
CISA reveals tactics of Russian threat actors hitting global CNI targets

"These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions."

Threat actors operating under the Russian flag are targeting critical national infrastructure (Photo by Imitat on Unsplash)

Inside a shadowy Russian training centre, fledgling state-sponsored hackers are learning their craft by targeting critical national infrastructure (CNI) in the US, UK and across the world.

That's according to CISA and a group of international partners, including the United Kingdom National Cyber Security Centre (NCSC-UK), who have released new details of a threat actor responsible for "computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020."

The group is called Unit 29155 and is known to deploy the "destructive" WhisperGate malware against its targets.

In a cybersecurity advisory, CISA shared tactics, techniques, and procedures (TTPs) associated with Unit 29155 as well as CVEs for security teams to patch.

"FBI, NSA, and CISA assess Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe. Unit 29155 cyber actors’ objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data.

"FBI assesses the Unit 29155 cyber actors to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations."

Unit 29155 cyber actors have conducted "computer network operations" against "numerous members" of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, and Central Asia.

Activity has included website defacements, infrastructure scanning, data exfiltration, and data leak operations. The attackers sell or publicly release exfiltrated victim data and their primary focus appears to be targeting and disrupting efforts to provide aid to Ukraine.

To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries.

Unit 29155 is known to launch offensive operations and scanning activity against CNI and key resource sectors, including government, financial services, transportation systems, energy, and healthcare, scanning IP ranges [T1595.001] used by "multiple government and critical infrastructure organisations", CISA warned.
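The scanning of IP ranges described above (MITRE ATT&CK T1595.001) leaves a recognisable trace in perimeter logs: one source address touching many distinct hosts in a short window. The following is an added example, not code from the CISA advisory or from The Stack, showing one way a security team might hunt for that pattern. It assumes a simplified, made-up firewall log format ("<ISO 8601 timestamp> action=<deny|allow> src=<ip> dst=<ip> dport=<port>"); the log lines, addresses and thresholds are constructed for illustration, and the `find_sweeps` function and its parameters are the author's own choices, not anything the advisory specifies.

```python
"""Hunt for IP-range sweeps (T1595.001) in firewall logs.

Added example: the log format, sample lines, addresses and thresholds
below are constructed and are not taken from the CISA advisory.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (hypothetical, simplified firewall syslog line).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 203.0.113.7 sweeps twelve hosts in twelve seconds,
# then one more host five minutes later; 192.0.2.10 is ordinary traffic.
SAMPLE_LOGS = """
2024-09-05T10:00:01 action=deny src=203.0.113.7 dst=198.51.100.1 dport=22
2024-09-05T10:00:02 action=deny src=203.0.113.7 dst=198.51.100.2 dport=22
2024-09-05T10:00:03 action=deny src=203.0.113.7 dst=198.51.100.3 dport=22
2024-09-05T10:00:04 action=deny src=203.0.113.7 dst=198.51.100.4 dport=22
2024-09-05T10:00:05 action=allow src=192.0.2.10 dst=198.51.100.5 dport=443
2024-09-05T10:00:05 action=deny src=203.0.113.7 dst=198.51.100.5 dport=22
2024-09-05T10:00:06 action=deny src=203.0.113.7 dst=198.51.100.6 dport=22
2024-09-05T10:00:07 action=deny src=203.0.113.7 dst=198.51.100.7 dport=22
2024-09-05T10:00:08 action=deny src=203.0.113.7 dst=198.51.100.8 dport=22
2024-09-05T10:00:09 action=allow src=192.0.2.10 dst=198.51.100.5 dport=443
2024-09-05T10:00:09 action=deny src=203.0.113.7 dst=198.51.100.9 dport=22
2024-09-05T10:00:10 action=deny src=203.0.113.7 dst=198.51.100.10 dport=22
2024-09-05T10:00:11 action=deny src=203.0.113.7 dst=198.51.100.11 dport=22
2024-09-05T10:00:12 action=deny src=203.0.113.7 dst=198.51.100.12 dport=22
2024-09-05T10:00:30 action=allow src=192.0.2.10 dst=198.51.100.6 dport=443
2024-09-05T10:05:00 action=deny src=203.0.113.7 dst=198.51.100.13 dport=22
"""


def parse_logs(text):
    """Return (timestamp, src, dst, dport) tuples; unparseable lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(
            (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))
        )
    return events


def find_sweeps(text, window_seconds=60, min_targets=10):
    """Map each source IP to the largest number of distinct destination hosts
    it contacted within any window of `window_seconds`, keeping only sources
    that reached `min_targets` or more. A host that touches many distinct
    targets quickly is the signature of an IP-block sweep."""
    by_src = defaultdict(list)
    for ts, src, dst, _dport in parse_logs(text):
        by_src[src].append((ts, dst))

    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        best = 0
        # Sliding window anchored at each event; O(n^2) per source, fine for a hunt.
        for i, (t0, _) in enumerate(evs):
            seen = set()
            for t, dst in evs[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                seen.add(dst)
            best = max(best, len(seen))
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, count in find_sweeps(SAMPLE_LOGS).items():
        print(f"possible sweep from {src}: {count} distinct hosts within 60s")
```

The window matters: the scanner in the sample contacts thirteen distinct hosts overall, but only twelve fall inside any sixty-second window, so the late straggler is not counted. Tune `window_seconds` and `min_targets` to the size of the monitored ranges; deny-only filtering and per-port breakdowns are natural next refinements.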

They are known to have exploited CVE-2021-33044 and CVE-2021-33045 impacting Dahua Security; CVE-2022-26134 and CVE-2022-26138 affecting Atlassian Confluence Server and Data Center; and CVE-2022-3236 in Sophos Firewall.

Jamie Moles, Senior Technical Manager at ExtraHop, told The Stack: "The latest allegations about Russia's Unit 29155's cyber activities underscore the increasingly sophisticated and aggressive tactics employed by state-sponsored actors to undermine global stability.

"These attacks not only target critical infrastructure but also seek to disrupt humanitarian efforts and erode public trust. It's imperative that governments and private sector entities strengthen their cybersecurity defences by investing in robust security solutions, including Network Detection and Response (NDR) systems."

You can download the IOCs here or here.
