Russian Hackers Behind Global Critical Infrastructure Attacks Linked to GRU Unit 29155

The United States and its allies have officially linked a group of Russian hackers responsible for global cyberattacks on critical infrastructure to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces (GRU). Known as Cadet Blizzard and Ember Bear, the hackers were tied to GRU's 161st Specialist Training Center, with guidance from experienced Unit 29155 leaders, according to a joint advisory released today.

The group, which gained notoriety for deploying WhisperGate malware in Ukraine in January 2022, has been orchestrating widespread cyber operations, sabotage, and assassination attempts across Europe since 2020. More recently, their efforts have shifted toward disrupting aid to Ukraine, targeting critical infrastructure sectors of NATO members and countries in North America, Europe, Latin America, and Central Asia.

"Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020. Unit 29155 cyber actors' objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data," the advisory stated. It also highlighted the group’s reliance on non-GRU actors, including known cybercriminals, to conduct operations.

In addition to website defacements and the leaking of stolen data, the FBI detected over 14,000 instances of domain scanning aimed at 26 NATO members and several EU nations. The scale of these operations demonstrates Unit 29155's growing cyber expertise and technical abilities.

The U.S. State Department, as part of the announcement, also offered a reward of up to $10 million for information leading to the identification of five Russian military intelligence officers linked to Unit 29155: Vladislav Borovkov, Denis Igorevich Denisenko, Yuriy Denisov, Dmitry Yuryevich Goloshubov, and Nikolay Aleksandrovich Korchagin. These individuals are charged with involvement in cyberattacks against Ukraine and NATO allies, particularly focusing on energy, government, and aerospace sectors.

The advisory urges critical infrastructure organizations to take immediate action by prioritizing system updates, patching vulnerabilities, and implementing strong security measures, including phishing-resistant multifactor authentication. Such steps are critical to defending against GRU-linked cyberattacks, which have become more aggressive since Russia's invasion of Ukraine.

Additionally, the U.S. announced a crackdown on Russian disinformation campaigns targeting the upcoming 2024 election. Thirty-two web domains tied to a Russian-linked influence operation network pushing propaganda against the American public were seized on Wednesday, marking an effort to combat foreign interference.

This escalation of cyber warfare and information operations highlights the ongoing global risks posed by state-sponsored cyber actors and the need for strengthened international defenses.
