A secret unit of the Russian military intelligence agency, previously known for its involvement in assassinations and destabilizing operations across Europe, is now linked to cyber espionage and sabotage, according to a joint report published by the U.S. government and its allies. As reported by Securityweek and Wired.
The report focuses on the GRU's Unit 29155, which, according to the findings, is actively conducting aggressive cyberattacks worldwide. This includes the use of malware such as WhisperGate, which has disrupted systems in Ukraine. The unit was previously associated with attempts to assassinate Bulgarian businessman Emilijan Gebrev and former GRU agent Sergei Skripal.
Since 2020, Unit 29155 has been involved in cyber operations including espionage, sabotage, and data leaks. The report reveals that the unit not only employs GRU officers but also recruits cybercriminals for its operations.
In addition to the public statement linking Cadet Blizzard to Unit 29155, the U.S. Cybersecurity and Infrastructure Security Agency has released recommendations detailing the group’s hacking methods and ways to detect and neutralize their attacks. The U.S. Department of Justice has indicted five members of the group in absentia, adding to a sixth member who was previously charged without public acknowledgment of Unit 29155.
"The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion," stated Matthew G. Olsen, Assistant Attorney General of the U.S. Department of Justice.
The U.S. State Department has also posted a $10 million reward on its Rewards for Justice website for information that leads to the identification or location of the group's members, including their photographs.
In addition to its previously known operations against Ukraine, representatives from Western intelligence agencies have informed WIRED that Unit 29155 of the Russian GRU has also targeted a wide range of organizations across North America, Eastern and Central Europe, Central Asia, and Latin America. Their targets include transportation and medical sectors, government institutions, and critical infrastructure, including energy systems. However, officials have declined to provide more specific details.
According to representatives, there is evidence suggesting that Unit 29155 was preparing for more destructive cyberattacks similar to WhisperGate, although there is no confirmation that such attacks have actually occurred.
In June, the U.S. State Department revealed separately that the same GRU hackers responsible for WhisperGate also sought vulnerabilities in critical infrastructure in the U.S., particularly in the energy, government, and aerospace sectors. A recently unsealed indictment by the U.S. Department of Justice against these hackers claims that they conducted 63 attempts to probe a U.S. government agency's network in Maryland—though it is not disclosed whether these attempts were successful—and sought vulnerabilities in networks across at least 26 NATO countries.
In many cases, the apparent goal of Unit 29155's hacking efforts has been military espionage, according to Western intelligence sources. For example, in a Central European country, the group reportedly hacked a railway agency to monitor train deliveries to Ukraine. Within Ukraine, the hackers are said to have accessed surveillance cameras of consumers, possibly to track the movement of Ukrainian troops or weapons. Ukrainian officials had previously warned that Russia used such tactics to target missile strikes, though intelligence sources speaking with WIRED had no evidence that Unit 29155's operations were used specifically for missile targeting.
Sources from Western intelligence agencies told WIRED that Unit 29155 was established in 2020, primarily engaging in espionage rather than more destructive cyberattacks until recent years. However, they suggest that the unit might have been compelled to develop its own specialized hacking team due to internal competition within the GRU and the increasing influence of the group following purported successes, even including the failed attempt on Skripal.
According to Western intelligence officials, the hacking team of Unit 29155 consists of only about 10 members, all relatively young GRU officers. This small group has also, in some cases, collaborated with Russian cybercriminals to expand their resources and utilize widespread cybercriminal malware, making it more challenging to attribute their operations directly to Russia.
Cybersecurity experts are urging organizations to bolster their defenses and update their systems to prevent potential attacks.