Journalists have exposed a group of hackers linked to Russia’s military unit 29155 — part of the Main Directorate of the General Staff of the Russian Armed Forces, still widely known by its former abbreviation, GRU.
The unit is known for its involvement in the attempted poisoning of Sergei Skripal with Novichok.
The Insider published the investigation.
According to the report, Unit 29155 has been previously linked to the failed poisonings of Skripal in Salisbury and Bulgarian arms dealer Emilian Gebrev, as well as to explosions at ammunition depots in Bulgaria and the Czech Republic. Until recently, little was known about its involvement in cyber operations.
The Insider gained access to one of the group’s servers, which had virtually no security protections. This access revealed a broad list of targets, ranging from Ukrainian state-owned companies and European infrastructure to a Qatari bank and medical facilities worldwide.
Through analysis of phone records, travel data, and internal correspondence, journalists identified dozens of hacking team members. These included convicted credit card fraudsters, recent university graduates, and GRU sabotage veterans with no background in IT.
According to The Insider, most of the unit’s hacking and information operations failed due to low morale and corruption within the leadership.
The idea to create a hacker unit within military unit 29155 reportedly emerged around a decade ago. Those tasked with the project by commander Andrey Averyanov included his longtime subordinates Roman Puntus and Yuriy Denisov — both of whom had participated in GRU operations across Europe but lacked technical expertise — as well as Tim Stigal, a newcomer to the unit.
Despite the group’s cyber focus, most of Stigal’s operations were provocations rather than conventional hacking. For example, he created the “Anonymous Poland” Twitter account and used it to leak stolen credit card data, falsely claiming it was published by the investigative group Bellingcat.
Stigal’s team also published names and photographs of children of Ukrainian soldiers serving on the front lines in Donbas, again attributing the leaks to Bellingcat. Although Bellingcat repeatedly reported the account to Twitter, the platform ruled it did not violate its policies.
Some of the provocations achieved limited success. In one case, Stigal impersonated the Ukrainian nationalist group Right Sector and posted hacked personal data of Polish officials along with offensive messages. Some officials reportedly believed the posts were genuine.
One of the unit’s few notable cyberattacks was against QNB, Qatar’s largest bank. In May 2016, hackers exfiltrated 1.5 GB of data, including customer banking information. To deflect blame, a Turkish ultranationalist group called @bozkurthackers claimed responsibility.
Stigal also recruited Bulgarian journalist Dilyana Gaytandzhieva to help spread disinformation. In 2018, she traveled to Georgia to report on alleged U.S.-run biolabs operating from the American embassy in Tbilisi. The story aired on a Syrian government-affiliated satellite TV channel and marked the beginning of a broader propaganda campaign about “American biolabs,” which later became a staple of Russian disinformation.
One of the unit’s core goals was to incite Ukrainian nationalists against President Volodymyr Zelensky. Stigal allegedly recruited dozens of low-level operatives to pose as members of the Azov Battalion and stage provocations. Among the files recovered from the GRU server was a folder titled “Graffiti in Cities,” containing thousands of photos of anti-Zelensky slogans.
Gaytandzhieva was reportedly involved in this effort as well. In 2022, she published — and later deleted — an article claiming a conflict between Azov and Ukraine’s military intelligence agency (DIU), portraying the Azov unit as being financed by allies of Chechen leader Ramzan Kadyrov.
In late 2021, hackers attacked Ukrainian government websites, including those tied to the country’s energy infrastructure.
The group also scanned government and infrastructure websites in Uzbekistan, Georgia, the Czech Republic, Slovakia, Estonia, Poland, Moldova, and Armenia for vulnerabilities. Notably, nearly one-third of their known targets were in the Czech Republic.
Many of the targeted entities were in the medical field, including medical equipment manufacturers, a clinic in Azerbaijan, and the Tashkent Medical Academy.