The European Union has imposed sanctions on three Russian individuals for their involvement in a 2020 cyber espionage operation targeting Estonian government agencies. According to a document released on January 27, 2025, the Council of the EU took action against Nikolay Korchagin, Vitaly Shevchenko, and Yuriy Denisov. These individuals, identified as members of the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center, are accused of conducting cyber-attacks aimed at Estonia and gaining unauthorized access to sensitive information.
The Council of the EU stated that the trio breached several Estonian ministries, including Economic Affairs and Communications, Social Affairs, and Foreign Affairs, and stole classified documents containing business secrets, health records, and other critical information compromising the security of these institutions. Additionally, Unit 29155, to which the sanctioned individuals belong, has been linked to cyber-attacks against other EU member states and partners, notably Ukraine.
As a result of these sanctions, the assets of the sanctioned individuals in EU countries have been frozen, and they have been prohibited from traveling to the region. Furthermore, individuals and entities based in the EU are forbidden from providing funds to those listed under the sanctions.
Unit 29155, the Russian military intelligence unit to which the sanctioned individuals belong, is known for its involvement in cyber and kinetic operations aimed at destabilizing European countries. While the unit’s kinetic activities became public around 2019, experts believe it has been operational since at least 2008. Unit 29155 has been linked to various incidents, including the 2014 ammunition warehouse explosions in the Czech Republic and the attempted assassinations of individuals like Emilian Gebrev and former GRU Colonel Sergei Skripal.
The group’s cyber espionage and sabotage activities, known by various aliases like Cadet Blizzard, Ember Bear, Ruinous Ursa, and DEV-0586, have been ongoing since around 2020. Unit 29155 has orchestrated cyber sabotage campaigns targeting European countries, NATO member states, as well as countries in Latin America and Central Asia. Recently, their cyber activities seem to be focusing on Ukraine, with instances of deploying destructive malware like WhisperGate against Ukrainian entities.
The US, UK, and other governments jointly issued an advisory in 2024 linking WhisperGate with Unit 29155. The US State Department has even offered a reward of up to $10 million for information leading to the capture of alleged members of Unit 29155, including Korchagin and Denisov. The ongoing actions against these Russian individuals highlight the growing concern over cyber threats and the need for international cooperation to address such challenges effectively.