The 161st Specialized Training Center: A Front for Administrative Purposes
Unit 29155 is officially designated as the 161st Specialized Training Center of the GRU, Russia’s military intelligence agency. According to Western investigations published since 2024, it employs approximately 400 people, including about 60 in a subunit dedicated to sabotage and about 10 in a smaller but particularly active cyber division. It is reportedly under the command of General Andrei Averianov, a prominent figure in Russian military intelligence who has already been linked to several controversial overseas operations.
This unit was not created for the war in Ukraine. It existed long before that, with a documented history of sabotage and assassination operations in Europe: it is notably linked to the attempted poisoning of former spy Sergei Skripal in the United Kingdom in 2018, an attempted coup in Montenegro in 2016, and explosions at ammunition depots in the Czech Republic and Bulgaria.
A Shift from Physical Sabotage to Digital Hacking
This shift toward cyberwarfare accelerated around the time of the 2022 invasion. According to joint investigations by several Western intelligence agencies, this unit was directly involved in deploying the WhisperGate malware against more than seventy Ukrainian government systems on January 13, 2022—just a few weeks before the full-scale invasion.
This chronological detail matters greatly: the cyberattack preceded the tanks. Digital sabotage was not a reaction to the war; it was a calculated prelude, designed to disrupt the Ukrainian state even before the first shot was fired.
What strikes me most about this timeline is the premeditation. WhisperGate was not a random test. It was a destabilization operation launched weeks before the invasion—proof that the Kremlin was planning its hybrid war long before it publicly acknowledged it.
The President's Office, a Direct Target of Spear-Phishing Campaigns
Ministries Targeted by Phishing Emails
Western investigations indicate that Unit 29155 has carried out spear-phishing campaigns—targeted and personalized fraudulent emails—against the Ukrainian presidential office and several ministries. The goal of this type of attack is not the immediate destruction of data, but rather silent infiltration: gaining prolonged access to the internal communications of a government at war.
Brigadier General Volodymyr Karastelov has publicly confirmed that government agencies are among the priority targets of these Russian campaigns, alongside financial institutions and critical infrastructure. This official confirmation transforms what might have seemed like an expert hypothesis into a fact established by the Ukrainian authorities themselves.
The Ukrainian Security Service Claims to Have Thwarted Thousands of Attacks
Since the start of the war, the Security Service of Ukraine (SBU) claims to have thwarted more than 16,000 Russian cyberattacks targeting Ukrainian systems. While the technical details of this figure are difficult to verify independently, it nonetheless illustrates the intensity of this invisible war unfolding alongside the physical front lines.
This volume of attacks reveals a simple reality: Russia’s cyberwar against Ukraine is not a sporadic phenomenon. It is a continuous, daily pressure that mobilizes considerable human and technical resources on both the Russian and Ukrainian sides to defend against it.
Sixteen thousand attacks thwarted—it’s a staggering number. This means that every day of this war involves, on average, several attempts to hack into the Ukrainian government’s systems. These can no longer be considered isolated incidents.
Ukrainian media: prime targets in the digital war
A Denial-of-Service Attack of Rare Intensity
According to Euromaidan Press, a Ukrainian television website recently suffered a distributed denial-of-service attack reaching 200,000 requests per minute, sustained for about three hours by a network of compromised machines spread across Asia, Europe, and the United States. This type of attack aims to overwhelm a server with fraudulent traffic until it becomes inaccessible to the public.
This is not an isolated incident. As early as 2025, another Ukrainian media group had suffered a two-stage attack: first, a phishing campaign to gain initial access, followed by an attempt to penetrate deeper into the technical infrastructure—an attempt thwarted by Ukrainian security services before it could cause irreversible damage.
Why the Media Is a Strategic Target
Striking at the Ukrainian media during a war has a clear objective: to cut off or disrupt the public’s access to reliable information, precisely when that information is most vital. A country that can no longer broadcast its alerts, updates, or fact-checks becomes more vulnerable to the disinformation circulating in parallel on social media.
This logic explains why Ukraine’s National Council on Television and Radio Broadcasting, in collaboration with the authorities, launched a cyber resilience program covering twenty regional locations across twenty-one oblasts, with approximately 450 participants trained in 2026 on best practices in cybersecurity for newsrooms.
Targeting the press in times of war has never been a technical coincidence. It is a strategy as old as propaganda itself, simply updated with modern botnets. Protecting Ukrainian newsrooms means protecting the truth itself.
A criminal history already documented by Western courts
Five GRU Officers Indicted in the United States
In 2024, the U.S. Department of Justice indicted five GRU officers and one civilian for their alleged role in operations attributed to Unit 29155, offering rewards of up to $10 million for any information leading to their arrest. This legal action, rare for this type of foreign military unit, illustrates the seriousness with which Washington now views these activities.
