National Cyber and Information Security Agency

NÚKIB and Czech intelligence services, together with the NSA and FBI, warn of a Russian cyber campaign targeting entities supporting Ukraine

The National Cyber and Information Security Agency (NÚKIB), together with the Security Information Service and Military Intelligence of the Czech Republic, has joined partners from the United States, the United Kingdom, Germany, Poland, Australia, Canada, Denmark, Estonia, France, and Netherlands in issuing the advisory about a long-term cyber campaign conducted by Russia-backed actors. These attacks are primarily targeting logistics and technology companies involved in foreign aid to Ukraine.

The campaign is being conducted by a unit of Russian military intelligence known as GRU No. 26165 (also referred to as Fancy Bear and Forrest Blizzard, among other names). This group has been carrying out espionage operations for over two years against entities in the defence and transportation sectors, including air, maritime, and rail transport. They also target government institutions and commercial companies in NATO member states, Ukraine, and neighbouring countries.

The attackers use well-known tactics such as password spraying, targeted phishing emails, changes to mailbox settings in Microsoft Exchange environments, and exploitation of software vulnerabilities, including Outlook (NTLM) and WinRAR. These methods allow them to gain access to systems, where they then install malware to maintain persistence and steal data.

Unit 26165 also actively monitored the transport of aid to Ukraine by accessing IP cameras located at border crossings, railway hubs, and other strategic points. As part of the observed campaign, they primarily targeted IP cameras using the RTSP protocol, employing publicly known default login credentials or brute-force techniques to gain access. The collected data included static images and metadata from the cameras.

An analysis of more than 10,000 targeted cameras revealed that the majority (81%) were located in Ukraine. Others were found in Romania, Poland, Hungary, and Slovakia.

GRU actors also focused on individuals responsible for coordinating transportation and companies cooperating with the targeted organizations. They exploited trusted business relationships to further infiltrate target networks. They also identified entities involved in the production of components for industrial control systems (ICS), which are used, for example, in railway transport.

The report warns that these activities are likely to continue. Technology and logistics companies, as well as organizations in the transportation sector, should therefore strengthen monitoring, actively hunt for signs of compromise (threat hunting), and implement appropriate protective measures against these sophisticated threats. Indicators of compromise, along with the attackers’ tactics and techniques, can be found in the full version of the document here.

Director of the NÚKIB Lukáš Kintr discussed continued cooperation on cybersecurity with President Trump's administration in the U.S.

Lukáš Kintr, Director of the National Cyber and Information Security Agency (NÚKIB), and Roman Pačka, Director of the Cabinet, recently completed a working visit to the United States, where they held talks on cybersecurity cooperation with representatives of the new American administration.

The NÚKIB delegation held a series of meetings with representatives of U.S. security institutions, including the White House National Security Council and the House Select Committee on Strategic Competition between the U.S. and China. The delegation then travelled to San Francisco, where, starting Monday, April 28, they participated in the world’s leading cybersecurity event, the RSA Conference, and spoke at the International Cyber Security Forum alongside top U.S. administration officials and other international partners.

During the meetings in Washington, the U.S. side praised the Czech Republic’s long-standing and proactive approach to cybersecurity. The discussions also reaffirmed the importance of ongoing cooperation, which has been developing since President Trump’s first administration and has led, among other things, to the adoption of the so-called Prague Proposals on the security of 5G infrastructure.

‘Meetings with our American counterparts confirmed the exceptional nature of our relations and the mutual interest in continuing the intensive cooperation that NÚKIB has been successfully building with the U.S. for several years. I believe that our mutual collaboration in the field of cybersecurity — including timely information sharing and joint responses to cyberattacks — will remain one of the key pillars of Czech-American relations in the years to come,’ said NÚKIB Director Lukáš Kintr.

Key topics of discussion included, in particular, threats posed by state-sponsored actors targeting critical infrastructure — including the Volt Typhoon and Salt Typhoon campaigns — the use of trusted and secure technologies, and the impact of rapidly evolving artificial intelligence on cybersecurity. The discussions also covered issues related to the cyber protection of energy infrastructure and the cybersecurity of connected vehicles. In all cases, these are crucial topics that resonate on both sides of the Atlantic.

‘We continue to share a common understanding with the United States regarding cyber threats and the need to counter malicious activities not only from China and Russia. The U.S. remains a key strategic partner for us, and we aim to further deepen our cooperation in the future — particularly in areas such as post-quantum cryptography and security and cooperation in the Indo-Pacific region,’ said Cabinet Director Roman Pačka.

The discussions also addressed the strengthening of cyber capabilities and preparedness for major cyber incidents. In this regard, the Czech Republic plays a very active role within the North Atlantic Alliance (NATO). Since 2020, NÚKIB has had a Cyber Attaché stationed directly at NATO headquarters in Brussels, and in early April, NÚKIB organized a cyber exercise focused on the so-called Virtual Cyber Incident Support Capability (VCISC), which also included participation from U.S. representatives. In addition, the Czech Republic will host the fourth NATO Cyber Champions Summit in 2026.

‘The NÚKIB delegation was one of the first high-level European delegations focused on cybersecurity to be received by the new U.S. administration in Washington this year. The several days of meetings brought, among other things, a series of new and concrete impulses for the further development of our cooperation, which we will jointly pursue in the coming months,’ said Berta Jarošová, NÚKIB Cyber Attachée at the Embassy in Washington, who coordinated the visit program in the U.S.

