
Russian GRU Unit Linked to Critical Infrastructure Attacks


Several U.S. government agencies issued a new advisory on Thursday warning of global cyber operations by threat actors they attribute to Unit 29155 of the Russian Main Intelligence Directorate (GRU).

The threat group is tracked under several names, including UNC2589, Cadet Blizzard, Ember Bear and Frozenvista. In the new advisory, the FBI, CISA and NSA said the group is linked to the WhisperGate malware campaign that targeted several Ukrainian organizations starting in January 2022. The threat actors have also conducted operations against numerous North Atlantic Treaty Organization (NATO) members in Europe and North America, as well as countries across Europe, Latin America and Central Asia.

“FBI, NSA, and CISA assess Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe. Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020,” according to the Thursday advisory. “Unit 29155 cyber actors’ objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data.”

Unit 29155 has been linked to several overseas operations by Bellingcat’s investigation team, including involvement in the annexation of Crimea in 2014, a failed coup in Montenegro in 2016 and an assassination attempt on former Russian spy Sergei Skripal in the UK in 2018. The threat actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455, according to the U.S. government advisory.

The FBI said it believes Unit 29155 cyber actors to be junior, active-duty GRU officers who “appear to be gaining cyber experience and enhancing their technical skills” by conducting cyber operations and intrusions. The actors also appear to sometimes rely on non-GRU cybercriminals to carry out their operations, the FBI said.

Both the U.S. government and the security research community have been tracking cyber activity related to this threat group for some time. In 2022, for instance, CISA outlined the destructive activity associated with the WhisperGate campaign, and U.S. Cyber Command disclosed indicators of compromise linked to the group’s operations.

In addition to espionage and destructive campaigns, the group has defaced victim websites and used public domains to post exfiltrated victim data. On Thursday, the FBI said it has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several EU countries to date.

The advisory is part of an international effort, called Operation Toy Soldier, to combat the malicious cyber activity of GRU Unit 29155. As part of this effort, the Department of Justice on Thursday also unsealed an indictment against five Russian GRU officers and one civilian, alleging that they conspired to hack, exfiltrate and leak data from the Ukrainian government before the Russian invasion of Ukraine. Those named include Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, Nikolay Korchagin and Amin Stigal. The State Department is concurrently offering rewards of up to $10 million for information on any of these individuals.

In the advisory, CISA, the FBI and the NSA stressed that organizations can take a number of measures to defend against the campaigns linked to the threat group, including prioritizing system updates and patch management, segmenting networks and enabling controls such as multi-factor authentication (MFA).