Russian Military Hackers Attacking Attacking U.S. and Global Critical Infrastructure

The NSA, FBI, CISA, and allies have assessed the cyber actors associated with the Russian General Staff Main Intelligence Directorate (GRU), Unit 29155, who are responsible for conducting computer network operations against global targets with the intent of espionage, sabotage, and reputational damage.

As early as January 13, 2022, cyber actors from the GRU Unit 29155 started attacking several Ukrainian victim companies with the devastating WhisperGate malware. 

This WhisperGate is a multi-stage wiper designed to resemble ransomware that has been employed against several government, non-profit, and information technology companies in Ukraine from at least January 2022.

TTPs Linked with Unit 29155 Cyber Actors

The objectives of cyber actors associated with Unit 29155 seem to include gathering data for espionage purposes, damaging reputations via the stealing and disclosure of confidential information, and intentional disruption of data.

According to the FBI, the cyber actors are junior GRU officers serving on active duty who are guided by experienced Unit 29155 leadership. By carrying out cyber operations and incursions, these individuals seem to be developing their technical capabilities and acquiring expertise in the field of cybersecurity.

The Russian hackers called by the aliases Cadet Blizzard (formerly known as DEV-0586) by Microsoft and Ember Bear (Bleeding Bear by CrowdStrike) have been officially identified by the US authorities as the ones behind extensive attacks on the vital infrastructure of the United States.

Further, Unit 29155 cyber actors have carried out computer network operations against multiple members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, and Central Asia.

Cyber campaigns, including data exfiltration, infrastructure scanning, website defacements, and data leak operations, are all part of the activity. 

These attackers exploit their vulnerabilities to collect victim data that has been exfiltrated and sold or made public. Since early 2022, cyber attackers have targeted and disrupted relief initiatives in Ukraine. 

“To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries”, reads the joint advisory.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

For scanning and vulnerability exploit attempts, the group has used tools including Acunetix, Amass, Droopescan, JoomScan, MASSCAN, Netcat, Nmap, Shodan, VirusTotal, and WPScan.

Cybercriminals have a history of using VPNs to conceal their operations. They often try to take advantage of vulnerabilities in systems accessible over the Internet.

They exploited exploitation scripts to gain access to IP cameras using their default identities and passwords, utilized Shodan to search for Internet of Things (IoT) devices, and extracted files (JPG files). 

The group has used virtual private servers (VPSs) to host their operational tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data. 

Mitigations

• Prioritize regular system upgrades and fix vulnerabilities that have been known to be exploited.
• Divide networks into segments to stop malicious behavior from spreading.
• For all externally facing account services, including webmail, VPN, and accounts that access vital systems, enable phishing-resistant multifactor authentication (MFA).

“It is important for organizations to use this information and take immediate action to secure data and mitigate any harm caused by these malicious cyber actors”, Dave Luber, NSA’s Cyber Security Director.

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!