The revelation by the US Department of Justice naming five Russian computer hackers as members of Unit 29155 has shed light on their involvement in cyberattacks on Ukrainian government organizations and critical infrastructure. The group, also known as the 161st Specialist Training Center of the Russian General Staff Main Intelligence Directorate (GRU), has been accused of targeting NATO member and allied countries in addition to its operations against Ukraine.
The US Cybersecurity and Infrastructure Security Agency, along with cyber experts from nine allied countries, has been monitoring the activities of Unit 29155 since early 2022. The unit's primary focus has been to disrupt aid efforts to Ukraine through cyber campaigns such as website defacements, data exfiltration, and leak operations. The stolen data is either sold or publicly released by the hackers, further compromising the security and privacy of the victims.
Unit 29155, also known as Cadet Blizzard or Ember Bear, operates independently from other GRU-related units such as Fancy Bear and Sandworm. The group comprises junior active-duty GRU officers under experienced leadership, assisted by known Russian cyber-criminals. The recent indictment by the US Department of Justice also names a civilian accomplice who allegedly aided in the hackers' disruptive activities.
In response to these cyber threats, the US Department of State has offered a reward of up to $10 million for information leading to the location of the defendants or their cyber activities. Unit 29155 has not only targeted government agencies but also financial services, transportation systems, energy, and healthcare sectors of various countries around the world.
The group's tactics involve using publicly available tools for reconnaissance, Active Directory enumeration, vulnerability scanning, and exploitation of known vulnerabilities (published CVEs). By relying on common red teaming techniques and widely available tools, Unit 29155 can conduct cyber operations with a degree of anonymity that complicates attribution. Its presence on dark web forums gives it access to various hacker tools, including malware such as WhisperGate, which has been used extensively against Ukraine.
Despite their reliance on existing tools and techniques, Unit 29155’s attacks can be mitigated by understanding and testing against MITRE ATT&CK techniques. By bolstering existing security controls and remaining vigilant against potential cyber threats, organizations can reduce the risk posed by these malicious hackers.
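Because the tactics described above (reconnaissance, Active Directory enumeration, vulnerability scanning) are noisy and built on commodity tooling, they map cleanly onto MITRE ATT&CK techniques that defenders can write detections for. The following is an added example, not code from the original article or from any of the agencies it cites: it runs two simple burst detections over constructed sample logs (a web access log and a simplified LDAP search audit log, both invented here) and tags each finding with the ATT&CK technique ID it corresponds to. The log formats, thresholds and windows are assumptions chosen for illustration; a real deployment would adapt the parsers to its own log sources and tune the thresholds against baseline traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample logs for the example (not from any real incident).
# Format 1: web access log  ->  "<src> [<ts>] "<method> <path>" <status>"
WEB_LOG = """\
10.0.0.5 [2024-09-05T10:00:01Z] "GET /index.html" 200
198.51.100.7 [2024-09-05T10:01:00Z] "GET /.env" 404
198.51.100.7 [2024-09-05T10:01:01Z] "GET /phpmyadmin/" 404
198.51.100.7 [2024-09-05T10:01:02Z] "GET /wp-login.php" 404
198.51.100.7 [2024-09-05T10:01:03Z] "GET /admin/config.php" 404
198.51.100.7 [2024-09-05T10:01:04Z] "GET /cgi-bin/test.cgi" 404
198.51.100.7 [2024-09-05T10:01:05Z] "GET /owa/" 404
198.51.100.7 [2024-09-05T10:01:06Z] "GET /api/v1/status" 200
10.0.0.9 [2024-09-05T10:02:00Z] "GET /about.html" 200
"""

# Format 2: simplified LDAP search audit  ->  "<ts> client=<ip> user=<u> filter=<f> scope=<s>"
LDAP_LOG = """\
2024-09-05T10:05:00Z client=10.0.0.44 user=jsmith filter=(objectClass=user) scope=sub
2024-09-05T10:05:01Z client=10.0.0.44 user=jsmith filter=(objectClass=group) scope=sub
2024-09-05T10:05:02Z client=10.0.0.44 user=jsmith filter=(objectClass=computer) scope=sub
2024-09-05T10:05:03Z client=10.0.0.44 user=jsmith filter=(objectClass=trustedDomain) scope=sub
2024-09-05T10:30:00Z client=10.0.0.12 user=svc-app filter=(sAMAccountName=svc-app) scope=base
"""

WEB_RE = re.compile(r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3})$')
LDAP_RE = re.compile(r'^(?P<ts>\S+) client=(?P<src>\S+) user=(?P<user>\S+) filter=(?P<filter>\S+) scope=(?P<scope>\S+)$')

# Broad subtree queries that enumerate whole object classes, mapped to the
# ATT&CK discovery technique each one most directly corresponds to.
BROAD_FILTERS = {
    "(objectClass=user)": "T1087.002",       # Account Discovery: Domain Account
    "(objectClass=group)": "T1069.002",      # Permission Groups Discovery: Domain Groups
    "(objectClass=computer)": "T1018",       # Remote System Discovery
    "(objectClass=trustedDomain)": "T1482",  # Domain Trust Discovery
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def max_distinct_in_window(events, window):
    """events: list of (datetime, key) from one source. Returns the largest
    number of distinct keys that fall inside any sliding window of `window`."""
    events = sorted(events)
    best, lo = 0, 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        best = max(best, len({k for _, k in events[lo:hi + 1]}))
    return best


def detect_web_scanning(log, window=timedelta(seconds=60), threshold=5):
    """Flag sources that probe many distinct non-existent/forbidden paths in a
    short window: a heuristic for T1595.002 (Active Scanning: Vulnerability Scanning)."""
    per_src = defaultdict(list)
    for line in log.splitlines():
        m = WEB_RE.match(line)
        if m and m["status"].startswith("4"):  # client errors: path probing
            per_src[m["src"]].append((parse_ts(m["ts"]), m["path"]))
    findings = []
    for src, ev in per_src.items():
        n = max_distinct_in_window(ev, window)
        if n >= threshold:
            findings.append({"source": src, "technique": "T1595.002", "distinct_404s": n})
    return findings


def detect_ad_enumeration(log, window=timedelta(minutes=5), threshold=3):
    """Flag (client, user) pairs that issue several distinct broad subtree
    searches in a short window, the signature of bulk AD enumeration."""
    per_src = defaultdict(list)
    for line in log.splitlines():
        m = LDAP_RE.match(line)
        if m and m["scope"] == "sub" and m["filter"] in BROAD_FILTERS:
            per_src[(m["src"], m["user"])].append((parse_ts(m["ts"]), m["filter"]))
    findings = []
    for (src, user), ev in per_src.items():
        n = max_distinct_in_window(ev, window)
        if n >= threshold:
            techniques = sorted({BROAD_FILTERS[f] for _, f in ev})
            findings.append({"source": src, "user": user,
                             "techniques": techniques, "distinct_filters": n})
    return findings


if __name__ == "__main__":
    for f in detect_web_scanning(WEB_LOG) + detect_ad_enumeration(LDAP_LOG):
        print(f)
```

Both detections key on burstiness and breadth rather than on any particular tool, which is the point when the adversary deliberately uses the same commodity scanners and enumeration utilities as legitimate red teams: the behaviour is what stays constant. Tagging findings with technique IDs lets the alerts feed directly into an ATT&CK coverage map, so gaps can be measured and tested against.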
Overall, the identification of Unit 29155 and its cyber activities serves as a stark reminder of the ongoing threat posed by state-sponsored cyber actors. Through international cooperation and proactive security measures, the impact of such attacks can be minimized, protecting critical infrastructure and sensitive data from falling into the wrong hands.