Feature As Russian special forces push more overtly into online operations, network defenders should be on the hunt for digital intruders looking to carry out cyberattacks that end in physical destruction and harm.
“Unfortunately, if these actors are willing to carry out sabotage in the physical realm, they are likely willing to carry it out through cyber means,” John Hultquist, chief analyst at Mandiant Intelligence, told The Register.
Hultquist’s comments follow news on September 5, 2024, that Unit 29155 of Russia’s GRU military intelligence agency has been targeting Western critical infrastructure facilities, looking for open internet ports and vulnerabilities to exploit.
Days later, it emerged that US officials are concerned that the Kremlin may be plotting to “sabotage” submarine cables and other infrastructure via another secretive, dedicated military unit called the General Staff Main Directorate for Deep Sea Research (GUGI).
On Friday, the State Department accused Moscow of embedding a “unit with cyber operational capabilities” within the state-funded news agency RT since 2023.
“There are serious risks from multiple sources, and organizations should prioritize based on their geographic exposure,” Hultquist told us. “Fortunately, we have some insight into these threat actors and defenders should take a hard look at their controls and whether they are ready for the tactics these actors employ.”
To date, Unit 29155 specialists have been scanning web domains across at least 26 NATO members and other European Union countries more than 14,000 times, according to the FBI. In a joint cybersecurity advisory issued earlier this month, the FBI and partner agencies from nine countries detail the targeting of government and critical infrastructure organizations, and suggest mitigations to improve cybersecurity based on the malicious activity.
Western government agencies and private cybersecurity firms have previously linked other espionage and cyber crews to the GRU. This includes Fancy Bear, known for meddling in US elections and phishing in Microsoft email inboxes, and Sandworm, which broke into US and European water plant networks earlier this year.
But Unit 29155 is a whole different beast. This top-secret unit was linked to assassination attempts and attempted coups throughout Europe, and only became publicly known in 2019. Since at least 2020, Unit 29155 has also been involved in offensive cyber operations, according to Uncle Sam.
‘Harbinger of destructive hybrid attacks’
“This is a notable shift as the Russian military previously utilized cybercriminals as mercenaries,” Tom Kellermann, SVP of cyber strategy at Contrast Security, told The Register. “The Russians recognize that the Achilles’ heel of NATO nations is their dependence on cyberspace, and thus they are launching widespread destructive cyberattacks against Western critical infrastructures.”
The recent alerts from the Feds “should serve as a harbinger of destructive hybrid attacks this fall wherein kinetic impact will manifest,” Kellermann added. “Lives will be lost.”
Russia’s move to militarize cyberspace will increase as the realization grows that, kinetically, its military may not win the illegal war in Ukraine, Kellermann believes. This will also increase Putin’s motives for punishing Western governments for aiding his neighboring country.
“They want to punish the West, and specifically punish the critical infrastructures of the West for supporting Ukraine,” Kellermann said. “It’s concerning, because a lot of the zero-days that are created out there were typically created by the military or by intelligence services.”
Who loves zero-days? Military units
In a March report, Google’s Threat Analysis Group (TAG) and Mandiant division said they tracked 97 zero-day vulnerabilities found and exploited by miscreants in 2023. This is considerably more than the year prior, which had 62 such holes. In other words, a 56 percent increase in zero-day exploits, year-over-year.
Kellermann also pointed to a recent prisoner swap in which a former FSB colonel convicted of murder along with multiple Russian cybercriminals were returned to Moscow.
“I’m very concerned that [Russia] is really leaning into this hybrid warfare concept now,” he added. “As they’re reading the tea leaves, they’re realizing that they are going to have to create much more pain for the West for its support for Ukraine in the coming months.”
While the Feds naming and shaming the GRU officers coupled with the FBI’s cybersecurity alert are “incredibly important” – even though it’s unlikely the Russian nationals will end up behind bars – Cisco Talos head of outreach Nick Biasini told The Register that he expects more of the same from Moscow’s cyber forces.
Namely, more snooping on Western government agencies and other high-profile targets, while focusing destructive cyberattacks against Ukraine.
“Overtly destructive things inside of Ukraine is one thing, but doing overtly destructive and malicious things against targets that are outside of Ukraine, especially those that are tied to NATO, I don’t think would be super likely,” Biasini said.
“They definitely could attack undersea cables, or things that are easily deniable,” he added. But outside of hybrid attacks where Moscow could claim plausible deniability, Biasini said he doesn’t expect overt attacks against Western critical infrastructure in the upcoming months.
“WhisperGate and similar destructive attacks take a lot of time to develop, and I think that one of the big takeaways from this is that Russia is occupied with the war in Ukraine.”
But even with Putin’s physical targets being closer to home, Western orgs should take steps to prevent the ongoing espionage attempts from Russia that don’t show any signs of slowing. Biasini’s top two suggestions: Patch IT systems, and use multi-factor authentication (MFA).
“It seems silly to constantly be bringing those up, but these types of things really make a huge difference,” he said. ®