GRU Unit 29155: A Growing Threat to Global Security
The United States and its allies have issued a joint advisory linking a group of Russian military hackers, known as Cadet Blizzard and Ember Bear, to Unit 29155 of Russia’s Main Directorate of the General Staff of the Armed Forces (GRU). This unit, previously known for its involvement in sabotage and assassination attempts, has expanded its operations to include sophisticated cyberattacks targeting critical infrastructure sectors across the globe.
The advisory, published on September 5, 2024, paints a disturbing picture of GRU Unit 29155’s evolving capabilities. The group, described in the advisory as “junior active-duty GRU officers” attached to the GRU’s 161st Specialist Training Center, has been orchestrating cyberattacks since at least 2020, targeting NATO members and countries across North America, Europe, Latin America, and Central Asia. Since early 2022, its focus has shifted to disrupting efforts to provide aid to Ukraine.
A History of Malicious Activity: From WhisperGate to Havana Syndrome
GRU Unit 29155 has a history of malicious activity, dating back to the deployment of WhisperGate data-wiping malware in Ukraine in January 2022. A joint investigation published by The Insider in April, in collaboration with 60 Minutes and Der Spiegel, also linked the unit to Havana Syndrome incidents, which involved unexplained health issues experienced by US diplomats and intelligence officers.
The advisory highlights the unit’s growing cyber capabilities: “Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020. Unit 29155 cyber actors’ objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data.”
Targeting Critical Infrastructure: A Global Threat
The FBI has detected over 14,000 instances of domain scanning targeting at least 26 NATO members and several European Union (EU) nations. Hackers associated with Russia’s Unit 29155 have defaced websites and used public domains to leak stolen data.
The U.S. State Department has announced a reward of up to $10 million for information on five Russian military intelligence officers believed to be part of GRU’s Unit 29155: Vladislav Borovkov, Denis Igorevich Denisenko, Yuriy Denisov, Dmitry Yuryevich Goloshubov, and Nikolay Aleksandrovich Korchagin. These officers, along with the civilian Amin Timovich (indicted in June for the WhisperGate attack), were also charged with involvement in cyberattacks that targeted Ukraine before Russia’s February 2022 invasion, as well as 26 NATO members.
The Need for Proactive Defense
Critical infrastructure organizations are urged to take immediate action to defend against these GRU-linked cyberattacks. This includes:
- Prioritizing system updates and patching known vulnerabilities: Keeping software current and closing known vulnerabilities promptly denies attackers the weaknesses they most commonly exploit.
- Implementing network segmentation: Segmenting networks helps contain malicious activity, limiting how far a successful intrusion can spread.
- Implementing phishing-resistant multifactor authentication (MFA) for all external services: MFA adds an extra layer of security, making it far harder for attackers to gain unauthorized access with stolen credentials alone.
The Wider Implications: Disinformation and Election Interference
Beyond attacks on critical infrastructure, the United States has also announced a crackdown on Russian disinformation campaigns targeting the 2024 election. The US government seized 32 web domains used by the Doppelgänger Russian-linked influence operation network to push disinformation and propaganda targeting the American public.
Conclusion: A Persistent Threat Requires Vigilance
The activities of GRU Unit 29155 underscore the persistent threat posed by state-sponsored cyberattacks. Organizations must remain vigilant, implementing robust cybersecurity measures and staying informed about evolving threats. The global community must also work together to counter these threats and protect critical infrastructure from malicious actors.