The US Department of Justice has named five Russian computer hackers as members of Unit 29155 – i.e., the 161st Specialist Training Center of the Russian General Staff Main Intelligence Directorate (GRU) – which it deems responsible for the 2022 WhisperGate wiper malware attacks on Ukrainian government organizations and critical infrastructure, and for subsequent computer network operations against NATO member and ally countries.
“Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine,” states a security advisory published by the US Cybersecurity and Infrastructure Security Agency, compiled with the help of cybersecurity and government agencies of nine ally countries.
“The activity includes cyber campaigns such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release exfiltrated victim data obtained from their compromises.”
The group’s targets
Unit 29155 is separate from GRU-related Unit 26165 (Fancy Bear) and Unit 74455 (Sandworm).
According to the agencies, the Unit 29155 cyber actors (aka Cadet Blizzard, aka Ember Bear) are “junior active-duty GRU officers under the direction of experienced Unit 29155 leadership”, but they are also aided by known (Russian) cyber-criminals.
Case in point: along with the five GRU hackers, the US DOJ has also indicted a civilian that allegedly aided their disruptive and destructive efforts.
Along with the unsealed indictment, the US Department of State is offering a reward of up to $10 million for information on the defendants’ locations or their malicious cyber activity.
Aside from targeting government agencies, the group has also focused on attacking the financial services, transportation, energy, and healthcare sectors of NATO members and of EU, Central American, and Asian countries.
“Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020,” the advisory says. “FBI, NSA, and CISA assess Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe.”
How does Unit 29155 perpetrate attacks?
The group uses a wide variety of publicly available tools for:
- External and internal reconnaissance (Shodan, WPScan, VirusTotal, Netcat, Nmap, MASSCAN, etc.)
- Active Directory (AD) enumeration (Impacket, ldapdomaindump, BloodHound)
- Vulnerability scanning (Acunetix, Amass, Droopescan, eScan, and JoomScan)
They use CVE exploit scripts from GitHub repositories to target vulnerable IoT and networking devices, computers, and web servers, and they use virtual private servers to host their tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data.
“Rather than build custom solutions, Unit 29155 cyber actors use common red teaming techniques and publicly available tools to conduct cyber operations. As a result, many TTPs overlap with those of other cyber actors, which can lead to misattribution,” the advisory noted.
“Unit 29155 actors and their cyber-criminal affiliates commonly maintain accounts on dark web forums; this has provided the opportunity to obtain various hacker tools such as malware and malware loaders like Raspberry Robin and SaintBot. While Unit 29155 cyber actors are best known for their use of WhisperGate malware against Ukraine, the use of WhisperGate is not unique to the group.”
The advisory concludes by outlining MITRE ATT&CK techniques to use for testing existing security controls and offering advice for mitigating the danger of Unit 29155 attacks.