Russian Hacker Unit Targets Critical US, Global Infrastructure, Warns Security Agencies

The hackers reportedly work for a military intelligence unit responsible for coups, sabotages, and assassination attempts in Europe.
Naveen Athrappully

A joint cybersecurity advisory issued by multiple U.S. agencies identified a clandestine Russian military unit as responsible for cyber attacks against global targets.

The advisory was issued by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) together with foreign partners from nine countries, including the United Kingdom and Canada.

“Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe,” said the Sept. 5 advisory.

“Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.”

Unit 29155 operates under Russia’s General Staff Main Intelligence Directorate (GRU), a military intelligence agency under the country’s armed forces. The unit’s cyber actors target critical infrastructure and key resource sectors like foreign government services, transportation systems, financial services, health care sectors, and energy sectors in NATO countries, the European Union, North America, Latin America, and Asia, the advisory noted.

The group’s activities point to goals such as collecting information for espionage, destroying data to trigger systematic sabotage of a target’s systems, and causing reputational harm by stealing and leaking sensitive information, the agencies stated.

Unit 29155 has been carrying out cyber attacks against global targets since at least 2020. The unit’s cyber actors were responsible for deploying the “destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022,” the advisory said.

“To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries.” Domain scanning probes an organization’s internet-facing domains to identify security weaknesses.

To counter threats posed by Unit 29155, the advisory urges organizations to prioritize routine system updates and resolve known vulnerabilities that have been exploited. It recommended segmenting networks to prevent the spread of malicious activity.

In addition, it suggested enabling “phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.”

Russian Threats

The advisory was issued after a grand jury in Maryland charged six Russian hackers for conspiring to hack the Ukrainian government, according to a Sept. 5 press release from the U.S. Department of Justice (DOJ). Five of them were officers in Unit 29155 while one was a civilian.

“According to court documents, on Jan. 13, 2022, the defendants conspired to use a U.S.-based company’s services to distribute malware known in the cybersecurity community as ‘WhisperGate,’ which was designed to look like ransomware, to dozens of Ukrainian government entities’ computer systems,” the release stated.

However, “WhisperGate was actually a cyberweapon designed to completely destroy the target computer and related data in advance of the Russian invasion of Ukraine.”

The indictment is part of Operation Toy Soldier, an international effort to counter cyber threats from Unit 29155. The Sept. 5 advisory was issued alongside the announcement of the charges against the six Russian hackers.

U.S. intelligence agencies have repeatedly warned about the cyber threats coming from Russia. In 2022, a top FBI official told lawmakers that hackers based in the country were scanning the systems of energy companies and other critical infrastructure in America.

“The threat from Russia in a criminal sense, in the nation-state sense, is very, very real,” said Bryan Vorndran, an assistant director in the FBI’s cyber division.

This July, two Russian hackers who allegedly engaged in cyber attacks against critical infrastructure in the United States were sanctioned by the Treasury Department. The hackers belong to the Cyber Army of Russia Reborn (CARR) group.

One individual commands and controls CARR operations and has acted as the group’s spokesperson. The second one was allegedly behind the compromise of a control system in a U.S. energy company, giving CARR access to the alarms and pumps for tanks in that system.

In June, the U.S. Environmental Protection Agency asked agencies that oversee drinking water systems to address their cybersecurity vulnerabilities. It pointed out that cyberattacks against community water systems are “increasing in frequency and severity” in the United States.

“Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers,” the agency said.

“Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.”

Naveen Athrappully is a news reporter covering business and world events at The Epoch Times.