(Moscow) – A team of Russian military hackers connected to the notorious GRU Unit 29155 has been publicly exposed after investigative journalists gained access to one of their unsecured servers. The shocking discovery revealed the identities, operations, and internal failures of a shadowy cyber division under the command of the Russian dictator’s armed forces.
The investigation, published by The Insider, links Unit 29155 to previous acts of sabotage including the failed Novichok poisoning of former spy Sergei Skripal in Salisbury, the attempted assassination of Bulgarian arms dealer Emilian Gebrev, and explosions at ammunition depots in Bulgaria and the Czech Republic. However, this latest report reveals the unit’s lesser-known cyber operations, many of which were marked by amateurism and incompetence.
The journalists discovered the unsecured GRU server had no meaningful protection, exposing detailed records of targets that included Ukrainian state companies, European energy systems, Qatari banks, and medical facilities worldwide. Analysis of travel logs, phone records, and internal files led to the identification of dozens of team members. These included convicted credit card fraudsters, recent university graduates, and ageing saboteurs with little or no technical skill.
The idea to create a cyber unit within military unit 29155 reportedly came from its commander, Andrey Averyanov, around a decade ago. He tasked long-serving operatives Roman Puntus and Yuriy Denisov with forming the team, despite their lack of IT experience. They were joined by Tim Stigal, a new recruit who specialised more in propaganda than actual hacking.
Rather than launching sophisticated attacks, Stigal used social media to run smear campaigns. He created the “Anonymous Poland” Twitter account to publish stolen credit card data and falsely claimed that the leaks were made by investigative group Bellingcat. His team also released personal information of Ukrainian soldiers’ children and attempted to incite tensions by impersonating Ukrainian nationalists online. Despite repeated reports, Twitter failed to remove the account.
Stigal’s team also spread fake stories about US biological laboratories in Georgia with help from pro-Kremlin Bulgarian journalist Dilyana Gaytandzhieva. The disinformation aired on Syrian state television, sparking conspiracy theories that later became key parts of Russian propaganda.
The GRU hackers also launched a successful 2016 attack on Qatar National Bank (QNB), stealing 1.5 GB of customer data. To mislead investigators, the team arranged for a Turkish ultranationalist group to take the blame. However, most of their cyber efforts failed due to poor morale and high-level corruption within the unit.
Among the most disturbing revelations was a campaign to discredit Ukrainian President Volodymyr Zelensky. The GRU tried to stir up anger among Ukrainian nationalist groups by recruiting fake operatives to pose as members of the Azov Battalion. A recovered folder named “Graffiti in Cities” contained thousands of anti-Zelensky slogans spray-painted across Ukraine. One of the key propagandists behind this was again Gaytandzhieva, who later deleted her fabricated reports alleging infighting within Ukraine’s military ranks.
In addition to Ukraine, GRU cyber scouts scanned state infrastructure websites across Eastern Europe and the Caucasus, targeting systems in Poland, Estonia, Armenia, Moldova, Slovakia, the Czech Republic, and Georgia. Many of these attacks focused on medical infrastructure, including hospitals and research institutions.
Despite years of Kremlin investment in digital espionage, the investigation portrays the GRU hacker unit as a deeply dysfunctional and outdated organisation, riddled with propaganda failures and security lapses that ultimately exposed their own agents.







