The hackers reportedly work for a military intelligence unit responsible for coups, sabotage, and assassination attempts in Europe.
A joint cybersecurity advisory issued by multiple U.S. agencies identified a clandestine Russian military unit as responsible for cyber attacks against global targets.
The advisory was issued by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) together with foreign partners from nine countries, including the United Kingdom and Canada.
“Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe,” said the Sept. 5 advisory.
“Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.”
Unit 29155 operates under Russia’s General Staff Main Intelligence Directorate (GRU), a military intelligence agency under the country’s armed forces. The unit’s cyber actors target critical infrastructure and key resource sectors like foreign government services, transportation systems, financial services, health care sectors, and energy sectors in NATO countries, the European Union, North America, Latin America, and Asia, the advisory noted.
The group’s activities point to goals such as collecting information for espionage, destroying data to sabotage a target’s systems, and causing reputational harm by stealing and leaking sensitive information, the agencies stated.
Unit 29155 has been carrying out cyber attacks against global targets since at least 2020. The unit’s cyber actors were responsible for deploying the “destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022,” the advisory said.
“To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries.” Domain scanning is reconnaissance that probes a domain’s internet-facing hosts and services for weaknesses an attacker could exploit.
To counter threats posed by Unit 29155, the advisory urges organizations to prioritize routine system updates and remediate known exploited vulnerabilities. It recommends segmenting networks to limit the spread of malicious activity.
In addition, it suggested enabling “phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.”