A lesser-known cyber actor associated with the Russian military intelligence (GRU) is responsible for attempted coups, sabotage, influence operations, and even assassination attempts in Europe, the FBI warns.
The cyber militants appear to be “junior active-duty GRU officers” who are gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions under the direction of experienced leadership.
The threat actor is labeled Unit 29155 and is also known as Cadet Blizzard, Ember Bear, or Frozenvista. It is affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) and works separately from other known, more established GRU cyber groups.
These “junior” cyber actors rely on the help of other known non-GRU cybercriminals and enablers to conduct their operations, the joint advisory by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assesses.
Unit 29155 has been active since at least 2020 and is responsible for multiple computer network operations against global targets. Their activities are usually directed at espionage, sabotage, and reputational harm. Their targets are critical infrastructure and key resource sectors, such as government, financial services, transportation, energy, and healthcare.
Some of the unit’s deeds include deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13th, 2022. It has also conducted multiple website defacements, infrastructure scanning, data exfiltration, and data leak operations.
“To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries,” the advisory reads.
The gang targeted North Atlantic Treaty Organization (NATO) members in Europe and North America, as well as other countries.
The US Department of Justice named five officers of Unit 29155 and announced a reward of up to $10 million for information leading to their identification or location. A grand jury in Maryland indicted the hackers, all Russian nationals and residents, on charges of conspiracy to commit computer intrusion and wire fraud.
For malicious activity, Unit 29155 used multiple publicly available tools: Acunetix and Nmap for port, service, and vulnerability scanning; Amass and VirusTotal to enumerate subdomains of target websites; Shodan to identify hosts with specific vulnerabilities or device types; together with Netcat, WPScan and other scanners.
Following the initial reconnaissance, the threat actor exploits known vulnerabilities discovered on victim servers and machines. In one instance, they gained initial access by exploiting Dahua IP cameras to bypass identity authentication.
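The advisory's point that the unit leans on off-the-shelf scanners (Nmap, WPScan, Acunetix) is also what makes the activity detectable on the defender's side: those tools announce themselves in HTTP request headers, and broad path probing leaves a trail of not-found responses. The script below, an added example and not code from the advisory or the agencies, runs two such checks over a constructed sample of web server access-log lines in the Apache "combined" format. The WPScan and Nmap Scripting Engine user-agent strings are those tools' defaults; matching "acunetix" as a substring is a heuristic assumption, as is the threshold of five 404 responses per source.

```python
import re
from collections import defaultdict

# Constructed sample of "combined" access-log lines (documentation IP ranges,
# illustrative paths). Not real victim data.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Sep/2024:08:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
198.51.100.7 - - [10/Sep/2024:08:01:03 +0000] "GET /wp-content/plugins/foo/readme.txt HTTP/1.1" 404 210 "-" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
203.0.113.9 - - [10/Sep/2024:08:02:00 +0000] "GET / HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.9 - - [10/Sep/2024:08:02:00 +0000] "GET /robots.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
192.0.2.44 - - [10/Sep/2024:08:03:10 +0000] "GET /admin HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/129.0"
192.0.2.44 - - [10/Sep/2024:08:03:10 +0000] "GET /.env HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/129.0"
192.0.2.44 - - [10/Sep/2024:08:03:11 +0000] "GET /.git/config HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/129.0"
192.0.2.44 - - [10/Sep/2024:08:03:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/129.0"
192.0.2.44 - - [10/Sep/2024:08:03:12 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/129.0"
192.0.2.44 - - [10/Sep/2024:08:03:12 +0000] "GET /server-status HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/129.0"
10.0.0.5 - - [10/Sep/2024:08:04:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/129.0"
10.0.0.5 - - [10/Sep/2024:08:04:05 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Gecko/20100101 Firefox/129.0"
"""

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default user-agent strings of WPScan and the Nmap Scripting Engine; the
# Acunetix substring match is a heuristic assumption for this example.
SCANNER_UA_PATTERNS = [
    ("wpscan", re.compile(r"wpscan", re.I)),
    ("nmap-nse", re.compile(r"nmap scripting engine", re.I)),
    ("acunetix", re.compile(r"acunetix", re.I)),
]

# Behavioural rule (assumed threshold): this many 404s from one source in the
# window is treated as path probing, regardless of user-agent.
NOT_FOUND_THRESHOLD = 5


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(log_text, not_found_threshold=NOT_FOUND_THRESHOLD):
    """Return {source_ip: sorted list of reasons} for sources that look like scanners."""
    findings = defaultdict(set)
    not_found = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than crash the detection
        ip = rec["ip"]
        for name, pattern in SCANNER_UA_PATTERNS:
            if pattern.search(rec["ua"]):
                findings[ip].add(f"scanner user-agent: {name}")
        if rec["status"] == 404:
            not_found[ip] += 1
    for ip, count in not_found.items():
        if count >= not_found_threshold:
            findings[ip].add(f"{count} not-found responses (path probing)")
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


if __name__ == "__main__":
    for ip, reasons in detect_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The third source in the sample uses a browser user-agent and is still flagged, which is the point of combining the two rules: a signature match is cheap but trivially changed, while the not-found rate catches generic path probing. Tune the threshold against your own traffic before alerting on it.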
“They obtain CVE exploit scripts from GitHub repositories and use them against victim infrastructure,” the FBI said.
“Rather than build custom solutions, Unit 29155 cyber actors use common red teaming techniques and publicly available tools to conduct cyber operations.”
Overlapping tactics may lead to misattribution. To anonymize their operations, Unit 29155 actors have used VPNs (virtual private networks), and for hosting operational tools or data exfiltration, they’ve relied on virtual private servers (VPSs).
The WhisperGate malware deployed against Ukraine is capable of corrupting a system’s master boot record, displaying a fake ransomware note, and encrypting files based on certain file extensions. Unit 29155 leveraged Discord to store files and control the malware. While the primary goal of the malware is to disrupt and damage targeted computer systems, WhisperGate can also scan networks, steal passwords, and exfiltrate data.
The US agencies advise network defenders to prioritize system updates and patch known vulnerabilities, especially those listed in CISA’s known exploited vulnerabilities catalog. Limiting internet-facing assets, implementing network segmentation, and regular vulnerability scanning are some of the proposed measures to defend against this adversary.
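Because the advisory says the unit exploits known vulnerabilities with public exploit scripts rather than custom tooling, the two recommendations above combine naturally: cross-reference the vulnerability scanner's findings against CISA's Known Exploited Vulnerabilities (KEV) catalog, and rank anything that is both in the catalog and internet-facing first. The script below is an added example, not code from the advisory or from CISA. It assumes the JSON field names of CISA's KEV feed (`cveID`, `dueDate`, `knownRansomwareCampaignUse`, and so on) and uses a constructed catalog excerpt with placeholder CVE identifiers and a constructed asset inventory; nothing in it refers to a real vulnerability.

```python
import json

# Constructed excerpt in the shape of CISA's KEV JSON feed. The CVE identifiers,
# vendors, products and dates are placeholders, not real catalog entries.
KEV_SAMPLE_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "placeholder",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCam", "product": "IP Camera Firmware",
     "vulnerabilityName": "Authentication bypass (placeholder)", "dateAdded": "2024-01-10",
     "requiredAction": "Apply vendor update", "dueDate": "2024-01-31",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCMS", "product": "Blog Plugin",
     "vulnerabilityName": "Remote code execution (placeholder)", "dateAdded": "2024-02-01",
     "requiredAction": "Apply vendor update", "dueDate": "2024-02-22",
     "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed asset inventory: the CVE IDs a vulnerability scanner reported per
# host, plus whether the host is reachable from the internet.
INVENTORY = [
    {"host": "cam-01.example.internal", "internet_facing": True, "cves": ["CVE-0000-0001"]},
    {"host": "www.example.internal", "internet_facing": True, "cves": ["CVE-0000-0002", "CVE-0000-0003"]},
    {"host": "intranet.example.internal", "internet_facing": False, "cves": ["CVE-0000-0002"]},
    {"host": "fileshare.example.internal", "internet_facing": False, "cves": ["CVE-0000-0003"]},
]


def load_kev(kev_json):
    """Index a KEV feed document by CVE ID."""
    data = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def prioritize(inventory, kev):
    """Return one work item per (host, CVE), most urgent first.

    Tier 0: in KEV and internet-facing   Tier 1: in KEV, internal only
    Tier 2: not in KEV, internet-facing  Tier 3: everything else
    Within a tier, earlier KEV remediation due dates come first.
    """
    items = []
    for asset in inventory:
        for cve in asset["cves"]:
            in_kev = cve in kev
            exposed = asset["internet_facing"]
            tier = 0 if (in_kev and exposed) else 1 if in_kev else 2 if exposed else 3
            items.append({
                "tier": tier,
                "host": asset["host"],
                "cve": cve,
                "kev_due_date": kev[cve]["dueDate"] if in_kev else None,
                "ransomware_use": kev[cve]["knownRansomwareCampaignUse"] if in_kev else None,
            })
    # ISO dates sort lexicographically; non-KEV items (no due date) sort last in their tier.
    items.sort(key=lambda i: (i["tier"], i["kev_due_date"] or "9999-12-31", i["host"]))
    return items


def exposed_kev_hosts(items):
    """Hosts that need attention first: internet-facing with a KEV-listed finding."""
    return sorted({i["host"] for i in items if i["tier"] == 0})


if __name__ == "__main__":
    plan = prioritize(INVENTORY, load_kev(KEV_SAMPLE_JSON))
    for item in plan:
        print(f"tier {item['tier']}  {item['host']:28} {item['cve']}  due={item['kev_due_date']}")
    print("reduce exposure first:", exposed_kev_hosts(plan))
```

The tiering encodes the advisory's two measures as one ordering: a KEV-listed flaw on an exposed host outranks the same flaw on an internal host, and an exposed host with any finding outranks an internal one, which is also the list to work from when deciding which internet-facing assets can simply be removed from the perimeter.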