UK and allies reveal methodology of Russian GRU threat actor Unit 29155

Group has targeted organisations including governments and critical infrastructure providers for espionage purposes

The UK National Cyber Security Centre (NCSC) and allied international agencies have pointed the finger at Unit 29155, a unit of Russia's military intelligence service GRU, as being responsible for a campaign of malicious activity targeting government and critical infrastructure organisations around the world.

The NCSC and agencies in the US, the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada, Australia and Ukraine, revealed the tactics and techniques used by Unit 29155 to carry out cyber operations in a detailed joint advisory posted on the website of the US Cybersecurity and Infrastructure Security Agency (CISA).

In a post on its website, the NCSC says that Unit 29155 (also known as 161st Specialist Training Centre) has targeted organisations including governments and critical infrastructure providers for espionage purposes since at least 2020. The group has also stolen and leaked sensitive information, defaced websites and undertaken systematic sabotage by destroying data. It does not name the organisations affected.

The group was also responsible for deploying WhisperGate malware, designed to destroy files on victims' systems, against multiple organisations in Ukraine prior to Russia's invasion in 2022. Since then, the group has been involved in efforts to disrupt international support for Ukraine, according to the NCSC.

The NCSC's director of operations, Paul Chichester, said: "The exposure of Unit 29155 as a capable cyber actor illustrates the importance that Russian military intelligence places on using cyberspace to pursue its illegal war in Ukraine and other state priorities."

Unit 29155 is thought to comprise junior active-duty GRU officers working under the direction of experienced Unit 29155 leadership. It works with better-known GRU groups such as Fancy Bear and Sandworm, and also with known cybercriminals and enablers.

The advisory provides a list of recommended actions for organisations to mitigate the threat, including:

Limiting adversarial use of common vulnerabilities, by prioritising patching according to CISA's Known Exploited Vulnerabilities (KEV) catalogue, especially for the vulnerabilities identified in the advisory. These include vulnerabilities in Sophos Firewall, Atlassian Confluence, Red Hat, Microsoft Windows and Dahua Security software.

Deploying protective controls and architecture, including network segmentation, identity and access management and multi-factor authentication. Organisations should also disable and/or restrict use of the command line and PowerShell, monitor for unauthorised access attempts and anomalies, and ensure all encryption protocols are up to date.

Applying security controls, including testing the organisation's security programmes against the MITRE ATT&CK for Enterprise framework, which covers a range of cyberattack scenarios.
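The first of those actions, prioritising patches against the KEV catalogue, is the one most teams can automate immediately. The script below is an added example written for this article; it is not code from the NCSC, CISA or the advisory. It uses the field names of CISA's public KEV JSON feed ("vulnerabilities" entries carrying "cveID", "vendorProject", "product", "dueDate" and "knownRansomwareCampaignUse"), but the feed content, the asset inventory and the set of advisory-listed CVEs are constructed sample data, and the CVE identifiers are placeholders rather than real vulnerabilities. It ranks scanner findings so that advisory-listed and overdue KEV entries reach the top of the patch queue.

```python
"""Triage scanner findings against CISA's Known Exploited Vulnerabilities (KEV) feed.

Added example, not from the NCSC/CISA advisory or the article.  Field names
match the public KEV JSON feed; all data below is constructed, and the CVE
identifiers are placeholders, not real vulnerabilities.
"""
import json
from datetime import date

# Constructed stand-in for the KEV JSON feed (same field names as the real feed).
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the real catalogue",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Sophos", "product": "Firewall",
         "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Atlassian", "product": "Confluence",
         "dateAdded": "2024-03-05", "dueDate": "2024-03-26", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2024-02-20", "dueDate": "2024-03-12", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendor", "product": "Widget",
         "dateAdded": "2024-05-01", "dueDate": "2024-05-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed asset inventory: hostname -> CVEs reported by a vulnerability scanner.
SAMPLE_INVENTORY = {
    "fw-edge-01": ["CVE-0000-0001", "CVE-0000-9999"],
    "wiki-01": ["CVE-0000-0002"],
    "ws-1042": ["CVE-0000-0003", "CVE-0000-0004"],
    "db-01": ["CVE-0000-9998"],
}

# Placeholder for the CVEs the advisory calls out; populate this from the advisory itself.
ADVISORY_CVES = {"CVE-0000-0001", "CVE-0000-0002"}


def load_kev(feed_json):
    """Parse the KEV feed into {cveID: entry} so lookups are constant time."""
    data = json.loads(feed_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def prioritise_patches(kev, inventory, advisory_cves=frozenset(), today=None):
    """Return the inventory findings that are in KEV, most urgent first.

    Ranking: advisory-listed CVEs first, then CVEs already past their KEV due
    date, then earliest due date.  Findings not in KEV are left out of this
    queue; they still need patching, just on the normal schedule.
    `today` is an ISO date string (defaults to the current date).
    """
    today = date.fromisoformat(today) if today else date.today()
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": host,
                "cve": cve,
                "vendor": entry["vendorProject"],
                "product": entry["product"],
                "due": due,
                "overdue": due < today,
                "in_advisory": cve in advisory_cves,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    # False sorts before True, so "not in_advisory" puts advisory CVEs first.
    findings.sort(key=lambda f: (not f["in_advisory"], not f["overdue"], f["due"], f["host"]))
    return findings


def kev_coverage(kev, inventory):
    """Fraction of distinct inventory CVEs that appear in KEV (a quick triage metric)."""
    distinct = {cve for cves in inventory.values() for cve in cves}
    if not distinct:
        return 0.0
    return len(distinct & set(kev)) / len(distinct)


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for f in prioritise_patches(kev, SAMPLE_INVENTORY, ADVISORY_CVES, today="2024-04-01"):
        flags = [n for n in ("in_advisory", "overdue", "ransomware") if f[n]]
        print(f"{f['host']:<12}{f['cve']:<16}{f['vendor']:<14}due {f['due']}  {' '.join(flags)}")
    print(f"KEV coverage of inventory: {kev_coverage(kev, SAMPLE_INVENTORY):.0%}")
```

In practice the feed would be fetched from CISA rather than embedded, and the inventory would come from the scanner's export; the ranking logic stays the same. Keeping the advisory-listed CVEs as a separate input makes it easy to re-run the triage when a new advisory names additional identifiers.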

Commenting on the announcement, Michael Covington, VP of strategy at Jamf, said that identifying threat actors and publishing details of their methodology is an unusual tactic, but added that it should help organisations defend themselves. "The attack details published as part of this release are important for both those in analyst roles and the defenders responsible for incorporating this threat intelligence into security tooling and policy controls aimed at neutralising these threats in the future."