The United States and its allies have linked a group of Russian hackers (tracked as Cadet Blizzard and Ember Bear) behind global critical infrastructure attacks to Unit 29155 of Russia’s Main Directorate of the General Staff of the Armed Forces (also known as GRU).
In a joint advisory published today, the Russian GRU military intelligence hackers, known for deploying WhisperGate data-wiping malware in Ukraine in January 2022, are described as “junior active-duty GRU officers” part of GRU’s 161st Specialist Training Center and coordinated by experienced Unit 29155 leadership.
The group has been orchestrating sabotage and assassination attempts throughout Europe and cyberattacks against critical infrastructure sectors of NATO members and countries across North America, Europe, Latin America, and Central Asia since 2020, with a switch to disrupting efforts to provide aid to Ukraine since early 2022.
A joint investigation published by The Insider in April, in collaboration with 60 Minutes and Der Spiegel, also linked GRU’s Unit 29155 to Havana Syndrome incidents.
“Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020. Unit 29155 cyber actors’ objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data,” according to today’s joint advisory.
“These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations.”
The FBI says it detected over 14,000 instances of domain scanning targeting at least 26 NATO members and several European Union (EU) nations. Hackers associated with Russia’s Unit 29155 have defaced websites and used public domains to leak stolen data.
Today, the U.S. State Department also announced a reward of up to $10 million through its Rewards for Justice program for information on Vladislav Borovkov, Denis Igorevich Denisenko, Yuriy Denisov, Dmitry Yuryevich Goloshubov, and Nikolay Aleksandrovich Korchagin, five of the Russian military intelligence officers believed to be part of GRU’s Unit 29155.
”These individuals are members of Unit 29155 of the Russian General Staff Main Intelligence Directorate (GRU), which has conducted malicious cyber activity against U.S. critical infrastructure, particularly in the energy, government, and aerospace sectors,” the State Department said.
“These Unit 29155 GRU officers are responsible for targeting critical infrastructure in the Ukraine and dozens of allied Western countries.”
The five GRU officers and civilian Amin Timovich (indicted in June for the WhisperGate attack) were also charged today for their involvement in cyberattacks targeting Ukraine before Russia’s February 2022 invasion and 26 NATO members.
Critical infrastructure organizations are urged to take immediate action, including prioritizing system updates and patching known vulnerabilities to defend against these GRU-linked cyberattacks.
Additional recommendations include network segmentation to contain malicious activity and implementing phishing-resistant multifactor authentication (MFA) for all external services, particularly webmail, virtual private networks (VPNs), and accounts with access to critical systems.
In February 2022, after attacks against Ukraine using WhisperGate wiper malware, HermeticWiper malware, and ransomware decoys, CISA and the FBI warned that destructive malware cyberattacks could spread to targets in other countries.
On Wednesday, the United States also announced a crackdown on Russian disinformation before the 2024 election, seizing 32 web domains used by the Doppelgänger Russian-linked influence operation network to push disinformation and propaganda targeting the American public ahead of this year’s presidential election.