Nine international cyber crime agencies are urging action following a report into Russian state threats.
The agencies, which include the US National Security Agency and the UK National Cyber Security Agency, say Russian military intelligence services are responsible for espionage, sabotage and reputational harm.
They say GRU Unit 29155 (a unit of Russia’s military intelligence service) has expanded its tradecraft to include offensive cyber operations and deployed Whispergate malware against Ukrainian victim organisations.
In a new joint advisory statement, the National Cyber Security Centre (NCSC) – a part of GCHQ – and agencies in the United States, the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada, Australia and Ukraine have revealed the tactics and techniques used by Unit 29155 of the Russian GRU to carry out cyber operations globally.
It is the first time the UK has publicly exposed Unit 29155, also designated as 161st Specialist Training Centre, as being responsible for carrying out malicious cyber activity, which it has undertaken since at least 2020.
Since 2022, the group’s overall aim seems to have been to target and disrupt efforts to provide aid to Ukraine. Today, the UK and allies can confirm that it was Unit 29155 specifically that was responsible for deploying the Whispergate malware against multiple victims across Ukraine prior to Russia’s invasion in 2022.
To mitigate this malicious cyber activity, organisations should take the following actions today:
- Prioritize routine system updates and remediate known exploited vulnerabilities.
- Segment networks to prevent the spread of malicious activity.
- Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.
Paul Chichester, Director of Operations at the National Cyber Security Centre, said:
“The exposure of Unit 29155 as a capable cyber actor illustrates the importance that Russian military intelligence places on using cyberspace to pursue its illegal war in Ukraine and other state priorities.
“The UK, alongside our partners, is committed to calling out Russian malicious cyber activity and will continue to do so.
“The NCSC strongly encourages organisations to follow the mitigation advice and guidance included in the advisory to help defend their networks.”
The advisory says the Unit, which is assessed to be made up of junior active-duty GRU officers, also relies on non-GRU actors, including known cyber criminals and enablers, to conduct its operations. The group differs from the more established GRU-related cyber groups Unit 26165 (Fancy Bear) and Unit 74455 (Sandworm).