Alert Issued About Russian Hacking Group Attacking Critical Infrastructure

By Daniel Lopez

The Federal Bureau of Investigation (FBI), National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and their partners have published a joint cybersecurity warning regarding Russian military hackers targeting critical infrastructure in the U.S. and other NATO nations. These hackers are believed to be linked to the Russian General Staff Main Intelligence Directorate (GRU), specifically the 161st Specialist Training Center, or Unit 29155. Despite this affiliation, the group operates independently from other established GRU hacking units. Cybersecurity firms are tracking this group under various names, including Cadet Blizzard, Frozenvista, Ember Bear, UAC-0056, and UNC2589.

Active since 2020, this hacking group conducts global cyber operations focused on espionage, sabotage, and reputational damage. Since January 2022, it has intensified attacks on Ukrainian organizations, using destructive malware called WhisperGate. Its campaigns have also extended to NATO countries in North America and Europe, involving infrastructure surveillance, website defacements, and data theft. Stolen information is often sold or exposed online, primarily to inflict reputational damage. The most heavily targeted sectors include financial institutions, government services, healthcare, energy, and transportation.

The group is composed primarily of junior GRU officers, guided by more senior Unit 29155 members, and engages in these cyber operations to gain experience and refine their technical skills. According to the FBI, these Unit 29155 actors sometimes collaborate with non-GRU members, such as cybercriminals and facilitators, to execute their operations.

These threat actors have exploited vulnerabilities including the Atlassian Confluence vulnerabilities (CVE-2022-26134 and CVE-2022-26138), the Dahua Security vulnerabilities (CVE-2021-33044 and CVE-2021-33045), and the Sophos Firewall vulnerability (CVE-2022-3236). They have also been observed using exploit scripts for other vulnerabilities, such as CVE-2021-26084 (Atlassian Confluence Server and Data Center), CVE-2020-1472 (Microsoft Windows Server), CVE-2022-27666 (Red Hat: heap buffer overflow vulnerability), and CVE-2021-3156 (Red Hat: Polkit privilege escalation).

Critical infrastructure organizations, including HIPAA-covered entities, are advised to take the following actions to bolster their cybersecurity measures:

  • Promptly patch known vulnerabilities
  • Ensure software is running up-to-date versions
  • Follow the other mitigations outlined in the advisory
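One way to act on the first two items, as an added example that is not part of the advisory or this article: a small Python inventory check that matches installed versions against the CVEs named above. The product names and CVE IDs are taken from the text; the hostnames and every version number are constructed placeholders, not real patch levels.

```python
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'7.13.4' -> (7, 13, 4). Tuples compare numerically, so 2.9 < 2.10;
    a plain string comparison would rank them the other way round."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    cve: str


def find_exposed(inventory, fixed_versions):
    """One Finding per (host, CVE) whose installed version is older than the fix.

    inventory:      iterable of (host, product, version); dotted numeric versions
    fixed_versions: {product: [(cve_id, first_fixed_version), ...]}
    Products absent from fixed_versions are skipped (nothing to compare against).
    """
    findings = []
    for host, product, version in inventory:
        for cve, fixed in fixed_versions.get(product, []):
            if parse_version(version) < parse_version(fixed):
                findings.append(Finding(host, product, version, cve))
    return findings


# CVE IDs and products come from the advisory summary above. The version
# numbers are CONSTRUCTED placeholders for this example, not real patch
# levels; substitute the fixed versions from each vendor's advisory.
EXAMPLE_FIXED_VERSIONS = {
    "Atlassian Confluence": [("CVE-2022-26134", "2.0.0"), ("CVE-2021-26084", "1.5.0")],
    "Sophos Firewall": [("CVE-2022-3236", "2.10.0")],
    "Dahua camera firmware": [("CVE-2021-33044", "4.0.0"), ("CVE-2021-33045", "4.0.0")],
}

# Constructed inventory: hostnames and versions are sample data.
EXAMPLE_INVENTORY = [
    ("wiki-01", "Atlassian Confluence", "1.4.2"),    # below both fixes
    ("wiki-02", "Atlassian Confluence", "2.1.0"),    # patched
    ("fw-edge", "Sophos Firewall", "2.9.0"),         # older than 2.10.0 numerically
    ("cam-lobby", "Dahua camera firmware", "4.0.0"), # exactly at the fix
    ("db-01", "PostgreSQL", "15.3"),                 # not in the advisory
]

if __name__ == "__main__":
    for f in find_exposed(EXAMPLE_INVENTORY, EXAMPLE_FIXED_VERSIONS):
        print(f"{f.host}: {f.product} {f.version} is exposed to {f.cve}")
```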

The U.S. State Department has offered a $10 million reward through its Rewards for Justice program for information leading to the identification of five suspected GRU Unit 29155 hackers: Vladislav Borovkov, Yuriy Denisov, Denis Igorevich Denisenko, Nikolay Aleksandrovich Korchagin, and Dmitry Yuryevich Goloshubov.


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X at https://twitter.com/DanielLHIPAA