UK sanctions Russian cyber spies accused of facilitating murders

Editor's Note: Story updated 9:15 a.m. Eastern U.S. time with additional details and names of sanctioned individuals.

The British government sanctioned 18 Russian military intelligence officers on Friday, alleging their units were responsible for cyber reconnaissance operations including those leading to hundreds of murders through the targeting of civilians in Ukraine.

Three units of the GRU have been sanctioned, alongside officers whom the British authorities said were responsible for hacking the personal device of Yulia Skripal — the daughter of GRU defector Sergei Skripal — five years before Russia’s failed attempt to murder the pair in Salisbury using the Novichok nerve agent.

David Lammy, Britain’s foreign secretary, in a statement said the sanctions are a message to Russia: “The Kremlin should be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it. That’s why we’re taking decisive action with sanctions against Russian spies.

“GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the safety of British citizens. Putin’s hybrid threats and aggression will never break our resolve. The UK and our Allies support for Ukraine and Europe’s security is ironclad,” added Lammy.

The GRU units sanctioned by the British government include Unit 26165, which was accused of having “conducted online reconnaissance to help target missile strikes against Mariupol — including the strike that destroyed the Mariupol Theatre where hundreds of civilians, including children, were murdered.”

The Council of the European Union and the North Atlantic Council — effectively the political representative bodies of the EU and NATO — issued statements of solidarity in support of the United Kingdom, and condemning the Russian cyber operations.

Of the 18 members of the GRU, more than a dozen have previously been publicly identified and indicted by the U.S. Department of Justice for their involvement with Unit 29155 and Unit 26165. Some of the names of the GRU officers appear to have not previously been publicly linked to Russian intelligence.

The British government said Russia has “targeted media outlets, telecoms providers, political and democratic institutions, and energy infrastructure” across the United Kingdom, and that the country and its “international allies are watching Russia and are countering their attacks both publicly and behind the scenes.”

Devastating real-world consequences

The GRU “routinely uses cyber and information operations to sow chaos, division and disorder in Ukraine and across the world with devastating real-world consequences,” the British government said on Friday.

Three units known to be involved in the GRU’s malicious cyber operations were included in the sanctions package:

• Unit 74455, also known as Voodoo Bear and Sandworm and considered one of the world’s most destructive hacking groups.
• Unit 26165, also known as Fancy Bear and Blue Delta and accused of attempting digital break-ins at multiple Western logistics firms.
• Unit 29155, allegedly behind the the data-destroying WhisperGate malware targeting Ukraine before the full-scale invasion in January 2022.

It comes as the U.K.’s National Cyber Security Centre — a part of the signals and cyber intelligence agency GCHQ — also reveals that GRU Unit 26165 was responsible for deploying sophisticated malware it calls AUTHENTIC ANTICS as part of its operations.

A previous analysis of the malware by NCSC, before the technical attribution to Unit 26165,  said it was “specifically designed to enable persistent endpoint access to Microsoft cloud accounts by blending in with legitimate activity” that works by “sending emails from the victim’s account to an actor-controlled email address without the emails showing in the ‘sent’ folder.”

The malware “demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU,” said the NCSC’s director of operations, Paul Chichester, who added that the agency’s “investigations of GRU activities over many years show that network defenders should not take this threat for granted and that monitoring and protective action is essential for defending systems.”

The sanctioned GRU personnel are::

Andrey Eduardovich Baranov, Unit 26165 
Vladislav Yevgenyevich Borovkov, Unit 29155 
Yuriy Federovich Denisov, Unit 29155 
Nikolay Aleksandrovich Korchagin, Unit 29155 
Anatoliy Sergeyevich Kovalev, Unit 74455
Aleksey Viktorovich Lukashev, Unit 26165
Artem Andreyevich Malyshev, Unit 26165
Dmitriy Aleksandrovich Mikhaylov (unit not specified)
Aleksey Sergeyevich Morenets, Unit 26165
Sergey Aleksandrovich Morgachev, Unit 26165
Viktor Borisovich Netyksho, Unit 26165
Artem Valeryvich Ochichenko, Unit 74455
Aleksandr Vladimirovich Osadchuk, Unit 74455
Yevgeniy Mikhaylovich Serebriakov, Unit 74455
Vitaly Aleksandrovich Shevchenko, Unit 29155
Yuriy Leonidovich Shikolenko, (unit not specified)
Sergey Sergeyevich Vasyuk, Unit 26165
Ivan Sergeyevich Yermakov, Unit 26165

The majority of the individuals already feature either in U.S. Department of Justice indictments against the GRU or are named on the FBI’s Most Wanted list.

Three of the men do not seem to have previously been named in English-language reports: Andrey Eduardovich Baranov; Yuriy Leonidovich Shikolenko; and Sergey Sergeyevich Vasyuk. However, Shikolenko was identified last year by the German magazine Stern as a senior officer in Unit 26165.

The British government said on Friday that in addition to the GRU Units and officers it was also sanctioning three leaders of “African Initiative” which was described as “a social media content mill established and funded by Russia and employing Russian intelligence officers to conduct information operations in West Africa. This includes reckless attempts to undermine lifesaving global health initiatives in the region by pushing baseless conspiracy theories to further the Kremlin’s political agenda.”