Header image

Global Agencies Call out Unit 29155 for Disruptive Malware Deployment

Russian group has been targeting Ukraine since conflict began in early 2022.

Global intelligence agencies have called out the Russian GRU for having conducted a campaign of malicious cyber activity since at least 2020.

The UK’s National Cybersecurity Centre (NCSC) is among several global agencies naming Unit 29155 for espionage, sabotage and reputational harm purposes.

“Unit 29155 is assessed to have targeted organisations to collect information for espionage purposes, caused reputational harm by the theft and leaking of sensitive information, defaced victim websites and undertaken systematic sabotage caused by the destruction of data,” the NCSC said.

Whispergate Malware

The agencies named Unit 29155 as being responsible for deploying the Whispergate malware, a data wiper,  against multiple victims across Ukraine prior to Russia’s invasion in 2022.

The advisories say the Unit is assessed to be made up of junior active-duty GRU officers, also relies on non-GRU actors, including known cyber-criminals and enablers to conduct their operations.

The advisory from CISA, FBI and NSA said Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe.

The Unit expanded its tradecraft to include offensive cyber operations since at least 2020, and its objectives “appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data.”

Network Operations

As well as the targeted malware on Ukraine - which has been a primary focus since 2022 - Unit 29155 cyber actors have conducted computer network operations against numerous NATO members in Europe and North America, including cyber campaigns such as website defacements, infrastructure scanning, data exfiltration, and data leak operations.

To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries. Unit 29155 cyber actors have defaced victim websites and used public website domains to post exfiltrated victim information.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.

Upcoming Events

24
Oct
Webinar

Securing Data in the Cloud: Advanced Strategies for Cloud Application Security

Discussing the current trends in cloud security, focusing on the challenges of hybrid environments

In this live webinar, join security specialists from OPSWAT to discuss the current trends in cloud security, focusing on the challenges of hybrid environments, including diminished visibility and weakened threat detection.

image image