The Dec. 24 Operation
U.S. Cyber Command operators launched a defensive cyber operation inside Russian network infrastructure on Dec. 24 to disable servers used by GRU Unit 74455 to stage phishing campaigns against U.S. energy utilities, according to two operators at U.S. Cyber Command familiar with the operation. The mission, internally designated "Turbine," began at approximately 11:30 p.m. Eastern Time and lasted five hours, the operators said. It targeted a cluster of virtual servers hosted in Saint Petersburg that had been observed communicating with compromised routers inside American power sector networks since early November.
The operation was authorized under a classified execute order issued by the Secretary of Defense on Dec. 22, known internally as OPORD 25-084, the operators said. A former NSA targeting officer who was briefed on the results said the servers were linked to the same GRU unit that U.S. and British officials have blamed for attacks on Ukraine's power grid and for the 2024 intrusions at two unclassified water treatment systems in Texas and Pennsylvania. The former officer said operators did not permanently destroy hardware but instead loaded firmware that caused the machines to wipe their own configurations and reboot into an inoperable state.
The Target and the Threat
The Saint Petersburg cluster served as a command and control node for a custom phishing toolkit that operators tracked under the identifier "FLAMING SWORD," the former NSA targeting officer said. Since August, NSA analysts had mapped roughly 150 outbound connections from the cluster to U.S. internet service providers, with activity intensifying between Nov. 15 and Dec. 20. The operators said the campaign targeted at least fourteen electric and gas utilities, though none of the attempted intrusions succeeded in reaching industrial control systems.
The Federal Bureau of Investigation issued a classified alert to energy sector partners on Dec. 19 warning that GRU Unit 74455 was preparing a new wave of credential harvesting against utilities in the Midwest and Southeast, according to a congressional staffer on the Armed Services Committee who was briefed on the alert. The staffer said the alert did not identify the Saint Petersburg cluster by name, but operators concluded that disabling the node would disrupt the unit's ability to update its malware and exfiltrate data.
Targeting Infrastructure, Not People
The mission marks one of the first publicly known instances of U.S. Cyber Command conducting a preemptive disruption operation against Russian military intelligence infrastructure located inside Russia during peacetime, the former NSA targeting officer said. The operators emphasized that the action focused on servers and routers, not personal devices or civilian networks unrelated to GRU activity. The objective was to make the staging ground unusable for the next six to eight weeks, one operator said, while the second operator added that the team was not targeting individuals.
The operation employed a tool developed by Cyber Command's Cyber National Mission Force that had previously been used only in exercises and during a 2023 operation against an Iranian Revolutionary Guard Corps node, according to the second operator. The former officer said the firmware overwrite erased routing tables and deleted virtual machine snapshots, forcing Russian technicians to rebuild the environment from bare metal. Analysts detected no immediate effort to migrate operations to a secondary cluster on Dec. 25, though a backup location near Moscow had been identified in October.
Planning Inside Fort Meade
Planning for the operation began after Cyber Command received a National Security Agency assessment on Nov. 28 that identified the Saint Petersburg cluster as the primary control point for the utility phishing campaign, the former NSA targeting officer said. Operators at Fort Meade rehearsed the mission twice in a classified cyber range between Dec. 10 and Dec. 17, the two operators said. A liaison officer from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency attended the final rehearsal, according to one of the operators.
The OPORD 25-084 execute order required operators to avoid Russian military networks and civilian internet exchange points in Saint Petersburg, the operators said. The former officer said the rules of engagement were drafted specifically for this mission and were narrower than those used during previous operations in the Middle East. Legal review at the Pentagon was completed on Dec. 20, the operators said.
Reorganization and Aftermath
The operation comes as Cyber Command prepares to split its Cyber National Mission Force into three separate task forces on Jan. 6, a reorganization first outlined in a planning order circulated on Dec. 16, the operators said. A congressional staffer on the Armed Services Committee said the staff had been briefed on the reorganization on Dec. 19 and that lawmakers expect a formal notification to Congress during the week of Jan. 5. The staffer said the change is intended to give Cyber Command more flexibility to conduct hunt forward missions in Europe and the Middle East.
As of Dec. 26, the National Security Council had not issued a public statement about the operation, and the White House press office did not respond to questions. A Pentagon spokesperson declined to confirm or deny specific cyber operations. The former NSA targeting officer said the Russian networks remained dark as of midmorning on Dec. 26 and that analysts were watching for attempts to rebuild the cluster at the backup location near Moscow. Sources said Cyber Command leadership is scheduled to brief the Senate Armed Services Committee on Jan. 8.
