The United States, along with its allies, has formally identified a group of Russian hackers, tracked under names like Cadet Blizzard and Ember Bear, as being responsible for large-scale attacks on the US global critical infrastructure. These hackers are linked to Unit 29155 of Russia’s Main Directorate of the General Staff of the Armed Forces (GRU), a military intelligence unit that has long been under scrutiny for its covert operations.
In a joint advisory released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA), it was revealed that the GRU hackers, often junior officers from GRU’s 161st Specialist Training Center, have been involved in cyber sabotage since 2020, with the leadership and oversight of the experienced members of Unit 29155.
These operations have not only targeted critical infrastructure but also carried out sabotage and assassination attempts throughout Europe.
WhisperGate Malware and Cyberattacks
The group gained significant notoriety in January 2022 when they deployed WhisperGate, a data-wiping malware, against Ukrainian organizations. The attacks were part of a broader campaign aimed at destabilizing Ukraine and interfering with the efforts of NATO and allied nations to support the country.
This malware was a signal of the hackers’ capabilities, marking a shift from cyber-espionage to outright data destruction. WhisperGate attacks began on January 13, 2022, focusing on disrupting Ukraine’s defense and critical services. The joint advisory emphasizes that Unit 29155 is distinct from other well-known GRU-affiliated units, such as Units 26165 and 74455, which were responsible for previous cyberattacks in Europe and the U.S.
Since early 2022, this group has pivoted its focus toward disrupting aid efforts for Ukraine, expanding its cyber toolkit to include methods that blend espionage with destruction. The joint advisory stresses that the hackers are honing their technical skills and building their experience by conducting more advance cyber operations across various global regions.
Unit 29155: A Wide Range of Attacks Across Continents
According to U.S. intelligence, Unit 29155 has been responsible for a wide range of cyberattacks that have affected NATO countries, along with others in North America, Europe, Latin America, and Central Asia. Their tactics have included website defacement, public leaks of stolen data, and extensive infrastructure scanning to uncover vulnerabilities.
These attacks have not been limited to Ukraine but have spread across multiple sectors, including energy, government services, and financial institutions. As a result, critical infrastructure across NATO member states has faced increasing risks of being compromised.
The FBI has been tracking the activities of Unit 29155 closely, having detected over 14,000 domain scanning attempts targeting at least 26 NATO members and several European Union (EU) nations. These scans were aimed at identifying weaknesses in critical systems that could be exploited in future attacks.
U.S. Offers Reward for Key GRU Officers
In response to these attacks, the U.S. State Department announced a reward of up to $10 million for information leading to the identification or capture of five Russian military intelligence officers. These individuals are believed to be part of the GRU’s Unit 29155 and include Vladislav Borovkov, Denis Igorevich Denisenko, Yuriy Denisov, Dmitry Yuryevich Goloshubov, and Nikolay Aleksandrovich Korchagin.
These officers are accused of carrying out cyber operations that have harmed critical U.S. infrastructure, with particular emphasis on energy, government, and aerospace sectors. Their cyber activities are linked to the sabotage of Western countries’ efforts to support Ukraine and disrupt various sectors critical to national security.
In addition to the military officers, a civilian named Amin Timovich has also been indicted for his involvement in the WhisperGate attacks against Ukraine. This indictment, along with charges against the five GRU officers, highlights the seriousness of Russia’s cyber operations and the coordinated efforts to bring those responsible to justice.
Protecting Critical Infrastructure: Recommendations
As Unit 29155 continues its cyber operations across the globe, organizations within critical infrastructure sectors are urged to enhance their defenses. Immediate actions recommended by cybersecurity authorities include:
- Patching vulnerabilities in systems to close potential entry points for cyberattacks.
- Implementing phishing-resistant multifactor authentication (MFA) to strengthen account security, particularly for services like webmail and virtual private networks (VPNs).
- Segmenting networks to contain any malicious activity should an intrusion occur.
These defensive strategies are especially important for organizations within sectors frequently targeted by Russian hackers, including energy, transportation, healthcare, and government services.
Global Concerns and Long-Term Implications
Since Russia’s invasion of Ukraine in February 2022, cyberattacks have escalated in both scale and severity. Alongside the WhisperGate malware, other destructive tools like HermeticWiper and ransomware decoys have been used to cripple Ukrainian systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warned early on that such malware could easily spread beyond Ukraine, affecting global systems if defenses were not adequately prepared.
Wednesday’s announcement of the U.S. seizing 32 web domains linked to Russian disinformation campaigns highlights the broader cyber and information warfare being waged by Russia. These domains were part of a network aimed at spreading false information to influence the upcoming 2024 U.S. presidential election.
Tracking Cyber Threats: Industry and Government Coordination
The cybersecurity industry plays a critical role in identifying and mitigating threats posed by groups like Unit 29155. Leading cybersecurity firms and government agencies continuously track the activities of Russian cyber actors, with various naming conventions such as Cadet Blizzard (tracked by Microsoft) and Ember Bear (CrowdStrike).
These cyber groups have demonstrated advanced capabilities in reconnaissance, scanning, and exploiting vulnerabilities in critical systems.
As Unit 29155 continues its cyber operations, the global community remains on high alert. Efforts to strengthen critical infrastructure and improve cyber defenses have never been more critical. While the hunt for the Russian GRU officers involved in these attacks intensifies, the larger challenge remains how to effectively mitigate and defend against the growing cyber threats facing the world today.
