Bulgarian investigative journalist Hristo Grozev announced that the Bulgarian journalist who worked for the Russian intelligence service GRU is Dilyana Gaytandzhieva.
The information is part of an investigation by Grozev, Roman Dobrokhotov, and Michael Weiss entitled “The Hidden Bear: GRU Hackers in Russia's Most Notorious Assassination Unit.”
Unit 29155 of the Russian GRU is best known for its long list of assassinations and sabotage operations, including the poisonings in Salisbury, England, the explosions at arms depots in the Czech Republic, and the attempted coup in Montenegro. But its activities in cyberspace remained in the shadows until now. After reviewing a wealth of hidden data, The Insider has revealed that the Kremlin's most notorious black ops unit also had a team of hackers, one that attempted to destabilize Ukraine in the months before Russia's full-scale invasion.
To members of Russia's most notorious black ops unit, they look like children. Even their photos on the FBI's wanted poster show a group of spies born around the time Vladimir Putin came to power in Russia. But back then, hacking was a pastime for young people.
In August 2024, the US Department of Justice indicted Vladislav Borovkov, Denis Denisov, Dmitry Goloshubov, Nikolai Korchagin, Amin Stigal, and Yuri Denisov for conducting “large-scale cyber operations to damage computer systems in Ukraine prior to the Russian invasion in 2022,” using malicious software to delete data from systems related to Ukraine's critical infrastructure, emergency services, and even its agricultural industry, and disguising their efforts, for plausible deniability, as “ransom” digital extortion. Their campaign is codenamed “WhisperGate.”
The hackers published the personal medical data, criminal records, and vehicle registrations of countless Ukrainians. They also probed computer networks “linked to twenty-six NATO member states in search of potential vulnerabilities,” and in October 2022 they gained unauthorized access to computers linked to Poland's transport sector, which is vital for the influx and outflow of millions of Ukrainians and for the transfer of important Western weapons systems to Kyiv.
More significant than the additional charges against this team of hackers is the organization they worked for: Unit 29155 of Russia's Main Intelligence Directorate, or GRU. Over the past decade and a half, this elite team of operatives has been responsible for the Novichok poisonings of former Russian spy Sergei Skripal and Bulgarian arms manufacturer Emilian Gebrev, the failed coup in Montenegro, and a series of explosions at weapons and ammunition depots in Bulgaria and the Czech Republic.
Unit 29155 is Russia's assassination and sabotage squad. But now, for the first time, its members have been implicated as state hackers. What's more, the US government has presented compelling evidence that Unit 29155 was involved in cyberattacks aimed at destabilizing Ukraine before Russian tanks and soldiers crossed the border. If true, this would mean that at least one powerful branch of Russian military intelligence knew about the war that other Russian special services were kept in the dark about. This hypothesis is consistent with previous findings by The Insider, which show that members of Unit 29155 were deployed in Ukraine several days before the full-scale invasion.
For a year, The Insider has been investigating the hackers of Unit 29155. Relying on numerous leaked emails, social media posts, phone call recordings, and, crucially, unprotected server logs, abandoned emails, and unused accounts on VK and Twitter, we are now able to reveal for the first time the origins, goals, and evolution of this obscure group of cyber operators. As with almost everything Unit 29155 does, the hackers are dedicated to pursuing Russia's military objectives in the information space linked to two physical battlefields: Ukraine and Syria.
And as with everything Russian intelligence agents do, they waged a hybrid war against the rest of the world, often without caring about the difference between friend and foe. They organized false flag hacking attacks aimed at creating hostility between Ukraine and its Western allies.
They hired an unemployed Bulgarian journalist to spread disinformation based on hacked and leaked data belonging to Russia-friendly governments about Western aid to Kyiv and Syrian rebels opposed to Assad. In the years leading up to the COVID-19 pandemic, they actively spread a series of false stories about the alleged activities of US-funded biolaboratories in Georgia, Ukraine, and a number of other countries on Russia's periphery.
Corrupt, adulterous, plagued by internal divisions and stunningly incompetent, often at odds with their masters in the Russian Ministry of Defense, these hackers were emblematic of the dysfunctional unit they served. Alongside their sometimes stunning successes, they also left a trail of embarrassing failures.
"Like other GRU hacking teams, Amin Stigal's team sought and relied on external actors to disseminate illegally obtained information. One of the assistants to Division 29155 is Dilyana Gaytandzhieva, a Bulgarian journalist who was once renowned for her fearless reporting on the doors. Chats reviewed by The Insider show that Stigal apparently first contacted Gaytandzhieva via Twitter, providing her with and encouraging her to publish a set of data on cargo airline traffic and inventory allegedly found at the Azerbaijani embassy in Sofia. The hacked data set allegedly shows that Silk Way Airlines, an Azerbaijani private cargo company, transported shipments of weapons ordered by the US using diplomatic flights," the investigation says. | BGNES