That same year, the UK’s National Cyber Security Center issued a joint advisory with several Western allies confirming that this Russian military unit was conducting cyberattack and digital sabotage campaigns that extended far beyond the Ukrainian theater, with targets identified in Europe and North America.
Coordinated but Still Incomplete Sanctions
In 2025, New Zealand imposed sanctions on several alleged members of this unit, while the European Union imposed sanctions on three GRU officers for cyberattacks targeting Estonia. These measures, while very real, remain scattered across multiple jurisdictions rather than coordinated within a single, systematic framework.
This fragmentation of Western responses raises a fundamental question: as long as sanctions remain scattered across different countries, Unit 29155 will continue to operate with limited personal legal risk for its members, who are protected by Russian territory, where they remain beyond the reach of Western arrest warrants.
Indictments in the United States, New Zealand sanctions, targeted European measures: all of these are useful, but scattered. Without closer international coordination, these GRU officers will continue to operate with impunity from behind their borders.
The Broader Context of Russia's Hybrid War
A war that is never confined to the battlefield
Russia’s war against Ukraine is not limited to the front lines in the Donbas. It includes an ongoing digital component, an energy component, an information component, and now a maritime component, with the controversial use of its oil tanker fleet for surveillance operations in Europe. Unit 29155 is part of this multi-domain hybrid warfare approach that has characterized the Kremlin’s strategy for several years.
This multidimensional approach significantly complicates the task facing Ukraine’s Western allies, who must simultaneously defend physical, digital, and informational infrastructure against an adversary capable of striking on multiple fronts at once, often without making any official claims.
Why This Directly Concerns the West
Unit 29155’s targets are not limited to Ukraine. Western investigations have documented similar operations in Europe and North America, meaning that this unit poses a transnational threat, not merely a bilateral Russian-Ukrainian issue.
It is this transnational dimension that, according to several Western analysts, justifies a coordinated response between Ukraine and its allies, rather than an isolated defense limited to Ukrainian territory.
I have been repeating this for months in my writings: what is striking Kyiv today is testing the defenses that Moscow will deploy elsewhere tomorrow. Treating this unit as a strictly Ukrainian problem would be a strategic mistake on the part of the West.
Ukraine's Response: A Balance Between Training and Technical Vigilance
An Unprecedented Training Initiative for the Media
The cyber resilience program launched by Ukraine’s National Council on Television and Radio Broadcasting reflects a growing institutional awareness: cybersecurity is no longer just a matter for intelligence agencies; it must become a core competency for newsrooms themselves. Twenty regional locations, twenty-one oblasts covered, and approximately 450 participants trained by 2026: these figures demonstrate a commitment to making cyberdefense practices accessible beyond specialized circles.
This decentralized approach addresses a simple reality: a poorly protected regional newsroom can become the weak link through which a broader attack infiltrates the national media ecosystem.
The Structural Limitations of This Defense
Despite these efforts, the Ukrainian authorities themselves acknowledge that the threat is evolving faster than some defenses. Brigadier General Karastelov did not claim that the threat was under complete control; rather, he confirmed its persistence and its precise targeting of the Ukrainian state’s most sensitive sectors.
This institutional honesty deserves to be highlighted: publicly acknowledging the scale of a threat, rather than downplaying it, is a necessary condition for mobilizing the resources and alliances required for an effective defense over the long term.
I respect this Ukrainian transparency. Acknowledging that one is being targeted, rather than hiding it out of national pride, is a rare institutional maturity in times of war, and it is exactly what Ukraine needs to rally its allies.
What the Premeditation Behind WhisperGate Reveals
An operation planned even before the invasion
We need to revisit the timeline of WhisperGate, the malware deployed on January 13, 2022, against more than seventy Ukrainian government systems—roughly six weeks before the full-scale invasion on February 24. This timing is not trivial: it demonstrates that the digital preparations for this war preceded its conventional military dimension.
Western analysts who studied this malware noted that it was designed to resemble a classic ransomware attack, while in reality being a tool of pure destruction, with no actual intention of restoring data in exchange for payment. This deliberate obfuscation was intended to obscure attribution and slow down the Ukrainian response in the critical days leading up to the invasion.
A Strategic Lesson for the Rest of the Conflict
This digital premeditation, documented in 2022, must remain at the forefront of our minds today, as the same actors continue their campaigns against the Ukrainian presidential office and media. The pattern repeats itself: preparing the digital landscape before, during, and potentially ahead of any new military escalation.
