NCSC and allies call out Russia’s Unit 29155 over cyber warfare
The UK's National Cyber Security Centre (NCSC), together with intelligence agencies from the Five Eyes alliance and partner countries including Czechia, Estonia, Germany, Latvia and Ukraine, has identified Unit 29155, a Russian military cyber unit responsible for ongoing malicious activity over the past four years.
Unit 29155, part of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), has been involved in multiple computer network intrusions, using tools like the Whispergate malware in cyber warfare operations, particularly against Ukraine.
Whispergate, similar to NotPetya, was deployed in Ukraine before Russia’s illegal invasion in February 2022. While it initially appears to function as ransomware, its true purpose is to delete systems’ master boot records.
The attribution of Whispergate to a specific advanced persistent threat (APT) operation, specifically Unit 29155, highlights the significance Russian military intelligence places on utilizing cyberspace for unlawful activities.
Unit 29155, also known as the 161st Specialist Training Centre and tracked under names such as Cadet Blizzard, Ember Bear, Frozenvista, UNC2589 and UAC-0056, consists of junior GRU personnel and third-party contractors, including cyber criminals. It is distinct from other GRU-backed APTs such as Unit 26165 (Fancy Bear) and Unit 74455 (Sandworm).
The NCSC stated that Unit 29155 targets victims to gather espionage information, deface websites, steal and leak sensitive data, and disrupt daily operations.
Modus operandi
Unit 29155 often exploits publicly disclosed vulnerabilities to infiltrate networks, using exploit scripts taken from GitHub repositories. It has targeted flaws in Microsoft Windows Server, Atlassian Confluence Server, Red Hat, Dahua security products and Sophos solutions.
The unit relies on red teaming tactics and publicly available tools rather than custom solutions, leading to misattribution of attacks to other groups. It maintains a presence in the underground cyber criminal community, using dark web forums to acquire malware and loaders.
During attacks, Unit 29155 uses VPN services for anonymity, exploits weaknesses in internet-facing systems and leverages IoT device vulnerabilities. It deploys Meterpreter payloads for command-and-control (C2) communication and exfiltrates data by various methods, including DNS tunnelling and PowerShell.
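DNS tunnelling, one of the exfiltration methods named above, leaves a recognisable footprint in resolver logs: many queries to one registered domain, each carrying a long, high-entropy, rarely repeated subdomain label, often of type TXT or NULL. The following is an added defender-side example, not code from the NCSC or CISA advisory, that profiles DNS query logs per registered domain and flags domains matching that pattern. The log lines are constructed for the example (the domain names `ex-tunnel.test`, `example.com` and `cdn-example.test` are placeholders), the log format is assumed to be `timestamp client qtype qname`, and the registered domain is approximated as the last two labels rather than looked up against the public suffix list.

```python
"""Heuristic detector for DNS-tunnelling exfiltration in DNS query logs (added example)."""
import math
from collections import defaultdict

# Constructed sample resolver log, not taken from any advisory.
# Assumed format per line: "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2024-09-05T10:00:01Z 10.0.0.12 A www.example.com
2024-09-05T10:00:02Z 10.0.0.12 A mail.example.com
2024-09-05T10:00:03Z 10.0.0.12 TXT 3a7f9c2e1b4d8e6f0a1b2c3d4e5f6a7b.ex-tunnel.test
2024-09-05T10:00:03Z 10.0.0.12 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.ex-tunnel.test
2024-09-05T10:00:04Z 10.0.0.12 A api.example.com
2024-09-05T10:00:04Z 10.0.0.12 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.ex-tunnel.test
2024-09-05T10:00:05Z 10.0.0.12 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.ex-tunnel.test
2024-09-05T10:00:05Z 10.0.0.12 A d2j3k4l5m6n7o8.cdn-example.test
2024-09-05T10:00:06Z 10.0.0.12 TXT deadbeefcafef00d0123456789abcdef.ex-tunnel.test
2024-09-05T10:00:07Z 10.0.0.12 A www.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload chunks score close to log2(alphabet)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def split_name(qname):
    """Return (subdomain, registered_domain).

    Simplification (assumption): the registered domain is the last two labels.
    A production detector would consult the public suffix list instead.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_domains(log_text):
    """Aggregate per-registered-domain features that separate tunnels from normal lookups."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, qtype, qname = parse_line(line)
        sub, dom = split_name(qname)
        per_domain[dom].append((sub, qtype))

    stats = {}
    for dom, queries in per_domain.items():
        subs = [s for s, _ in queries]
        n = len(queries)
        stats[dom] = {
            "queries": n,
            # tunnels rarely repeat a label; caches make normal traffic repetitive
            "distinct_ratio": len(set(subs)) / n,
            "mean_label_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            # TXT/NULL carry the most data per answer, a common tunnel choice
            "txt_null_fraction": sum(1 for _, q in queries if q in ("TXT", "NULL")) / n,
        }
    return stats


def find_tunnel_candidates(log_text, min_queries=4, min_label_len=20,
                           min_entropy=3.0, min_distinct_ratio=0.8):
    """Return registered domains whose query pattern looks like tunnelling.

    min_queries keeps a single hash-like CDN hostname from raising an alert;
    the other thresholds are starting points to tune against local baseline.
    """
    stats = profile_domains(log_text)
    return sorted(dom for dom, s in stats.items()
                  if s["queries"] >= min_queries
                  and s["mean_label_len"] >= min_label_len
                  and s["mean_entropy"] >= min_entropy
                  and s["distinct_ratio"] >= min_distinct_ratio)


if __name__ == "__main__":
    for dom, s in profile_domains(SAMPLE_LOG).items():
        print(dom, s)
    print("candidates:", find_tunnel_candidates(SAMPLE_LOG))
```

On the constructed log, `example.com` (short, repeated labels) and `cdn-example.test` (one hash-like hostname, below the query threshold) are left alone, while `ex-tunnel.test` is flagged: five queries, every subdomain unique, 32-character labels with entropy near 4 bits per character, all TXT. The `txt_null_fraction` is reported but not used as a hard criterion, because tunnels over A or AAAA records exist; treat it as corroborating evidence when triaging.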
Defenders are advised to review the detailed technical information and mitigation guidance provided by the US Cybersecurity and Infrastructure Security Agency in the advisory notice.