Unit 29155 Attacks Detection: russia-Affiliated Military Intelligence Division Targets Critical Infrastructure Globally

September 06, 2024 · 6 min read

Notorious russia-affiliated hacking groups pose daunting challenges to defenders, continuously upgrading their TTPs and refining their detection evasion techniques. Since the outbreak of the full-scale war in Ukraine, russia-backed APT collectives have been especially active, using the conflict as a testing ground for new malicious approaches. Proven methods are then leveraged against major targets of interest for the Moscow government worldwide. For instance, in October 2023, russian APT28 hacked the public and private sectors in France, using the same vulnerabilities and TTPs as in Ukraine during 2022-2023.

The most recent joint advisory by CISA, NSA, and FBI once again warns cyber defenders of the increasing threat posed by russia-affiliated actors. Specifically, the military intelligence unit linked to the russian General Staff Main Intelligence Directorate (GRU) and tracked as Unit 29155 is responsible for a long-lasting offensive operation against critical infrastructure sectors in the US and worldwide. The operations date back to January 2022, when cyber actors deployed the destructive WhisperGate malware against multiple organizations in Ukraine. Alongside WhisperGate and other cyber attacks targeting Ukraine, the cyber actors have carried out network operations against multiple NATO members across Europe and North America, as well as against various countries throughout Europe, Latin America, and Central Asia.

Detect Unit 29155 Attacks

The growing threat posed by APT collectives demands ultra responsiveness from cyber defenders to detect attacks in real time and take proactive action against potential intrusions. To stay ahead of malicious operations orchestrated by Unit 29155 (also known as Cadet Blizzard, Ember Bear, UAC-0056), security professionals can leverage the SOC Prime Platform for collective cyber defense. The Platform curates a collection of dedicated Sigma rules addressing the attackers' TTPs, paired with advanced threat detection & hunting solutions to smooth out threat investigation.

Press the Explore Detections button below and immediately drill down to a tailored detection stack addressing Unit 29155 TTPs described in the AA24-249A advisory. The rules are compatible with 30+ SIEM, EDR, and Data Lake technologies and mapped to the MITRE ATT&CK® framework. Additionally, rules are enriched with extensive metadata, including threat intel references, attack timelines, and recommendations.

Explore Detections

Cyber defenders seeking more rules to address TTPs linked to Unit 29155 might search Threat Detection Marketplace using custom tags based on the group identifiers: “Cadet Blizzard,” “DEV-0586,” “Ember Bear,” “Frozenvista,” “UNC2589,” “UAC-0056,” “Unit 29155.”

As GRU Unit 29155 tends to exploit a set of known vulnerabilities for reconnaissance and initial access, security practitioners can access dedicated collections of Sigma rules addressing exploitation attempts for the CVEs in the limelight using the links below.

Sigma Rules to Detect CVE-2020-1472 Exploitation Attempts 

Sigma Rules to Detect CVE-2021-26084 Exploitation Attempts

Sigma Rules to Detect CVE-2021-3156 Exploitation Attempts 

Sigma Rules to Detect CVE-2021-4034 Exploitation Attempts 

Sigma Rules to Detect CVE-2022-26138 Exploitation Attempts

Sigma Rules to Detect CVE-2022-26134 Exploitation Attempts 

Additionally, the group primarily utilizes standard red-teaming techniques and widely available tools such as Raspberry Robin and SaintBot, frequently sharing tactics with other cyber actors. This overlap complicates efforts to accurately attribute their activities. To detect attacks involving the tools in the limelight, cyber defenders might refer to the rule lists below.

Sigma Rules Detecting Malicious Activity Associated with SaintBot 

Sigma Rules Detecting Malicious Activity Associated with Raspberry Robin 

To streamline threat investigation, security professionals might use Uncoder AI, the industry-first AI co-pilot for Detection Engineering, to instantly hunt for indicators of compromise provided in the related advisory. Uncoder AI acts as an IOC packager, enabling cyber defenders to effortlessly interpret IOCs and generate tailored hunting queries. These queries can then be seamlessly integrated into their preferred SIEM or EDR systems for immediate execution.

Unit 29155 Attacks Analysis

The AA24-249A advisory issued by the US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) on September 5, 2024 warns cyber defenders of the massive offensive operation orchestrated by the russia-affiliated cyber actors linked to the GRU 161st Specialist Training Center (Unit 29155).

The UK’s NCSC revealed that Unit 29155 consists primarily of junior GRU officers on active duty, but also enlists non-GRU individuals, including known cybercriminals and facilitators, to carry out its operations. This group operates differently from the more prominent GRU-linked cyber units, such as Unit 26165 (Fancy Bear) and Unit 74455 (Sandworm).

Back in January 2022, GRU cyber actors deployed the WhisperGate destructive wiper in attacks against Ukraine, taking down the online assets of the country's government. As of January 17, 2022, up to 70 websites experienced temporary performance issues due to the intrusion, including those of the Cabinet, seven ministries, the Treasury, the National Emergency Service, and state services. Moreover, multiple non-profit organizations and major Ukrainian IT firms fell victim to the attack.

The advisory further notes that Unit 29155 expanded its malicious operations into European countries, Latin America, and Central Asia, frequently targeting NATO members. Their cyber espionage, sabotage, and disinformation campaigns focused primarily on government, finance, transportation, energy, and healthcare sectors in regions of strategic interest to Moscow. Unit 29155’s activities included website defacements, infrastructure scanning, data exfiltration, and information leaks aimed at undermining critical systems and reputations. According to the FBI, over 14,000 instances of domain scanning have been detected across at least 26 NATO members and several additional EU countries. 

Unit 29155 cyber actors have been identified targeting IP ranges associated with various government and critical infrastructure organizations. They have employed several publicly available tools, such as Acunetix, Nmap, VirusTotal, Shodan, Droopescan, and JoomScan, to identify open ports, services, and vulnerabilities in targeted networks, enumerate subdomains to proceed with attacks, and discover machines of interest.

Unit 29155 cyber actors conduct reconnaissance on victim networks to identify vulnerabilities in web servers and machines. They acquire CVE exploit scripts from GitHub but have been observed using them primarily for reconnaissance rather than exploitation. Notable CVEs they have acquired include CVE-2020-1472, CVE-2021-3156, CVE-2022-26134, and many others.
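As an added illustration that is not part of the advisory or of SOC Prime's rule set, the Python script below turns the reconnaissance activity described above into two checks over web server access logs: a User-Agent fingerprint for the scanners named in the advisory, and a behavioural rule that flags a source requesting many distinct paths within a short window with mostly 4xx responses, which is what CMS path probing by tools like Droopescan or JoomScan looks like regardless of User-Agent. The log lines, IP addresses and User-Agent fragments are constructed for the example; the fragment list is an assumption to be tuned against your own telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime
# Combined Log Format as written by Apache and Nginx by default.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Assumed User-Agent fragments (real strings vary by version and are trivially changed).
SCANNER_UA_HINTS = ("acunetix", "nmap", "droopescan", "joomscan")
# Constructed sample: one advertised scanner, one quiet CMS path probe, one benign hit.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Sep/2024:10:00:01 +0000] "GET /user/login HTTP/1.1" 404 162 "-" "Mozilla/5.0 (compatible; droopescan)"
198.51.100.9 - - [05/Sep/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 - - [05/Sep/2024:10:02:01 +0000] "GET /administrator/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 - - [05/Sep/2024:10:02:02 +0000] "GET /CHANGELOG.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 - - [05/Sep/2024:10:02:03 +0000] "GET /sites/default/ HTTP/1.1" 403 162 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 - - [05/Sep/2024:10:02:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.44 - - [05/Sep/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

def parse_line(line):
    """Return a dict (ip, ts, path, status, ua) for one Combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_scanners(log_text, window_s=60, min_paths=5, min_error_ratio=0.6):
    """Map source IP -> sorted reasons: 'ua' (scanner fingerprint in User-Agent) and/or
    'probe' (>= min_paths distinct paths inside window_s seconds, mostly answered 4xx)."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        reasons = set()
        if any(h in r["ua"].lower() for r in recs for h in SCANNER_UA_HINTS):
            reasons.add("ua")
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):  # sliding window anchored at each request
            burst = [r for r in recs[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_s]
            errors = sum(1 for r in burst if 400 <= r["status"] < 500)
            if len({r["path"] for r in burst}) >= min_paths and errors / len(burst) >= min_error_ratio:
                reasons.add("probe")
                break
        if reasons:
            findings[ip] = sorted(reasons)
    return findings
```

Running `find_scanners(SAMPLE_LOG)` flags 203.0.113.7 by fingerprint and 198.51.100.9 by behaviour only, while the benign client is not reported.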

Moreover, the group employs common red-teaming techniques and widely accessible tools like Raspberry Robin and SaintBot to proceed with their malicious operations. Their use of these techniques often overlaps with those of other cyber actors, making it challenging to attribute their activities with precision.

To minimize the risks of Unit 29155 attacks, the advisory's authors recommend applying patches for the CVEs weaponized by the group, segmenting networks to prevent the spread of malicious activity, and enabling multi-factor authentication (MFA) for all web-facing assets. SOC Prime's Attack Detective helps organizations risk-optimize their cybersecurity posture by gaining comprehensive threat visibility and improving detection coverage, getting access to low-noise and high-quality rules for alerting, and enabling automated threat hunting.
