Cyber Threat Actor: Main Intelligence Directorate (HUR)
| Actor Type | Location | Known Incidents |
Nation State
|
Ukraine
|
8 incidents |
|---|
Profile
The threat actor is known as the Main Intelligence Directorate (HUR) of Ukraine, also referred to as GUR, Defense Intelligence of Ukraine, or Ukrainian Military Intelligence. It is a state intelligence agency operating from Ukraine. Public reporting attributes to this actor a series of cyber operations against Russian entities across multiple sectors. Targeted sectors include energy companies such as Gazprom and Lukoil, telecommunications providers like MegaFon, Rostelecom, MTC, Beeline and Yandex, financial institutions including Gazprombank and major Russian banks, the Federal Taxation Service, drone control programs, internet providers and cloud storage services, and industrial facilities that support the Russian military‑industrial complex.
Observed tactics involve deploying malware that destroys databases, backups and configuration files, wiping servers and SCADA systems, damaging BIOS and deleting operating systems on infected devices. The actor also employs distributed denial‑of‑service attacks to knock out telecommunications, internet and payment services, as seen in the MegaFon and financial institution incidents. In operations against drone control software, malware has been used to disable friend‑or‑foe identification, block video streaming and prevent remote‑control configuration, forcing manual drone operation. Attacks on internet providers and cloud storage have included the destruction of file storages and the posting of pro‑Ukrainian messages on compromised platforms. The actor’s objectives are to disrupt critical services, cause financial harm and gather intelligence through data exfiltration before destruction, as evidenced by the downloading of hundreds of terabytes prior to data wiping in the Gazprom intrusion.
Representative campaigns cited in open sources include the July 2025 intrusion into Gazprom’s network that erased contract, tariff, payment and well‑network data and removed operating systems from hundreds of servers. Another example is the March 2025 MegaFon DDoS that disrupted mobile and internet services in Moscow, St. Petersburg and central regions, affecting allied platforms such as Yota and NetByNet. The December 2024 operation against Russia’s Federal Taxation Service infected thousands of servers, destroyed configuration files and backups, and paralyzed communications between Moscow and regional offices. Additionally, the July 2024 attacks on Russian financial institutions caused widespread ATM failures, payment system freezes and mobile‑banking outages while compromising bank databases. Earlier in 2024, HUR‑linked hackers targeted Russian drone control programs, disabling identification systems and video streaming, which required operators to revert to manual control.
