The US, UK and seven other governments have accused the Russian military of launching cyber-attacks targeting critical infrastructure for espionage and sabotage purposes.
The joint advisory, published on September 5, highlighted the cyber activities of Unit 29155, which the agencies assess to be affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Unit 29155 is believed to be responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020.
This includes deploying the destructive WhisperGate wiper malware against Ukraine government and critical sector organizations in the lead up to Russia’s invasion of Ukraine in February 2022.
Unit 29155 cyber actors have also heavily targeted North Atlantic Treaty Organization (NATO) members in Europe and North America, as well as other nations in Europe, Latin America and Central Asia. They focus on critical infrastructure sectors in target countries, including government services, transport, energy and healthcare.
This is the first time Unit 29155 has been associated with malicious cyber campaigns. The unit’s cyber actors are separate from other known and more established GRU-affiliated cyber groups.
Paul Chichester, Director of Operations at the UK’s National Cyber Security Centre (NCSC), commented: “The exposure of Unit 29155 as a capable cyber actor illustrates the importance that Russian military intelligence places on using cyberspace to pursue its illegal war in Ukraine and other state priorities.
“The UK, alongside our partners, is committed to calling out Russian malicious cyber activity and will continue to do so.”
Alongside the UK and US, cybersecurity agencies from the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada, Australia and Ukraine are signatories to the advisory.
Unit 29155’s Expansion to Cyber Campaigns
Unit 29155 has been responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe for a number of years, according to the agencies.
Since at least 2020, the unit has expanded its tradecraft to include offensive cyber operations, where it aims to steal data for espionage purposes, cause reputational harm to organizations and governments through the leakage of sensitive information and undertake “systematic sabotage” caused by the destruction of data.
The cyber actors in the unit are believed to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions.
It also uses non-GRU actors, including known cybercriminals, to help conduct operations.
Military Unit’s Cyber Tactics
The advisory found that Unit 29155 cyber actors use a range of tactics to conduct operations. These include website defacements, infrastructure scanning, data exfiltration and data leak operations. The actors frequently sell or publicly release exfiltrated data.
They have been observed using publicly available tools for scanning and vulnerability exploit efforts. These include Acunetix and Nmap to identify open ports, services, and vulnerabilities for networks, and mass and VirusTotal to obtain subdomains for target websites.
The unit uses common red teaming techniques and publicly available tools to conduct cyber operations rather than building its own custom solutions. This means many of its tactics, techniques and procedures (TTPs) overlap with other cyber actors, which can lead to misattribution.
Unit 29155 cyber actors also commonly maintain accounts on dark web forums, providing opportunities to obtain various hacker tools such as malware and malware loaders.
How to Protect Against Unit 29155 Attacks
The agencies set out a range of recommendations to critical infrastructure organizations to protect against the observed tactics of Unit 29155 cyber actors. These include:
- Prioritize patching to CISA’s Known Exploited Vulnerabilities Catalog
- Conduct regular automated vulnerability scans
- Limit exploitable services on internet-facing assets, such as email and remote management protocols
- Utilize free government cybersecurity services, such as US Cybersecurity and Infrastructure Security Agency (CISA) Cyber Hygiene services
- Implement network segmentation
- Verify and ensure that sensitive data, including credentials, are not stored in plaintext and can only be accessed by authenticated and authorized users
- Disable and/or restrict use of command line and PowerShell activity
Six Russian’s Charged with Unit 29155 Attacks on Ukraine
On the same day as the advisory, a US Court charged six Russians for cyber-attacks on Ukraine as part of Unit 29155. Five of the defendants were officers in Unit 29155 of the GRU, with the sixth individual a civilian already under indictment for conspiracy to commit computer intrusion.
The individuals are accused of involvement in the WhisperGate malware attacks on Ukrainian critical infrastructure on the eve of Russia’s invasion, as well as targeting computer systems in countries around the world that were providing support to Ukraine.
The US Department of State’s Rewards for Justice program is offering a reward of up to $10m for information on any of the defendants’ locations or their malicious cyberactivity.
This story was updated on September 6, 2024