National Cyber and Information Security Agency Organized Exercise for NATO Allies

From April 7 to 11, 2025, the National Cyber and Information Security Agency of the Czech Republic (NÚKIB) organized an exercise focused on Virtual Cyber Incident Support Capability (VCISC). It aimed at exercising the readiness of the Allies to provide mutual support through the VCISC mechanism in case of serious cyber incidents.

VCISC is a mechanism that enables NATO Allies facing significant malicious cyber activity to request remote assistance from other Allies. This mechanism was approved at the Vilnius Summit in 2023 and has since been available to the Alliance. VCISC is also a key tool in strengthening NATO’s collective defense in cyberspace.

The exercise aimed to enhance the Alliance’s preparedness to provide mutual support in cyberspace. Experts from Slovenia and the Netherlands, in addition to the Czech Republic, contributed to the scenario design, and 20 nations joined in total. The exercise simulated a situation in which several NATO Allies tackled significant incidents in its critical national infrastructure and requested assistance through the VCISC.

The exercise provided an opportunity for Allies to verify their national processes for the VCISC mechanism and the overall capability of NATO to cooperate in the event of multiple large-scale incidents. It demonstrated the will and readiness of the Allies to face significant malicious cyber activity and provide support to each other in a time of need.

The Sixth Edition of the International Prague Cyber Security Conference 2025 took place in the Czech capital

On March 18–19, 2025, the sixth edition of the international Prague Cyber Security Conference (PCSC) took place in Prague. The event was organized by the National Cyber and Information Security Agency (NÚKIB) in cooperation with the Ministry of Foreign Affairs of the Czech Republic. The conference bore the subtitle "Invisible Frontlines". Participants, including experts, government officials, and representatives of the private sector, gathered at the Czech National Bank’s Congress Center from 46 countries worldwide.

This year’s subtitle refers to the idea that "cyberspace is not only an environment for everyday life but also the first battleground where conflicts arise between state and non-state actors. Cyber conflicts often begin invisibly, but their impacts become more than real – ranging from disruptions of critical infrastructure to economic coercion by authoritarian states and attempts to destabilize our democratic society," explained NÚKIB Director Lukáš Kintr. The importance of cooperation and resilience in cyberspace was also emphasized by Minister of Foreign Affairs Jan Lipavský in his closing remarks: "Cyberattacks happen long before tanks roll and missiles strike. That’s why improving resilience is crucial. It’s not just a technical issue – it’s a matter of national security, economic stability, and the survival of democracy."

Experts discussed evolving strategies on the invisible frontlines of cybersecurity warfare – through cooperation between governments, law enforcement, and private entities. Discussions also covered responses to cyberattacks from China, Russia, and Iran, as well as hidden cyber tactics and so-called shadow operations carried out by China in Western countries.

During a meeting between representatives of Ukraine and its allies, key cybersecurity lessons learned from the ongoing conflict in Ukraine were shared. Ukraine has strengthened its cyber resilience in response to constant threats, and participants discussed how non-directly involved states, affected by the cyber consequences of the conflict, are adapting their security strategies.

The conference also focused on the energy sector, as energy infrastructure is increasingly targeted by state-sponsored cybercriminal groups. Panel discussions addressed specific policies and regulations related to energy security, including the new EU Network Code for Cybersecurity in the Electricity Sector, the G7 Framework for Cybersecurity of Operational Technologies in Energy Systems, and the U.S. Department of Energy’s supply chain cybersecurity principles. Cyber threats also extend to the telecommunications sector, endangering global communication networks. On these "invisible frontlines", cybersecurity professionals face the challenge of securing complex infrastructure against increasingly sophisticated and persistent attacks. Participants explored strategies for risk identification and mitigation, supply chain security, and strengthening cyber resilience in telecommunications systems. Other topics included the role of artificial intelligence in cybersecurity and defence, satellite systems and the growing reliance on satellite networks for military, financial, and civil operations, and connected vehicles, which significantly impact everyday life.

Parallel to the main conference program, bilateral meetings between NÚKIB representatives and international partners took place. Strengthening international cooperation was one of the key goals of the event. "Cybersecurity is a global challenge that demands global solutions. The active participation of Indo-Pacific partners at the Prague Cyber Security Conference underscores the essential role of regional cooperation in shaping resilient and forward-thinking cybersecurity policies. It was an honour to have Lt. Gen. Michelle McGuinness open the conference. A testament to the strength of our partnership and the mutual commitment to cybersecurity. This collaboration is not one-sided; it was reaffirmed a year and a half ago when we established the position of Cyber Attaché for the region, recognizing the strategic importance of sustained engagement," concluded Veronika Kolek Netolická, the Czech Republic’s Cyber Attaché for the Indo-Pacific.

For the second time in its history, the conference was open to the private sector, recognizing the growing importance of public-private cooperation in cybersecurity. Key partners of this year’s edition included Amazon Web Services (AWS), MSD, APPSEC, CISCO, Mastercard, ICZ, Whalebone, and CETIN. The Prague Cyber Security Conference 2025 once again provided a vital platform for strategic discussions and deepening cooperation between states and the private sector.

The conference was first held under the name Prague 5G Security Conference in 2019.