UK and Allies Unveil Russian Military Unit Conducting Cyber Attacks and Digital Sabotage
The British government and its international allies have for the first time uncovered a Russian military unit responsible for cyber attacks and digital sabotage. This revelation highlights the growing threat of state-sponsored cybercrime and the need for enhanced security measures.
Key Findings
- The UK and nine international allies have identified Russian military actors conducting computer network operations for espionage, sabotage, and disinformation.
- GRU unit 29155 has expanded its methods to carry out offensive cyber operations and deploy Whispergate malware against Ukrainian victim organisations.
- UK organisations are encouraged to follow the advice in the advisory to defend against online threats.
Joint Advisory from the UK and Allies
In a new joint advisory, the National Cyber Security Centre (NCSC) – part of GCHQ – and agencies in the USA, the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Canada, Australia, and Ukraine have disclosed the tactics and techniques of the Russian GRU unit 29155 for conducting global cyber operations.
Unit 29155 is suspected of targeting organisations to gather information for espionage purposes, causing reputational damage through the theft and leaking of sensitive information, defacing victim websites, and conducting systematic sabotage through data destruction.
First Public Disclosure of Unit 29155
This is the first time that the United Kingdom has publicly revealed unit 29155, also referred to as the 161st Special Training Centre, as responsible for malicious cyber activities that it has been conducting since at least 2020.
Since 2022, the group’s main objective appears to be to disrupt efforts to support Ukraine. Today, the United Kingdom and its allies can confirm that it was specifically unit 29155 that deployed the Whispergate malware against multiple victims in Ukraine prior to the Russian invasion in 2022.
Recommendations for Countering Cyber Threats
To prevent these malicious activities from affecting British organisations, the NCSC strongly advises network defenders to follow the recommended measures in the advisory to strengthen their cyber resilience.
Paul Chichester, Director of Operations at the NCSC, said:
"The revelation of unit 29155 as a capable cyber actor underscores the importance that the Russian military intelligence places on cyberspace to pursue its illegal war in Ukraine and other state priorities.
The United Kingdom, along with our partners, is determined to expose Russian malicious cyber activities and will continue to do so.
The NCSC urgently encourages organisations to follow the mitigation recommendations and guidelines contained in the advisory to defend their networks."
Collaboration with International Partners
The advisory states that the unit, consisting of young active GRU officers, also relies on non-GRU actors, including known cybercriminals and supporters, to carry out its operations. The group differs from the more established GRU-related cyber groups, unit 26165 (Fancy Bear) and unit 74455 (Sandworm).
The NCSC has previously revealed details of malware operations used by Russian military intelligence cyber actors to target the Ukrainian military, and has also urged organisations to take action following Russia’s attack on Ukraine.
In May 2022, the United Kingdom and its allies attributed the use of Whispergate malware in Ukraine to Russian military intelligence, but this new advisory goes further by specifically attributing its use to unit 29155.
The advisory also includes further analysis of the malware used, to help network defenders identify malicious infrastructure.
Sources
- UK and allies uncover Russian military unit carrying out… – NCSC.GOV.UK, National Cyber Security Centre.