The UK’s National Cyber Security Centre (NCSC), along with its counterparts in the Five Eyes intelligence alliance and partners from Czechia, Estonia, Germany, Latvia, and Ukraine, has uncovered the identity of a Russian military cyber unit that has been conducting a prolonged campaign of malicious activities over the past four years.
Known as Unit 29155, part of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), this unit has executed numerous computer network intrusions, employing tools such as Whispergate malware in its cyber operations against Ukraine. Whispergate, which bears similarities to NotPetya, was deployed across Ukraine prior to Russia’s unlawful invasion in February 2022. Although it initially appears to function like ransomware, its true intent is to erase master boot records from targeted systems.
While the connection between Whispergate and Moscow’s intelligence services was already established, this marks the first instance of its use being definitively linked to a specific advanced persistent threat (APT) operation. Paul Chichester, NCSC operations director, stated, “The revelation of Unit 29155 as a capable cyber actor underscores the emphasis Russian military intelligence places on leveraging cyberspace to further its unlawful activities in Ukraine and other national objectives. The UK, in collaboration with our partners, remains dedicated to exposing Russian cyber misconduct and will persist in these efforts. We strongly urge organizations to implement the mitigation advice and guidance provided in the advisory to protect their networks.”
Unit 29155, also referred to as the 161st Specialist Training Centre and recognized by private sector threat analysts under aliases like Cadet Blizzard, Ember Bear (Bleeding Bear), Frozenvista, UNC2589, and UAC-0056, comprises junior active-duty GRU personnel, supplemented by third-party contractors, including known cyber criminals. This unit differs from more established GRU-backed APTs like Unit 26165 (Fancy Bear) and Unit 74455 (Sandworm).
The NCSC noted that the cyber operations by Unit 29155 primarily target organizations for espionage, to deface public websites, damage reputations by stealing and leaking sensitive data, and disrupt everyday operations. The FBI has reported that Unit 29155 has conducted thousands of domain scanning exercises across various NATO and EU member states, focusing on critical national infrastructure, government institutions, financial services, transportation, energy, and healthcare sectors. It is also suspected of participating in physical acts of espionage, including attempted coups and assassination plots.
Operational Tactics
Unit 29155 is known to exploit publicly disclosed vulnerabilities (CVEs) as part of its intrusions, often obtaining exploit scripts from public GitHub repositories. It has targeted flaws in Microsoft Windows Server, Atlassian Confluence Server and Data Center, Red Hat, and security software from China-based Dahua, and from Sophos.
The unit employs red teaming tactics and leverages publicly available tools rather than custom solutions, which has occasionally led to its cyber attacks being misattributed to other groups with similar methods. Additionally, Unit 29155 maintains a presence in underground cyber criminal circles, utilizing dark web forums to procure malware and exploitation tools.
During its attacks, Unit 29155 typically uses VPN services for anonymizing its operations and exploits vulnerabilities in internet-facing systems using the aforementioned CVEs for initial access. Once inside the target environment, it uses Shodan to identify vulnerable IoT devices, including Dahua IP cameras, and employs exploitation scripts to authenticate using default credentials. Successful exploitation allows the unit to dump configuration settings and credentials in plain text.
After compromising a victim system, Unit 29155 can deploy a Meterpreter payload through a reverse Transmission Control Protocol (TCP) connection to communicate with its command and control (C2) infrastructure. For C2 operations, it is known to utilize various virtual private servers to host tools, conduct reconnaissance, exploit victim infrastructures, and steal data.
Once on an internal network, Unit 29155 has demonstrated the ability to use Domain Name System (DNS) tunneling tools to route IPv4 traffic, configure proxies within the victim’s network, and execute commands via ProxyChains for enhanced anonymity. It also uses the open-source GOST tunneling tool (through a SOCKS5 proxy), run under the file name java.
In some attacks, it has been observed exfiltrating data from victims to remote servers using the Rclone command-line tool, as well as extracting various Windows processes and artifacts such as Local Security Authority Subsystem Service (LSASS) memory dumps, Security Accounts Manager (SAM) files, and SECURITY and SYSTEM event log files. Furthermore, it compromises mail servers and exfiltrates email messages using PowerShell.
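For defenders, the tooling described in the two paragraphs above (GOST running under the name java, ProxyChains, and Rclone) can be hunted for in process-creation telemetry. The following is an added example, not code from the advisory or the NCSC; the event fields and sample events are constructed, and the GOST -L/-F flags and Rclone subcommands come from those tools' own documentation rather than from this page.

```python
import re
from pathlib import PureWindowsPath

# GOST-style listener/forwarder arguments: -L or -F, then [scheme://]host:port.
# Assumption: upstream GOST flag syntax; the page itself names no flags.
GOST_ARGS = re.compile(r"\s-[LF](?:=|\s+)(?:[a-z0-9+]+://)?\S*:\d+")
RCLONE_TRANSFER = {"copy", "sync", "move"}   # subcommands that move data off-host
PROXYCHAINS = {"proxychains", "proxychains4"}


def basename(image):
    """Lower-cased executable name without directory or .exe suffix."""
    # PureWindowsPath splits on both "\" and "/", so one parser covers both OSes.
    name = PureWindowsPath(image).name.lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(event):
    """Return the names of the rules one process-creation event matches."""
    name, cmd = basename(event["image"]), event["cmdline"]
    hits = []
    # A real JVM has no -L/-F proxy-listener options, so this pairing is anomalous.
    if name == "java" and GOST_ARGS.search(cmd):
        hits.append("tunnel-masquerading-as-java")
    if name == "rclone" and RCLONE_TRANSFER & set(cmd.lower().split()):
        hits.append("rclone-bulk-transfer")
    if name in PROXYCHAINS:
        hits.append("proxychains-wrapped-command")
    return hits


def triage(events):
    """Flatten matches into (host, rule) pairs for an analyst queue."""
    return [(e["host"], rule) for e in events for rule in classify(e)]


# Constructed sample events (hypothetical hosts, paths and remotes).
EVENTS = [
    {"host": "web01", "image": "/tmp/java", "cmdline": "/tmp/java -L socks5://:1080"},
    {"host": "app02", "image": "/usr/bin/java", "cmdline": "java -Xmx2g -jar /opt/app/app.jar"},
    {"host": "fs03", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Shares\Finance remote1:backup"},
    {"host": "fs03", "image": r"C:\Tools\rclone.exe", "cmdline": "rclone.exe version"},
    {"host": "web01", "image": "/usr/bin/proxychains4", "cmdline": "proxychains4 -q curl http://10.0.0.5/"},
]

if __name__ == "__main__":
    for host, rule in triage(EVENTS):
        print(host, rule)
```

Name-based rules like these miss a renamed Rclone or ProxyChains binary, so they work best alongside hash, signer, or network-behaviour checks.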
Comprehensive technical information, including updated analysis of Whispergate and mitigation strategies, can be found in the advisory notice issued by the US Cybersecurity and Infrastructure Security Agency. Defenders are encouraged to familiarize themselves with Unit 29155’s activities and adhere to the recommendations outlined in the full advisory.