{ "id": "6797f0a1-cd0b-476f-9796-7e081a04c57c", "created_at": "2026-04-06T00:19:04.006836Z", "updated_at": "2026-04-10T03:37:50.232581Z", "deleted_at": null, "sha1_hash": "fdb5c86e529dd2bfaf12a0c3a402fbcdd57c0514", "title": "UK sanctions Russian cyber spies accused of facilitating murders", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 100421, "plain_text": "UK sanctions Russian cyber spies accused of facilitating murders\r\nBy Alexander Martin\r\nPublished: 2025-07-18 · Archived: 2026-04-05 21:04:12 UTC\r\nEditor's Note: Story updated 9:15 a.m. Eastern U.S. time with additional details and names of sanctioned\r\nindividuals.\r\nThe British government sanctioned 18 Russian military intelligence officers on Friday, alleging their units were\r\nresponsible for cyber reconnaissance operations including those leading to hundreds of murders through the\r\ntargeting of civilians in Ukraine.\r\nThree units of the GRU have been sanctioned, alongside officers whom the British authorities said were\r\nresponsible for hacking the personal device of Yulia Skripal — the daughter of GRU defector Sergei Skripal —\r\nfive years before Russia’s failed attempt to murder the pair in Salisbury using the Novichok nerve agent.\r\nDavid Lammy, Britain’s foreign secretary, in a statement said the sanctions are a message to Russia: “The Kremlin\r\nshould be in no doubt: we see what they are trying to do in the shadows and we won’t tolerate it. That’s why we’re\r\ntaking decisive action with sanctions against Russian spies.\r\n“GRU spies are running a campaign to destabilise Europe, undermine Ukraine’s sovereignty and threaten the\r\nsafety of British citizens. Putin’s hybrid threats and aggression will never break our resolve. The UK and our\r\nAllies support for Ukraine and Europe’s security is ironclad,” added Lammy.\r\nThe GRU units sanctioned by the British government include Unit 26165, which was accused of having\r\n“conducted online reconnaissance to help target missile strikes against Mariupol — including the strike that\r\ndestroyed the Mariupol Theatre where hundreds of civilians, including children, were murdered.”\r\nThe Council of the European Union and the North Atlantic Council — effectively the political representative\r\nbodies of the EU and NATO — issued statements of solidarity in support of the United Kingdom, and condemning\r\nthe Russian cyber operations.\r\nOf the 18 members of the GRU, more than a dozen have previously been publicly identified and indicted by the\r\nU.S. Department of Justice for their involvement with Unit 29155 and Unit 26165. Some of the names of the GRU\r\nofficers appear to have not previously been publicly linked to Russian intelligence.\r\nThe British government said Russia has “targeted media outlets, telecoms providers, political and democratic\r\ninstitutions, and energy infrastructure” across the United Kingdom, and that the country and its “international\r\nallies are watching Russia and are countering their attacks both publicly and behind the scenes.”\r\nDevastating real-world consequences\r\nThe GRU “routinely uses cyber and information operations to sow chaos, division and disorder in Ukraine and\r\nacross the world with devastating real-world consequences,” the British government said on Friday.\r\nhttps://therecord.media/uk-sanctions-gru-personnel-accused-murder-civilians-ukraine\r\nPage 1 of 4\n\nThree units known to be involved in the GRU’s malicious cyber operations were included in the sanctions\r\npackage:\r\nUnit 74455, also known as Voodoo Bear and Sandworm and considered one of the world’s most destructive\r\nhacking groups.\r\nUnit 26165, also known as Fancy Bear and Blue Delta and accused of attempting digital break-ins at\r\nmultiple Western logistics firms.\r\nUnit 29155, allegedly behind the the data-destroying WhisperGate malware targeting Ukraine before the\r\nfull-scale invasion in January 2022.\r\nIt comes as the U.K.’s National Cyber Security Centre — a part of the signals and cyber intelligence agency\r\nGCHQ — also reveals that GRU Unit 26165 was responsible for deploying sophisticated malware it calls\r\nAUTHENTIC ANTICS as part of its operations.