Menu
Browse

Cyber Threat Actor: GRU-backed hackers

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Nation State
Russia
2 incidents
Profile

The threat actor is publicly linked tothe GRU, Russia’s military intelligence service, and appears in open sources under the aliases GRU-backed hackers and Hackers rusos. Attribution assessments consistently describe the group as operating under Russian state direction rather than as an independent criminal enterprise. No public information indicates that the actor pursues profit‑motivated goals such as ransom or data resale. Its activities are therefore characterized as serving strategic state interests, most commonly associated with intelligence collection or preparatory access to critical infrastructure.

The actor has been observed targeting telecommunications and electricity sectors in both South America and Europe. In November 2022 the Argentine satellite operator ARSAT suffered an intrusion into its internal corporate systems that occurred hours before a high‑profile World Cup match, prompting a precautionary system‑wide shutdown although no customer data or services were affected and no ransom demand was made. ARSAT maintains critical operations for military telecommunications, Antarctic base connectivity, and national broadcast services, which remained functional throughout the incident. A separate operation in mid‑2017 saw senior engineers at Ireland’s Electricity Supply Board receive spear‑phishing emails that mimicked legitimate internal traffic, a tactic described as relying on extensive pre‑attack surveillance of the organization’s practices. The objective of that effort was to gain footholds in energy‑network control systems, with analysts noting that successful compromise could have allowed disruption of power supplies in parts of Northern Ireland.

Across these incidents the group’s initial access relies on deceptive email messages that deliver malicious payloads, though the specific malware families or tool kits employed are not disclosed in the referenced reports. The emphasis appears to be on tailored social engineering rather than widespread exploit deployment, reflecting a focus on precision over volume. The absence of public claims of responsibility or financial extortion associated with the ARSAT and ESB incidents indicates that the intrusions were not financially motivated. Collectively, the known activity demonstrates a recurring pattern of attempts to probe and penetrate strategic networks in disparate geographic regions.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
2 sources