Photo: NATO Rapid Deployment Force in Türkiye/File photo.
A Russian hacker group has attacked a Turkish unit of NATO's Rapid Deployment Force (a force the alliance operates to serve war response needs), according to information from US cybersecurity firm Palo Alto Networks.
It is not yet clear whether the hackers were successful, and the NATO alliance did not respond to requests for comment. However, Michael Sikorski, chief technology officer of Unit 42, Palo Alto Networks’ threat intelligence division, said the unit likely had “uninterrupted communication” with NATO headquarters, making it an ideal target for Russian spies.
US officials believe the hacker group operates under the command of Russia's GRU military intelligence agency. Palo Alto Networks said the group has targeted critical government infrastructure in at least 10 NATO member countries over the past several months.
Analysts say the long-running spying campaign shows that, after European and US governments expelled many Russian agents from their countries, the Russian government has increasingly emphasized the importance of remote intelligence gathering through hacking. Even in Ukraine, Russian forces have gathered intelligence on diplomats through hacker groups.
“To know what government communications are going on with Kyiv, they can best be collected from places that have a direct line of communication,” said Dan Black, a former NATO cybersecurity official who now works for the security firm Mandiant. He said a hacking unit linked to Russia’s foreign intelligence service “went full throttle” in its attacks on foreign diplomats to gather intelligence before Ukraine launched its counteroffensive in June.
Some of the cyberattacks began months ago, but analysts say the threat remains even as the war between Russia and Ukraine has largely ended. Russia is still using a number of techniques and software vulnerabilities to attack Microsoft email servers and other technology infrastructure, and the results show that the measures have been somewhat effective.
Russia’s cyber espionage operations in support of its war with Ukraine were exposed after the US Justice Department announced charges on Thursday against a Russian intelligence officer and a Russian IT employee in separate cyber espionage campaigns that included spying on US government officials and interfering in a British national election.
The U.S. Embassy in Kyiv provides U.S. support for Ukraine’s cyber defenses against attacks by Russian hackers. Hackers linked to Russia’s SVR foreign intelligence agency attempted to compromise the U.S. Embassy in Kyiv’s email account this spring, according to Palo Alto Networks.
A State Department spokesperson said the State Department's Bureau of Diplomatic Security "is aware of this activity and, based on analysis by the Directorate for Cybersecurity and Technology, has determined that these activities did not impact State Department systems or accounts."
Tony Adams, chief security researcher at security firm Secureworks, said the SVR-linked hacker group had also attempted to infiltrate “a number of prominent humanitarian organizations in Ukraine.”
“A successful penetration of any of those organizations would probably yield some immediate intelligence, but then… they could also leverage that successful penetration to continue to carry out necessary operations later,” said Mr. Adams.
The Russian Embassy in Washington DC has not responded to requests for comment.
As a conduit for weapons and aid to Ukraine, Poland has also been repeatedly attacked by Russian cyber intelligence throughout the war, according to Polish cybersecurity experts and officials.
The hackers used techniques similar to those used to attack NATO's Rapid Deployment Force and also targeted “a wide range” of government agencies and private companies in Poland and other countries, “including companies and government agencies that cooperate with the Polish Armed Forces,” said Przemysław Lipczyński, a spokesman for the Polish Cyber Directorate.
Polish officials have outlined steps to “eliminate the threat,” but Mr. Lipczyński said: “We have determined that these techniques are still being used by the enemy.”
Russia's changing cyber tactics
Russian cyberattacks targeting American and European diplomats coincide with a shift in cyber activity inside Ukraine as the Ukrainian military's offensive stalls, U.S. and Ukrainian officials say.
Russia has recalibrated its cyber operations in Ukraine, from carrying out mass destructive attacks on infrastructure in the early days of the war to more precise cyber espionage in recent months as Russian intelligence agencies try to locate and kill soldiers on the battlefield.
Russia has not abandoned its destructive cyberattacks against Ukraine. But its cyber operations have shifted their focus. “That intelligence is important,” said a U.S. Defense Department official with a cybersecurity role. “So it’s not surprising that Russia is trying to focus on analyzing Ukraine’s movements and communications.”
The Russian tactical shift coincides with a major Ukrainian counteroffensive that began in June to retake territory in eastern Ukraine, but has continued to this day as Russian and Ukrainian forces have entered a stalemate. The shift highlights the importance of more subtle operations—gathering intelligence covertly rather than shutting down entire networks—in war.
Officials and private cybersecurity experts described attempts to penetrate Ukraine’s battlefield communications systems over the past four months, including an attack on tablets used by Ukrainian officers to plan missions and a software platform used by Ukrainian forces to track Russian forces.
Illia Vitiuk, head of the cyber security department of Ukraine’s SBU intelligence service, said the agency had prevented attempts to hack into the Russian tablets. If those measures had not worked, Russia could have collected all the vital communications information used by Ukrainian forces on the battlefield.
US and Ukrainian cyber forces have also played an active role in the fight.
“Sometimes, if necessary, we not only collect intelligence but also destroy the enemy’s cyber infrastructure with our cyber weapons,” Vitiuk said. He declined to elaborate on these destructive cyber attacks.
The head of the Cyber Directorate, the US military’s cyberattack arm, said last year that the agency had carried out offensive cyber operations to support Ukraine as the country defended against Russian attacks.
Yegor Aushev, director of a private cybersecurity company in Ukraine, said he has been training Ukrainian officials in cyberattack capabilities for months.
“To defend effectively, you have to know how to attack,” he said. He declined to provide details about how the Ukrainian government is using these training programs on the battlefield.
US officials and experts have said a series of Russian cyber attacks have been repelled by Ukraine, after years of the country beefing up its cyber defenses.
US military assistance to Ukraine on cybersecurity continues as the war in Ukraine enters winter.
“We have had a number of direct discussions with Ukraine,” a US defense official said. “The Cyber Directorate continues to support the Ukrainian government in its cyber defense efforts.”
Nguyen Quang Minh (according to CNN)