UK and allies uncover Russian military unit carrying out cyber attacks and digital sabotage
Above: The National Cyber Security Centre (NCSC), Nova South, London.
Image by Simona Flamigni / copyright Shutterstock
In a new joint advisory, the National Cyber Security Centre (NCSC) – a part of GCHQ – and agencies in the United States, the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada, Australia and Ukraine have revealed the tactics and techniques used by Unit 29155 of the Russian GRU to carry out cyber operations globally.
Unit 29155 is assessed to have targeted organisations to collect information for espionage purposes, caused reputational harm by the theft and leaking of sensitive information, defaced victim websites and undertaken systematic sabotage caused by the destruction of data.
It is the first time the UK has publicly exposed Unit 29155, also designated as 161st Specialist Training Centre, as being responsible for carrying out malicious cyber activity, which it has undertaken since at least 2020.
Since 2022, the group’s overall aim seems to have been to target and disrupt efforts to provide aid to Ukraine. Today, the UK and allies can confirm that it was Unit 29155 specifically that was responsible for deploying the Whispergate malware against multiple victims across Ukraine prior to Russia’s invasion in 2022.
To prevent these malicious activities impacting UK organisations, the NCSC strongly advises network defenders to follow the recommended actions set out in the advisory to bolster their cyber resilience.
Paul Chichester, NCSC Director of Operations, said: “The exposure of Unit 29155 as a capable cyber actor illustrates the importance that Russian military intelligence places on using cyberspace to pursue its illegal war in Ukraine and other state priorities.
“The UK, alongside our partners, is committed to calling out Russian malicious cyber activity and will continue to do so.
“The NCSC strongly encourages organisations to follow the mitigation advice and guidance included in the advisory to help defend their networks.”
The advisory says the Unit, which is assessed to be made up of junior active-duty GRU officers, also relies on non-GRU actors, including known cyber criminals and enablers to conduct their operations. The group differs to more established GRU-related cyber groups Unit 26165 (Fancy Bear) and Unit 74455 (Sandworm).
The NCSC has previously exposed details about malware operations used by cyber actors from Russia’s military intelligence to target the Ukrainian military and also called for organisations to take action following Russia’s attack on Ukraine.
In May 2022, the UK and allies attributed the use of Whispergate malware in Ukraine to Russia’s military intelligence service but this new advisory goes further by attributing its deployment specifically to Unit 29155.
The advisory also includes further analysis of the malware that was deployed to help network defenders identify malicious infrastructure.
The advisory has been co-sealed by the National Cyber Security Centre, the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Department of the Treasury, the US Department of State (Rewards for Justice), the US Cyber Command Cyber National Mission Force (CNMF), the Netherlands Defence Intelligence and Security Service (MIVD), the Czech Military Intelligence (VZ), the Czech Republic Security Information Service (BIS), the German Federal Office for the Protection of the Constitution (BfV), the Estonian Internal Security Service (KAPO), the Latvian State Security Service (VDD), the Canadian Security Intelligence Service (CSIS), the Communications Security Establishment Canada (CSE) and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).
The advisory can be read on the CISA website.
