent years, according to US officials and outside experts.

The US military’s support for Ukraine in cyberspace continues as the fighting in Ukraine enters another winter.

“We’ve had a number of in-person conversations with the Ukrainians,” the US defense official said. “Cyber Command is still persistently assisting the Ukrainians with their cyber defense.”

For more CNN news and newsletters create an account at