NCSC and allies call out Russia’s Unit 29155 over cyber warfare

The National Cyber Security Centre (NCSC) in the UK, along with intelligence agencies in the Five Eyes alliance and partner countries such as Czechia, Estonia, Germany, Latvia, and Ukraine, has collaborated to identify Unit 29155, a Russian military cyber unit responsible for ongoing malicious activities over the past four years.

Unit 29155, part of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), has been involved in multiple computer network intrusions, using tools like the Whispergate malware in cyber warfare operations, particularly against Ukraine.

Whispergate, similar to NotPetya, was deployed in Ukraine before Russia’s illegal invasion in February 2022. While it initially appears to function as ransomware, its true purpose is to delete systems’ master boot records.

The attribution of Whispergate to a specific advanced persistent threat (APT) operation, specifically Unit 29155, highlights the significance Russian military intelligence places on utilizing cyberspace for unlawful activities.

Unit 29155, also known as the 161st Specialist Training Centre or by various names such as Cadet Blizzard, Ember Bear, Frozenvista, UNC2589, and UAC-0056, consists of junior GRU personnel and third-party contractors, including cyber criminals. It differs from other GRU-backed APTs such as Unit 26165 (Fancy Bear) and Unit 74455 (Sandworm).

The NCSC stated that Unit 29155 targets victims to gather espionage information, deface websites, steal and leak sensitive data, and disrupt daily operations.

Modus operandi

Unit 29155 often exploits publicly disclosed vulnerabilities to infiltrate networks, using exploit scripts from GitHub repositories. It has targeted flaws in Microsoft Windows Server, Atlassian Confluence Server, Red Hat, Dahua security products, and Sophos solutions.

The unit relies on red teaming tactics and publicly available tools rather than custom solutions, leading to misattribution of attacks to other groups. It maintains a presence in the underground cyber criminal community, using dark web forums to acquire malware and loaders.

During attacks, Unit 29155 uses VPN services for anonymity, exploits weaknesses in internet-facing systems, and leverages IoT device vulnerabilities. It deploys Meterpreter payloads for command-and-control (C2) communication and exfiltrates data using various methods, including DNS tunnelling and PowerShell.
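As an added defender-side illustration (not part of the NCSC advisory or this article), the following Python heuristic flags the DNS tunnelling pattern mentioned above in a constructed DNS query log: registered domains that repeatedly receive queries whose subdomain labels are long and high-entropy, which is what chunked exfiltrated data looks like in query names. The log format, field positions, and thresholds are assumptions to be tuned against a real environment's baseline.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one query per line: "<timestamp> <client> <qname> <qtype>".
# Not taken from any real incident. The tunnel.example lines imitate exfiltration over DNS,
# where stolen data is chunked into long hex labels that the attacker-controlled nameserver reads.
SAMPLE_LOG = """\
2024-09-05T10:00:01Z 10.1.2.3 www.example.com A
2024-09-05T10:00:02Z 10.1.2.3 mail.example.com MX
2024-09-05T10:00:03Z 10.1.2.3 3f9a1c7e4b2d8e0a5c6f1b9d.4e2a7c9b0f1d3e5a6b8c.tunnel.example TXT
2024-09-05T10:00:03Z 10.1.2.3 8d1e5a3c7b9f0e2d4a6c8b1f.9c3e5a7b1d2f4e6a8c0b.tunnel.example TXT
2024-09-05T10:00:04Z 10.1.2.3 a2c4e6b8d0f1e3a5c7b9d1f3.0b2d4f6a8c1e3a5b7d9f.tunnel.example TXT
2024-09-05T10:00:04Z 10.1.2.3 5e7a9c1b3d6f8e0a2c4b6d8f.1f3a5c7e9b0d2f4a6c8e.tunnel.example TXT
2024-09-05T10:00:05Z 10.1.2.3 www.example.com A
"""

def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score higher than dictionary words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Assumption: the registered domain is the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def flag_dns_tunnelling(log: str, min_queries: int = 3, min_subdomain_len: int = 30,
                        min_entropy: float = 3.0) -> dict:
    """Return {registered_domain: hit_count} for domains that repeatedly receive queries
    whose subdomain part is both long and high-entropy (thresholds are assumed defaults)."""
    hits = defaultdict(int)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        qname = parts[2]
        domain = registered_domain(qname)
        sub = qname[: -len(domain)].rstrip(".")  # everything left of the registered domain
        if len(sub) >= min_subdomain_len and shannon_entropy(sub) >= min_entropy:
            hits[domain] += 1
    return {d: n for d, n in hits.items() if n >= min_queries}

if __name__ == "__main__":
    for domain, n in flag_dns_tunnelling(SAMPLE_LOG).items():
        print(f"possible DNS tunnelling: {domain} ({n} long high-entropy queries)")
```

Ordinary hostnames such as www.example.com never reach the length threshold, so only tunnel.example is reported for the sample log; in production the hit count per domain should be compared against a learned baseline rather than a fixed value.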

Defenders are advised to review the detailed technical information and mitigation guidance provided by the US Cybersecurity and Infrastructure Security Agency in the advisory notice.