Russian Military Cyber Actors ... Note

Russian Military Cyber Actors Target US and Global Critical Infrastructure

The FBI, CISA, and NSA have identified Russian GRU Unit 29155 as responsible for cyber operations targeting global entities since 2020, aiming for espionage, sabotage, and reputational harm. This unit, distinct from other GRU cyber groups, deployed the destructive WhisperGate malware against Ukrainian organizations in January 2022. To mitigate this threat, organizations should prioritize system updates, network segmentation, and multifactor authentication. This advisory outlines the tactics, techniques, and procedures employed by Unit 29155, including their use of publicly available tools and vulnerabilities. The FBI assesses Unit 29155 cyber actors as junior GRU officers gaining experience through cyber operations and relying on non-GRU individuals for support. The cybersecurity industry tracks this group under various names, including Cadet Blizzard, Ember Bear, and Frozenvista. In addition to Ukraine, Unit 29155 has targeted NATO members and other countries in Europe, Latin America, and Central Asia. Their activities include website defacements, infrastructure scanning, data exfiltration, and public data leaks. Since early 2022, their focus has shifted to disrupting aid to Ukraine. The FBI has observed over 14,000 instances of domain scanning across 26 NATO members and several EU countries. Unit 29155 targets critical infrastructure sectors, including government services, finance, transportation, energy, and healthcare. Their reconnaissance techniques include using tools like Acunetix, Amass, MASSCAN, and Shodan to scan for vulnerabilities and collect information. They have been observed obtaining exploit scripts for various CVEs and using them for initial access. The group frequently utilizes common red teaming techniques and publicly available tools, relying on dark web forums to obtain malware and loaders. They have exploited vulnerabilities in Dahua IP cameras to bypass authentication and exfiltrated data. Unit 29155 has employed various methods for lateral movement, including using Shodan to identify IoT devices and exploiting vulnerabilities in IP cameras to gain access and dump configuration settings. The advisory provides a list of Indicators of Compromise (IOCs) to assist in identifying and mitigating potential threats associated with this group.