Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Russian GRU Unit Tied to Assassinations Linked to Global Cyber Sabotage and Espionage

A secretive Russian military unit, previously linked to assassinations and destabilization in Europe, is blamed for destructive wiper malware attacks in Ukraine.

Russian Hackers

A secretive Russian military intelligence unit, previously tied to foreign assassinations and destabilizing actions in Europe, has now been linked to cyberespionage and sabotage operations for the first time, according to a joint advisory from the US government and its allies.

The military unit — identified as Russian GRU’s 161st Specialist Training Center (Unit 29155) — is being blamed for a series of aggressive cyber operations around the world, including the destructive WhisperGate malware that wiped the Master Boot Record (MBR) of computers in Ukraine.

In the past, the investigative website Bellingcat found evidence linking Unit 29155 to the attempted assassinations of Bulgarian arms dealer Emilian Gebrev in April 2015 and the former GRU Colonel Sergei Skripal in March 2018.

According to the joint advisory, issued by law enforcement and cybersecurity agencies in multiple countries, Unit 29155 is responsible for cyber operations around the world, including the deployment of destructive malware, sabotage and cyberespionage.

The British government’s NCSC agency said Unit 29155 is made up of junior active-duty GRU officers but also used non-GRU actors, including known cybercriminals and enablers to conduct their operations. The group differs from more established GRU-related cyber groups Unit 26165 (Fancy Bear) and Unit 74455 (Sandworm). 

“Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe. Unit 29155 expanded their tradecraft to include offensive cyber operations from at least 2020,” according to a CISA advisory. “Unit 29155 cyber actors’ objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data.”

In tandem, the US Justice Department announced charges against Russian national Amin Timovich Stigal for a conspiracy to hack into and destroy computer systems and data.

“In advance of the full-scale Russian invasion of Ukraine, targets included Ukrainian Government systems and data with no military or defense-related roles. Later targets included computer systems in countries that were providing support to Ukraine, including the United States,” according to an indictment.

Stigal, who is linked to Russia’s GRU, remains at large. The government also issued wanted bulletins for five other Russians identified as GRU 29155 cyber actors.

Advertisement. Scroll to continue reading.

The US government contends that Unit 29155 has conducted hacking operations  against NATO targets in Europe and North America, as well as countries in Europe, Latin America, and Central Asia. The activity includes website defacements, infrastructure scanning, data exfiltration, and data leak operations

“To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries. Unit 29155 cyber actors have defaced victim websites and used public website domains to post exfiltrated victim information,” CISA added.

The CISA advisory includes IOCs (indicators of compromise) to help hunt for signs of infections and the agency is urging organizations to prioritize system updates, network segmentation, and the deployment of phishing-resistant multi-factor authentication tools.

Related: Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper

Related: CISA, FBI Issue Warnings on WhisperGate, HermeticWiper Attacks

Related: US Charges Russian National Behind Wiper Attacks on Ukraine

Related: Microsoft Outs New Russian APT Linked to Wiper Attacks in Ukraine

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Janet Rathod has been named VP and CISO at Johns Hopkins University.

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

More People On The Move

Expert Insights