
Global Agencies Call out Unit 29155 for Disruptive Malware Deployment

Russian group has been targeting Ukraine since conflict began in early 2022.

Global intelligence agencies have called out the Russian GRU for having conducted a campaign of malicious cyber activity since at least 2020.

The UK’s National Cyber Security Centre (NCSC) is among several global agencies naming Unit 29155 as responsible for activity aimed at espionage, sabotage and reputational harm.

“Unit 29155 is assessed to have targeted organisations to collect information for espionage purposes, caused reputational harm by the theft and leaking of sensitive information, defaced victim websites and undertaken systematic sabotage caused by the destruction of data,” the NCSC said.

WhisperGate Malware

The agencies named Unit 29155 as being responsible for deploying the WhisperGate malware, a data wiper, against multiple victims across Ukraine prior to Russia’s invasion in 2022.

The advisories say the Unit is assessed to be made up of junior active-duty GRU officers, and that it also relies on non-GRU actors, including known cyber-criminals and enablers, to conduct its operations.

The advisory from CISA, FBI and NSA said Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe.

The Unit has expanded its tradecraft to include offensive cyber operations since at least 2020, and its objectives “appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data.”

Network Operations

As well as the malware targeted at Ukraine, which has been a primary focus since 2022, Unit 29155 cyber actors have conducted computer network operations against numerous NATO members in Europe and North America, including cyber campaigns such as website defacements, infrastructure scanning, data exfiltration, and data leak operations.

To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries. Unit 29155 cyber actors have defaced victim websites and used public website domains to post exfiltrated victim information.

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