Understanding this logic allows Western allies to anticipate—rather than merely react to—the next waves of Russian cyberattacks against Ukraine or against themselves.
To me, WhisperGate remains the most chilling evidence of Russian premeditation. You don’t accidentally disguise a destructive tool as ransomware. It was calculated, tested, and ready for use weeks before the first tanks rolled in.
The Financial Impact of Russian Cyberattacks
Financial institutions: a target alongside government ministries
Brigadier General Karastelov clarified that Ukrainian financial institutions are also among the priority targets of these Russian campaigns, alongside government agencies and the media. A successful attack on the banking system of a country at war could have far-reaching consequences beyond a mere disruption of service: it would directly affect the state’s ability to fund its defense efforts and maintain public confidence in its institutions.
This financial dimension of Russia’s hybrid warfare remains less well documented publicly than attacks on the media or the government, in part because financial institutions generally communicate more cautiously about security incidents they experience, for fear of eroding depositors’ confidence.
An Underestimated Systemic Risk
This relative silence does not mean there is no risk. On the contrary, several Western cybersecurity experts believe that critical financial infrastructure remains among the most dangerous targets in the event of a successful major attack, precisely because its effects spread rapidly throughout the entire economy of a country at war.
This is a front that Ukraine and its allies must continue to monitor with just as much vigilance as more visible targets such as the media or the presidential office.
What the silence of Ukrainian banks regarding these attacks does not reveal sometimes worries me more than what public reports do reveal. The financial sector is a blind spot in this digital war that deserves more public attention.
The Ambiguous Role of General Andrei Averianov
A commander already mentioned in several Western reports
General Andrei Averianov’s name appears repeatedly in Western investigations into Unit 29155. According to several European intelligence agencies, he is said to have overseen a series of foreign operations ranging from physical sabotage in Central Europe to more recent cyberattack campaigns against Ukraine. His tenure at the helm of this unit for several years illustrates a continuity of command that is rare for this type of covert unit.
This continuity is significant. It means that the methods, networks, and operational contacts developed during previous operations in the Czech Republic, Bulgaria, or the United Kingdom could be directly repurposed for the digital campaign waged against Kyiv since 2022.
A chain of command that protects its officers
Despite U.S. indictments and European sanctions, no Western source has confirmed any direct personal sanctions against General Averianov himself to date, underscoring the practical limitations of international judicial mechanisms when dealing with officers protected by their own state.
For many Western analysts, this relative impunity constitutes one of the most serious obstacles to effective deterrence against this type of specialized military unit.
As long as a general like Averianov can oversee these operations without ever fearing direct personal consequences, Western deterrence will remain largely theoretical. Sanctioning junior officers is not enough if the top of the chain of command remains untouchable.
Why This Unit Embodies the Russian View of Ukrainian Sovereignty
A systemic disregard for democratic institutions
Dedicating an entire military unit—with an identified command structure and a documented history of operations in Europe—to hacking the office of a democratically elected president amounts to effectively denying the very legitimacy of that election and of that nation’s sovereignty. It is no coincidence that Volodymyr Zelenskyy’s office is explicitly listed among the confirmed targets of these campaigns.
This logic is part of a broader narrative from the Kremlin, which for years has publicly contested the legitimacy of the Ukrainian state as a political entity distinct from Russia. Cyberattacks thus become an extension of this ideological challenge through technical means.
A Disturbing Precedent for Other Democracies
What is happening to the Ukrainian presidential office today could foreshadow what other Western democracies might face tomorrow, should hostile actors decide to employ similar methods against their own elected institutions.
It is precisely for this reason that cooperation between Ukrainian agencies and their Western counterparts—already documented by the joint cybersecurity advisories published since 2024—must continue to deepen rather than wane.
Hacking the presidential office, challenging Ukraine’s legitimacy, and showing contempt for the popular vote—all of this tells the same story. Moscow does not view Kyiv as a sovereign partner, but as a recalcitrant province to be brought back under control by any means necessary, including digital ones.
The Limits of What We Can Say Today
What the Sources Confirm and What They Do Not Confirm
It is important to distinguish between what has been publicly confirmed—the existence of Unit 29155, its role in WhisperGate, the 2024 U.S. indictments, and Brigadier General Karastelov’s statements regarding priority targets—and what remains, at this stage, undisclosed to the public: the exact content of the most recent spear-phishing emails, or the precise extent of any potential penetration of the targeted systems in 2026.
This caution does not weaken the overall assessment. On the contrary, it makes it stronger: what we know for certain is already sufficient to establish the reality of a structured and persistent Russian campaign against Ukrainian institutions.
Vigilance must remain evidence-based, never speculative
When dealing with this type of case, there is a strong temptation to extrapolate beyond the confirmed facts. This article has chosen to stick to official statements and verifiable investigations, rather than adding unverifiable details that would undermine the credibility of the overall assessment.
It is this rigor that ultimately allows us to clearly pinpoint Russian responsibility without ever crossing the line into unfounded speculation.
I prefer a more modest but fully verifiable assessment to a sensational but flimsy accusation. In this case, as in all others, credibility is earned through rigor, never through exaggeration.
What This Means for the Coming Months
A threat that will not go away on its own
Nothing in Unit 29155’s track record suggests that it will scale back its activities against Ukraine as long as the war continues. On the contrary, the persistence of its methods since 2022—despite Western indictments and sanctions—shows that these legal and diplomatic measures have not yet reached a level sufficient to effectively deter this type of operation.
The coming months are likely to see these types of campaigns continue, if not intensify, particularly around politically sensitive moments for Ukraine, when the disruption of government or media communications would offer the Kremlin an additional tactical advantage.
What the West Should Learn from This
The most important lesson from this case is not limited to Ukraine. It concerns all Western democracies facing state actors willing to deploy entire military units to undermine elected democratic institutions, using methods that largely fall outside the traditional legal categories of warfare.
Strengthening international coordination on this issue—beyond the current scattered sanctions—seems to be the only response commensurate with the persistence this unit has demonstrated for several years now.
I do not believe in quick fixes for this issue. But I do believe that every coordinated sanction, every indictment, and every joint cybersecurity advisory makes the task a little more difficult for these GRU officers. The West’s patience must simply last longer than theirs.
What Washington and Brussels Could Still Do
Concrete options still on the table
Several Western analysts are calling for harmonized sanctions specifically targeting identified members of Unit 29155, rather than the current patchwork of U.S., European, and New Zealand measures applied separately. A common list, shared among Washington, Brussels, and their G7 partners, would strengthen the symbolic and practical impact of these sanctions.
Strengthening the sharing of technical intelligence between Ukrainian and Western agencies—a process already underway since 2024 through joint cybersecurity advisories—could also accelerate the early detection of new campaigns before they reach their final targets.
The Political Cost of Inaction
Doing nothing more also comes at a cost: every month without a coordinated response reinforces the perception within the Kremlin that these operations can continue without significant consequences for those behind them. This is a signal the West can no longer afford to send, as the war enters its fifth year.
This observation applies as much to cyberwarfare as to other dimensions of the conflict: historically, the West’s slow response has always benefited Moscow.
I’ll say it plainly: inaction comes at a price, and that price is paid in Ukraine’s trust in its allies. Every month of delay in mounting a coordinated response is another month handed to the GRU on a silver platter.
Conclusion: Simply identifying the threat is not enough; it must be contained.
An issue that goes beyond Ukraine alone
GRU Unit 29155 is not merely a technical curiosity reserved for cybersecurity experts. It is the instrument of a deliberate strategy aimed at weakening a sovereign state through digital means—before, during, and likely after any developments in the conflict on the ground. Its confirmed targeting of the Ukrainian presidential office, ministries, financial institutions, and media outlets paints a coherent picture: that of a hybrid war that knows no truce, even when the guns fall silent temporarily.
U.S. indictments, European and New Zealand sanctions, and Ukrainian efforts to build cyber resilience constitute real responses, but they remain insufficiently coordinated in the face of this persistent threat.
What to Watch for in the Coming Months
The true measure of the West’s seriousness on this issue will be seen in the ability—or inability—of Ukraine’s allies to harmonize their sanctions and cyber defense mechanisms against an adversary that has continued to operate with remarkable strategic continuity throughout more than four years of open warfare.
It is this Russian continuity—more than any one-off statement—that should guide the West’s vigilance in the coming months.
I conclude this commentary with a simple conviction: as long as the office of an elected president can be targeted without serious consequences for the perpetrators, the digital sovereignty of all democracies will remain fragile—not just that of Ukraine.
Signed, Maxime Marquette, columnist
Sources
Primary Sources
Ministry of Defense of Ukraine — Security Context and Cyberdefense, July 2026
Euromaidan Press — Ukrainian Media, the Number One Target of Russian Cyberattacks, July 1, 2026
Army Inform — Ukrainian defense and cybersecurity news, July 2026
Secondary sources
Foreign Policy — Analysis of Russia’s Hybrid Warfare
The Guardian International — coverage of Russian cyberattacks against Ukraine
Axios — Geopolitical Context of the Russian-Ukrainian Cyberwar
This content was created with the help of AI.