EU Imposes Sanctions on Russian Nationals Linked to 2020 Cyberattacks on Estonia

• The European Union revealed sanctions on three Russian hackers who are allegedly connected to the 2020 Estonian cyber intrusions.
• Reports say the individuals are suspected to be part of the infamous military Unit 29155 under the General Staff of the Armed Forces of the Russian Federation.
• Among them are two FBI-wanted names, with up to $10 million bounties offered for information regarding their whereabouts.

Three Russian nationals were sanctioned on Monday by the European Union (EU), which accused Nikolay Alexandrovich Korchagin, Vitaly Shevchenko, and Yuriy Fedorovich Denisov of perpetrating cyberattacks against Estonia in 2020. 

The individuals are reportedly officers of Unit 29155, a military unit under the General Staff of the Armed Forces of the Russian Federation (GRU), and two of them are also wanted by the FBI. 

Unit 29155, also known as the 161st Specialist Training Center, has been previously implicated in global cyber campaigns, including malware attacks, sabotage, and cyber espionage. 

The EU attributes the 2020 cyber intrusions targeting several Estonian government institutions—including the ministries of Economic Affairs and Communications, Social Affairs, and Foreign Affairs—to these three individuals. 

The attacks reportedly granted unauthorized access to classified information and sensitive data, resulting in the exfiltration of thousands of confidential documents. These documents included secret business information, health records, and critical state data.

Additionally, the EU warned that these activities posed a significant external threat to Estonia and other member states and strategic partners, such as Ukraine. According to the EU, the cyberattacks were strategically designed to exploit sensitive data for security threats. 

The exfiltrated information provided insight into Estonia’s cybersecurity policy, governmental cyber capabilities, and personal data. The Union asserts that the stolen information was intended to undermine Estonia’s security and tactical positioning.

“These individuals were responsible for intelligence activities targeting Estonia. Their actions involved infiltrating computer systems to extract sensitive data that could jeopardize the country’s security,” the EU report stated.

A September 2024 joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) and its international partners tied the group to numerous offensive activities, such as the infamous WhisperGate malware attack targeting Ukraine.

“Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe,” CISA revealed. “The Unit expanded their tradecraft to include offensive cyber operations from at least 2020.”

Agencies from the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K. have attributed Cadet Blizzard's operations to efforts originating from Unit 29155.

Korchagin and Denisov are among the five GRU officers charged by the U.S. for conspiracy in computer intrusions and wire fraud against Ukrainian and NATO-aligned targets.