Fancy Bear: The Shadow Arm of Russian Military Intelligence in the Digital War on Ukraine
- Matthew Parish

As the war in Ukraine escalates across traditional and hybrid fronts, cyber warfare has emerged as a key battleground. Amongst the most feared actors in this domain is Fancy Bear—a codename used by cybersecurity researchers to describe a prolific hacking group tied to Russia’s military intelligence agency, the GRU (Main Directorate of the General Staff of the Armed Forces of the Russian Federation). Over the past decade, Fancy Bear has conducted high-profile cyberattacks against governments, political institutions, media outlets and NGOs across the world. Its latest operations, reportedly involving the infiltration of Ukrainian CCTV and traffic surveillance systems to assist military targeting, signal a dramatic evolution in both its capabilities and strategic intent.
Origins and Attribution
Fancy Bear, also known by aliases such as APT28, STRONTIUM, and Sofacy, first came to international attention around 2014, although its activities are believed to date back as far as 2007. It has been definitively linked by Western intelligence agencies to the GRU’s 85th Main Special Service Center (GTsSS), particularly Unit 26165, which specialises in signals intelligence.
This attribution is supported by overlapping forensic indicators, including malware signatures, operational methods and infrastructure reuse. Leaks and indictments by the US Department of Justice—particularly those related to interference in the 2016 US presidential election—have further substantiated Fancy Bear’s direct ties to Russian state operations.
High-Profile Operations
Fancy Bear’s cyber footprint spans multiple continents and theatres. Notable operations include:
The 2016 US Presidential Election Interference: Fancy Bear was behind the hack-and-leak operation targeting the Democratic National Committee (DNC) and Hillary Clinton’s campaign. Stolen emails were disseminated via proxy platforms like WikiLeaks, shaping the information landscape during a critical election period.
Cyber Espionage in Europe: Between 2014 and 2017, Fancy Bear targeted the German Bundestag, the French television network TV5Monde and multiple ministries across Eastern Europe. Its objectives often aligned with geopolitical milestones, such as EU-NATO summits or elections.
The Olympic Doping Retaliation: After Russian athletes were banned for doping, Fancy Bear leaked World Anti-Doping Agency (WADA) data and medical files of Western athletes, as part of a retaliatory disinformation campaign.
Cyber Operations Against Ukraine: Since 2014, Fancy Bear has maintained a persistent and evolving campaign against Ukrainian targets, including government ministries, defence systems, election infrastructure and media organisations.
Tactics, Techniques, and Procedures (TTPs)
Fancy Bear’s hallmark is its adaptability. The group is known for:
Spear Phishing Campaigns: These are highly targeted emails that often mimic trusted contacts or institutions. They are typically used to deliver malware such as Sednit, X-Agent and X-Tunnel once a link is clicked or an attachment opened.
Credential Harvesting: Fancy Bear has conducted massive login credential theft campaigns to gain access to sensitive networks, often through the use of fake login portals or compromised websites.
Zero-Day Exploits: The group has employed previously unknown vulnerabilities in Microsoft Office, Adobe Flash, and Android OS to gain initial access.
Use of Open Source Tools: In recent years, Fancy Bear has shifted towards open-source and publicly available tools (for example, by creating malicious clones of open-source software) in order to obfuscate attribution.
Timing and Geolocation Manipulation: Operations are sometimes executed using techniques designed to mislead analysts about the origin or intent of the attack—such as adjusting time stamps or spoofing language settings.
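As an added defensive illustration (this is example code, not part of the article and not a description of any actual Fancy Bear tooling), the following Python script shows how a mail-security team might flag two of the indicators listed above: a display name that mimics a trusted contact while the sending domain differs, and lookalike domains of the kind used for fake login portals. The contact list, trusted domains and the three sample messages are all constructed for the example.

```python
"""Flag spear-phishing indicators in inbound mail: display-name impersonation
and lookalike (typosquat or embedded-name) domains. Added example; the
contacts, domains and messages below are constructed, not real data."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: who we expect to write to us, and from which domain.
TRUSTED_CONTACTS = {
    "Olena Shevchenko": "ngo-example.org",
    "IT Helpdesk": "ngo-example.org",
}
TRUSTED_DOMAINS = {"ngo-example.org", "mail.ngo-example.org"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
CREDENTIAL_WORDS = re.compile(r"(login|signin|verify|password)", re.I)


def levenshtein(a, b):
    """Edit distance; a distance of 1-2 from a trusted domain is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable-domain approximation: the last two DNS labels."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


TRUSTED_REGISTRABLE = {registrable(t) for t in TRUSTED_DOMAINS}


def lookalike(host, trusted):
    """True if host resembles a trusted domain without actually being one."""
    host = host.lower()
    reg = registrable(host)
    if reg in {registrable(t) for t in trusted}:
        return False  # genuine host or subdomain of a trusted domain
    for t in trusted:
        t_reg = registrable(t)
        if t_reg in host:  # trusted name embedded in a foreign registrable domain
            return True
        if levenshtein(reg, t_reg) <= 2:  # single-character swaps such as o -> 0
            return True
    return False


def analyse(msg):
    """Return a list of indicator strings for one message dict ({'from', 'body'})."""
    findings = []
    name, addr = parseaddr(msg["from"])
    sender_domain = addr.rpartition("@")[2].lower()

    # Indicator 1: known display name, unexpected sending domain.
    expected = TRUSTED_CONTACTS.get(name)
    if expected and registrable(sender_domain) != registrable(expected):
        findings.append(f"display-name impersonation: '{name}' from {sender_domain}")

    # Indicator 2: sender domain is a lookalike of one we trust.
    if sender_domain and lookalike(sender_domain, TRUSTED_DOMAINS):
        findings.append(f"lookalike sender domain: {sender_domain}")

    # Indicator 3: links to lookalike hosts, or credential prompts off-domain.
    for url in URL_RE.findall(msg["body"]):
        host = urlparse(url).hostname or ""
        if lookalike(host, TRUSTED_DOMAINS):
            findings.append(f"lookalike link host: {host}")
        if CREDENTIAL_WORDS.search(url) and registrable(host) not in TRUSTED_REGISTRABLE:
            findings.append(f"credential-prompt link on untrusted host: {host}")
    return findings


# Constructed sample messages: one benign, one lookalike portal lure, one
# display-name impersonation with no links.
SAMPLE_MESSAGES = [
    {"from": "IT Helpdesk <helpdesk@ngo-example.org>",
     "body": "Reminder: the VPN client update is on https://mail.ngo-example.org/updates"},
    {"from": "IT Helpdesk <helpdesk@ng0-example.org>",
     "body": "Your mailbox is full. Re-enter your password at "
             "https://ngo-example.org.secure-login.net/verify"},
    {"from": "Olena Shevchenko <o.shevchenko@gmail-example.com>",
     "body": "Please review the attached list of evacuation routes."},
]


def triage(messages):
    """Map message index to its findings; empty lists are messages with no indicator."""
    return {i: analyse(m) for i, m in enumerate(messages)}


if __name__ == "__main__":
    for i, findings in triage(SAMPLE_MESSAGES).items():
        print(i, findings or "no indicators")
```

The allowlist-driven approach is deliberately narrow: it only knows about contacts and domains the defender has enumerated, so it produces few false positives but will not catch lures that impersonate nobody on the list. In practice it would sit alongside SPF/DKIM/DMARC evaluation rather than replace it.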
Targeting NGOs and Civil Society
One of the most concerning developments is Fancy Bear’s increasing focus on civil society organisations that support Ukraine. These include:
Humanitarian NGOs: Organisations providing medical aid, refugee assistance, and war crimes documentation have reported phishing attempts, malware intrusions, and data thefts.
Media and Research Institutes: Ukrainian and international media outlets covering Russian atrocities have been compromised in attempts to leak or alter reporting.
Digital Infrastructure of Civil Resistance: Hacking campaigns have targeted local government websites, civilian alert systems and apps used by volunteers and resistance coordinators.
These efforts reflect Russia’s aim not just to disable military targets, but to destabilise the very networks that sustain Ukrainian society's resilience to Russia's invasion.
Infiltration of Surveillance Systems
In 2025, reports began to emerge that Fancy Bear, or a related GRU-affiliated unit, had succeeded in infiltrating municipal surveillance infrastructure in Ukraine—specifically CCTV, traffic cameras and smart city systems. The implications are profound:
Battlefield Targeting: Ukrainian intelligence believes that hacked cameras were used to track military vehicle movements and civilian evacuation routes in real-time, enabling more accurate artillery strikes.
Psychological Warfare: The manipulation of civilian surveillance systems spreads fear and undermines trust in government institutions and local infrastructure.
Command Disruption: Disabling or misleading surveillance feeds can hamper coordination between emergency services and local authorities, particularly during missile strikes or evacuations.
False-Flag Operations: In some instances, Russian-aligned actors have reportedly used hijacked surveillance systems to stage fabricated events or confuse attribution in sensitive operations.
These actions mark a convergence of cyber warfare, kinetic operations and psychological operations—blurring the line between virtual and physical battlefields.
International Response and Countermeasures
Western states and Ukraine have stepped up cybersecurity collaboration. The European Union Agency for Cybersecurity (ENISA) and US Cyber Command have issued joint advisories on GRU tactics. Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) has partnered with private sector actors like Microsoft and Google to harden digital infrastructure.
However, Fancy Bear’s persistent evolution complicates defensive efforts. The group exploits not just software vulnerabilities but also human weaknesses—social engineering, trust and fatigue.
There is also a political dimension: countering Fancy Bear means confronting the GRU, and therefore the Kremlin (to whom the GRU reports directly). Sanctions and indictments (such as the 2018 US indictment of 12 GRU officers) have symbolic value, but limited deterrent effect in a war context.
Conclusion: The Digital Long War
Fancy Bear exemplifies the modern character of Russian warfare—covert, asymmetric and deeply integrated with state strategy. It operates not just as a cyber unit but as a tool of psychological influence, battlefield enabler, and disruptor of civil society.
Its latest operations in Ukraine reveal the group’s growing ambition and technical reach. From stealing documents to surveilling cities, Fancy Bear reflects how cyber conflict is now inseparable from geopolitical conflict. Ukraine, standing as the frontline of democratic resilience, remains both a testing ground and a target for these shadowy tools of war.
For Ukraine and her allies, the fight against Fancy Bear will require not only firewalls and patches but sustained vigilance, strategic investment in cyber resilience and global solidarity in confronting authoritarian hybrid threats.