Menu
Browse

Cyber Threat Actor: GURMO

Actor Type Location Known Incidents
 Icon
Nation State
Ukraine
1 incident
Profile

GURMO is a cyber threat actor linked to Ukraine, operating with affiliations to the country's military intelligence apparatus. Public reporting associates this group with a 2022 intrusion against Russia's Beloyarsk Nuclear Power Plant, marking its sole publicly documented operation. The breach targeted the facility's business network rather than its operational technology systems, extracting sensitive documentation including contracts, architectural blueprints, alarm system configurations, and control system setup guides. Beloyarsk's status as the sole commercial operator of fast breeder reactors globally elevated the strategic value of stolen technical specifications, potentially offering foreign competitors insights into advanced nuclear technology.

The exfiltrated data exposed vendor relationships and detailed infrastructure schematics, creating avenues for follow-on attacks against operational technology environments by revealing potential supply chain weaknesses. While the immediate objective centered on espionage through document theft, the compromise carried broader implications for geopolitical signaling by demonstrating access to critical Russian infrastructure during a period of heightened bilateral tensions. The operation's focus on nuclear energy infrastructure aligns with strategic intelligence gathering rather than immediate disruptive or destructive aims, though the exposed control system details could theoretically lower barriers for future adversarial actions against industrial processes.

GURMO's affiliation with Ukrainian military intelligence provides contextual motivation for targeting Russian critical infrastructure, though no additional campaigns beyond the Beloyarsk intrusion have been publicly attributed. The absence of disclosed malware families, intrusion vectors, or persistent tooling in available reporting limits technical characterization of the group's tradecraft. This single operation demonstrates deliberate targeting of sensitive nuclear sector documentation with potential dual-use value for both intelligence purposes and competitive technological advantage.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources