A joint cybersecurity advisory issued by multiple U.S. agencies found a clandestine Russian military unit responsible for cyber attacks against global targets.
The advisory was issued by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) together with foreign partners from nine countries, including the United Kingdom and Canada.
“Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.”
Unit 29155 operates under Russia’s General Staff Main Intelligence Directorate (GRU), a military intelligence agency under the country’s armed forces. The unit’s cyber actors target critical infrastructure and key resource sectors like foreign government services, transportation systems, financial services, health care sectors, and energy sectors in NATO countries, the European Union, North America, Latin America, and Asia, the advisory noted.
The group’s activities point to goals such as collecting information for espionage, destroying data to trigger systematic sabotage of a target’s systems, and causing reputational harm by stealing and leaking sensitive information, the agencies stated.
Unit 29155 has been carrying out cyber attacks against global targets since at least 2020. The unit’s cyber actors were responsible for deploying the “destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022,” the advisory said.
“To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries.” Domain scanning is the probing of a domain’s internet-facing systems to identify security weaknesses.
To counter threats posed by Unit 29155, the advisory urges organizations to prioritize routine system updates and resolve known vulnerabilities that have been exploited. It recommended segmenting networks to prevent the spread of malicious activity.
Russian Threats
The advisory was issued after a grand jury in Maryland charged six Russian hackers with conspiring to hack the Ukrainian government, according to a Sept. 5 press release from the U.S. Department of Justice (DOJ). Five of them were officers in Unit 29155, while one was a civilian.
“According to court documents, on Jan. 13, 2022, the defendants conspired to use a U.S.-based company’s services to distribute malware known in the cybersecurity community as ‘WhisperGate,’ which was designed to look like ransomware, to dozens of Ukrainian government entities’ computer systems,” the release stated.
However, “WhisperGate was actually a cyberweapon designed to completely destroy the target computer and related data in advance of the Russian invasion of Ukraine.”
The indictment is part of Operation Toy Soldier, an international effort to counter cyber threats from Unit 29155. The Sept. 5 advisory was issued alongside the announcement of the charges against the six Russian hackers.
“The threat from Russia in a criminal sense, in the nation-state sense, is very, very real,” said Bryan Vorndran, an assistant director in the FBI’s cyber division.
One individual commands and controls CARR operations and has acted as the group’s spokesperson. The second allegedly carried out the compromise of a control system at a U.S. energy company, giving CARR access to the alarms and pumps for tanks in that system.
“Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers,” the agency said.
“Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.”