US and Allies Expose GRU Hackers Behind Election, NotPetya, and OPCW Operations
US prosecutors and allied governments publicly identified Russian military intelligence officers from the GRU for a series of high-profile cyber operations, linking the same apparatus to election interference, destructive malware, and espionage campaigns. A Mueller indictment detailed how GRU operators allegedly hacked Democratic Party networks, stole documents, and staged their release through online personas and infrastructure designed to obscure Russian involvement. Separately, the US Justice Department charged additional GRU officers over attacks tied to Ukraine, including the NotPetya malware outbreak and intrusions associated with power grid disruptions, underscoring the unit’s role in both covert influence operations and disruptive cyberattacks.
European authorities also exposed a failed close-access GRU operation against the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague. Dutch officials said four Russian operatives arrived with Wi‑Fi interception equipment, cash, phones, and receipts that connected them to GRU facilities in Moscow, and later expelled them after reportedly receiving a British intelligence tip. Investigators and media reports tied members of that team to broader targeting of the Skripal investigation, MH17 investigators, and the World Anti-Doping Agency, reinforcing a picture of a global GRU campaign marked by aggressive targeting and, in some cases, operational mistakes that helped attribute the activity.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
U.S. charges Russian hackers over Ukraine attacks and NotPetya
The U.S. Justice Department announced charges against Russian hackers accused of cyberattacks including Ukraine power grid disruptions and the NotPetya malware attack. The case publicly tied named Russian operatives to some of the most damaging GRU-linked cyber operations.
Netherlands publicly exposes failed GRU cyberattack on OPCW
Dutch authorities publicly disclosed the previously disrupted 2018 GRU operation against the OPCW, identifying the four operatives and describing the seized hacking gear and evidence. The disclosure highlighted the GRU's interest in chemical weapons and related international investigations.
Mueller indictment details Russian hacking tied to U.S. election interference
Special counsel Robert Mueller's indictment publicly revealed details about Russian intelligence tradecraft and hacking operations connected to interference in the 2016 U.S. election. The filing added new public attribution and operational detail about the GRU's cyber activities.
Dutch authorities disrupt OPCW hack attempt and expel four Russian operatives
Dutch authorities, reportedly tipped off by British intelligence, surveilled the GRU team targeting the OPCW, seized their equipment and other materials, and expelled them from the Netherlands. The operation was later linked to broader GRU activity involving the Skripal investigation, MH17 investigators, and WADA.
GRU officers conduct close-access hacking operation against OPCW in The Hague
In 2018, four Russian GRU operatives traveled to the Netherlands and allegedly prepared a Wi‑Fi hacking operation from near the OPCW headquarters in The Hague. The team arrived via Schiphol airport, rented a car, and carried hacking equipment, cash, phones, and receipts linked to GRU facilities in Moscow.
Sources
US charges Russian hackers blamed for Ukraine power outages and the NotPetya ransomware attack | TechCrunch (techcrunch.com)
How Russian spies bungled cyber-attack on weapons watchdog | Russia | The Guardian (theguardian.com)
What Mueller’s Indictment Reveals About Russian and U.S. Spycraft (theintercept.com)



