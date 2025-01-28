Three Russian nationals have been sanctioned by the EU for their involvement in a 2020 cyber espionage operation targeting Estonian government agencies.

In a document published on January 27, 2025, the Council of the EU imposed restrictive measures against Nikolay Korchagin, Vitaly Shevchenko and Yuriy Denisov.

As members of the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (aka Unit 29155), the three Russians are accused of being responsible for “cyber-attacks with a significant effect by conducting intelligence activities directed against Estonia and gaining access to a computer system illegally.”

The Council said they breached several Estonian ministries, including Economic Affairs and Communications, Social Affairs and Foreign Affairs, and stole thousands of sensitive documents containing classified information.

"These documents included business secrets, health records, and other critical information compromising the security of the affected institutions. Unit 29155 is also responsible for conducting cyber-attacks against other EU member states and partners, notably Ukraine,” said the Council.



The sanctioned individuals will have all assets in EU countries frozen and been issued with a travel ban from the region. Additionally, any EU-based individuals and entities are banned on making funds available to those listed.

Unit 29155 Behind Skripal Assassination Attempt

Unit 29155 is a Russian military intelligence unit associated with cyber and kinetic operations apparently aimed at destabilizing European countries.

While the unit’s kinetic activities were made public around 2019, some experts believe it has been active since at least 2008.

Unit 29155 was linked to the 2014 ammunition warehouse explosions in Vrbětice, Czech Republic, and to the attempted assassinations of Bulgarian arms dealer Emilian Gebrev in April 2015 and the former GRU Colonel Sergei Skripal in March 2018.

In December 2024, the EU sanctioned 16 members of Unit 29155 for their involvement in assassinations and various destabilization activities, including bombings and cyber-attacks, across Europe.

Unit 29155 Behind WhisperGate

The group’s cyber espionage and sabotage activity has emerged around 2020.

Known as Cadet Blizzard, Ember Bear, Ruinous Ursa and DEV-0586, the group has orchestrated cyber sabotage campaigns targeting European countries, NATO member states and countries in Latin America and Central Asia.

Since 2021, Unit 29155’s cyber activity appears to be focusing on Ukraine.

Notably, Microsoft detected in 2022 that DEV-0586 deployed wiper malware WhisperGate against Ukrainian entities.

The malware is designed to look like ransomware but lacks a ransom recovery mechanism. It is intended to be destructive and is designed to render targeted devices inoperable rather than to obtain a ransom.

A 2024 joint advisory between the US, UK and seven other governments associated WhisperGate with Unit 29155.

The US State Department has offered a reward of up to $10m for information leading to the capture of five alleged members of Unit 29155, including Korchagin and Denisov.