\r\nA previous analysis of the malware by NCSC, before the technical attribution to Unit 26165,  said it was\r\n“specifically designed to enable persistent endpoint access to Microsoft cloud accounts by blending in with\r\nlegitimate activity” that works by “sending emails from the victim’s account to an actor-controlled email address\r\nwithout the emails showing in the ‘sent’ folder.”\r\nThe malware “demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU,” said\r\nthe NCSC’s director of operations, Paul Chichester, who added that the agency’s “investigations of GRU activities\r\nover many years show that network defenders should not take this threat for granted and that monitoring and\r\nprotective action is essential for defending systems.”\r\nThe sanctioned GRU personnel are::\r\nAndrey Eduardovich Baranov, Unit 26165 \r\nVladislav Yevgenyevich Borovkov, Unit 29155 \r\nYuriy Federovich Denisov, Unit 29155 \r\nNikolay Aleksandrovich Korchagin, Unit 29155 \r\nAnatoliy Sergeyevich Kovalev, Unit 74455\r\nAleksey Viktorovich Lukashev, Unit 26165\r\nArtem Andreyevich Malyshev, Unit 26165\r\nDmitriy Aleksandrovich Mikhaylov (unit not specified)\r\nAleksey Sergeyevich Morenets, Unit 26165\r\nSergey Aleksandrovich Morgachev, Unit 26165\r\nViktor Borisovich Netyksho, Unit 26165\r\nArtem Valeryvich Ochichenko, Unit 74455\r\nAleksandr Vladimirovich Osadchuk, Unit 74455\r\nYevgeniy Mikhaylovich Serebriakov, Unit 74455\r\nVitaly Aleksandrovich Shevchenko, Unit 29155\r\nYuriy Leonidovich Shikolenko, (unit not specified)\r\nSergey Sergeyevich Vasyuk, Unit 26165\r\nIvan Sergeyevich Yermakov, Unit 26165\r\nhttps://therecord.media/uk-sanctions-gru-personnel-accused-murder-civilians-ukraine\r\nPage 2 of 4\n\nThe majority of the individuals already feature either in U.S. Department of Justice indictments against the GRU\r\nor are named on the FBI’s Most Wanted list.\r\nThree of the men do not seem to have previously been named in English-language reports: Andrey Eduardovich\r\nBaranov; Yuriy Leonidovich Shikolenko; and Sergey Sergeyevich Vasyuk. However, Shikolenko was identified\r\nlast year by the German magazine Stern as a senior officer in Unit 26165.\r\nThe British government said on Friday that in addition to the GRU Units and officers it was also sanctioning three\r\nleaders of “African Initiative” which was described as “a social media content mill established and funded by\r\nRussia and employing Russian intelligence officers to conduct information operations in West Africa. This\r\nincludes reckless attempts to undermine lifesaving global health initiatives in the region by pushing baseless\r\nconspiracy theories to further the Kremlin’s political agenda.”\r\nAlexander Martin\r\nis the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and a fellow\r\nat the European Cyber Conflict Research Initiative, now Virtual Routes. He can be reached securely using Signal\r\non: AlexanderMartin.79\r\nhttps://therecord.media/uk-sanctions-gru-personnel-accused-murder-civilians-ukraine\r\nPage 3 of 4\n\nSource: https://therecord.media/uk-sanctions-gru-personnel-accused-murder-civilians-ukraine\r\nhttps://therecord.media/uk-sanctions-gru-personnel-accused-murder-civilians-ukraine\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://therecord.media/uk-sanctions-gru-personnel-accused-murder-civilians-ukraine" ], "report_names": [ "uk-sanctions-gru-personnel-accused-murder-civilians-ukraine" ], "threat_actors": [ { "id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4", "created_at": "2022-10-25T16:07:23.667223Z", "updated_at": "2026-04-10T02:00:04.705778Z", "deleted_at": null, "main_name": "GCHQ", "aliases": [ "Government Communications Headquarters", "Operation Socialist" ], "source_name": "ETDA:GCHQ", "tools": [ "Prax", "Regin", "WarriorPride" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434744, "ts_updated_at": 1775792270, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/fdb5c86e529dd2bfaf12a0c3a402fbcdd57c0514.pdf", "text": "https://archive.orkl.eu/fdb5c86e529dd2bfaf12a0c3a402fbcdd57c0514.txt", "img": "https://archive.orkl.eu/fdb5c86e529dd2bfaf12a0c3a402fbcdd57c0514.jpg" } }