Unit 29155 [1] [2] [3] [4] [5] [6], a unit of the Russian General Staff Main Intelligence Directorate (GRU) [4], has been accused by multiple governments of launching cyber-attacks targeting critical infrastructure for espionage and sabotage purposes since 2020 [2].
Description
This group, also known as Cadet Blizzard [5], Ember Bear [5], and UAC-0056 [5], is responsible for physical sabotage, politically motivated murder [6], and offensive cyber operations [1] [4]. It conducted the WhisperGate wiper malware attack on Ukrainian organizations and has targeted government agencies, transportation [4] [5] [6], healthcare [3] [4] [5] [6], financial services [3] [4], energy [3] [4] [5], and NATO countries [4] [6].

Unit 29155 has been conducting malicious cyber activity for the past four years [3], primarily targeting victims for espionage [3], defacing websites [3], stealing and leaking sensitive information [3], and sabotaging day-to-day operations [3]. The group consists of junior GRU officers and non-GRU individuals [5], including cybercriminals [5] [6], and has expanded its operations into European countries [5], Latin America [2] [5], and Central Asia [2] [5]. The attackers rely on common red teaming techniques and publicly available tools [4], which makes attribution difficult [1].

The US has indicted members of Cadet Blizzard and offered a reward for their identification [6]. This is the first time Unit 29155 has been associated with malicious cyber campaigns separate from those of other known GRU-affiliated cyber groups [2]. The US Department of State is offering a reward of up to $10 million for information on the defendants' locations or their malicious cyber activity [4].

The group has also been involved in attempted coups [4], sabotage [1] [2] [3] [4] [5] [6], influence operations [1] [4], and assassination attempts throughout Europe [4]. To defend against these threats [1], the NSA and FBI recommend limiting vulnerabilities [1], conducting regular scans [1], and securing internet-facing assets [1]. Paul Chichester of the NCSC emphasized the importance of calling out Russian malicious cyber activity [2], with the UK and its partners committed to doing so [2].

Signatories to the advisory include cybersecurity agencies from the Netherlands [2], Czech Republic [2], Germany [2], Estonia [2], Latvia [2], Canada [2], Australia [2], and Ukraine [2] [5]. The advisory concludes by outlining the MITRE ATT&CK techniques the group uses, so that defenders can test their existing security controls against them, and by offering advice for mitigating the danger of Unit 29155 attacks [4].
Conclusion
The impact of Unit 29155's malicious cyber activity is significant, posing a threat to critical infrastructure and sensitive information. Mitigating these dangers requires a coordinated effort among international cybersecurity agencies and governments. Going forward, defenders will need increased vigilance and stronger security measures to protect against state-sponsored actors like Unit 29155.
References
[1] https://www.forbes.com/sites/daveywinder/2024/09/06/new-nsa-report-pins-russian-military-hackers-for-us-attacks-since-2020/
[2] https://www.infosecurity-magazine.com/news/us-allies-russian-military-cyber/
[3] https://www.computerweekly.com/news/366609814/NCSC-and-allies-call-out-Russias-Unit-29155-over-cyber-warfare
[4] https://www.helpnetsecurity.com/2024/09/06/unit-29155/
[5] https://socprime.com/blog/unit-29155-attacks-detection/
[6] https://www.wired.com/story/russia-gru-unit-29155-hacker-team/