Russian military hackers codenamed 'Fancy Bear' behind sustained cyber attacks targeting UK firms

21 May 2025, 15:19 | Updated: 21 May 2025, 16:01

A Russian military cyber unit codenamed Fancy Bear has carried out a string of cyber attacks on UK defence, transport hubs and shipping over the last two years, GCHQ has said.

The "malicious" campaign also targeted those involved in the delivery of foreign assistance to Ukraine, it has been revealed.

Maritime, air traffic management, and IT services were also exposed as targets.

The Russian military unit 2616 has also been dubbed APT28, Fancy Bear, Forest Blizzard, `BlueDelta, and other codenames by the cyber intelligence community.

They used a variety of covert tactics and techniques over the last two years to target an array of UK organisations.

Read more: Putin visits Kursk for first time since Ukrainian forces driven out - after Russian missile strike kills six

Read more: UK businesses 'ignore free advice' to stop cyber attacks, GCHQ warns as M&S still reels from major hack

It was exposed today by the UK government and international allies, who laid bare a list of western companies targeted by the military hackers.

Attacks began in February 2022, when multiple hackers sponsored by the Russian ramped up their espionage activity to cause "destruction" and spread "influence", according to GCHQ.

It came as Russian military forces "failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defence", UK cyber security chiefs said.

This was when the Russian units targeted logistics and technology companies involved in the delivery of aid.

They also targeted internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.

'Serious risk to targeted organisations'

Paul Chichester, the National Cyber Security Centre's (NCSC) Director of Operations, said: "This malicious campaign by Russia’s military intelligence service presents a serious risk to targeted organisations, including those involved in the delivery of assistance to Ukraine. 

"The UK and partners are committed to raising awareness of the tactics being deployed.

"We strongly encourage organisations to familiarise themselves with the threat and mitigation advice included in the advisory to help defend their networks."

It comes after a string of attacks on UK retailers.

Richard Horne, the NCSC's chief executive, warned this week these incident “must give us pause … not because they are unique, but because they are not."Mr Horne stressed that while guidance is freely available on the NCSS website, it is not being following "nearly enough across the UK".

"There is a widening gap between the increasing cyber risks we face and our ability to defend ourselves against them.

"Every organisation must operate in a way that minimises the risks of an incident and know in advance how they would respond — and continue to operate — were an attack to get through."