In a recent advisory issued on September 5th, 2024, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) discuss the cyber activities of Russia’s GRU Unit 29155. This military intelligence unit, which has been active since 2020, is responsible for cyber operations against infrastructure globally, aiming to cause disruptions, steal data, and damage reputations. Their most powerful tools include malware such as WhisperGate, which has played a role in attacks targeting both U.S. and international entities.
Who is GRU Unit 29155?
GRU Unit 29155 operates under the General Staff of Russia’s Main Intelligence Directorate (GRU), focusing on offensive cyber operations. While their first attacks concentrated on Ukraine, particularly during the 2022 conflict, the unit has since expanded its targeting to NATO countries and infrastructure in Europe, Latin America, North America, and Central Asia. Their goal is often to undermine services tied to foreign support for Ukraine or to destabilize regions in support of wider operations. These activities range from espionage and sabotage to more destructive actions aimed at disrupting operations and services in sectors such as energy, healthcare, and telecommunications.
Tactics, Techniques, and Procedures (TTPs)
GRU Unit 29155 is highly organized and methodical in its approach, using tactics and techniques that map to the MITRE ATT&CK framework, a recognized cybersecurity model for describing the behavior of cyber attackers.
Vulnerability Scanning
One of the tactics used by Unit 29155 is active scanning, where they use freely available tools such as Nmap, Acunetix, and MASSCAN to scan IP ranges and identify vulnerabilities within networks. This allows them to gather information about potential weaknesses in infrastructure that can later be exploited. They have been observed using tools like Acunetix and Amass to identify vulnerable services and Internet of Things (IoT) devices, including outdated software and hardware that has not been properly secured. Their reconnaissance efforts also include querying public scanning databases like Shodan.io for systems with known vulnerabilities, making it easier to target systems that have not been updated with the latest security patches.
Initial Access and Malware Use
The unit is known for obtaining ready-made malware from dark web forums, including WhisperGate and Raspberry Robin, both of which have been used throughout their operations. WhisperGate has been used in destructive attacks against Ukrainian organizations, wiping systems and rendering them inoperable. The group also exploits vulnerabilities in public-facing applications, taking advantage of known security flaws like those in Atlassian Confluence and Dahua Security products. Together with the use of default credentials, these weaknesses in publicly accessible software give them their initial access to systems.
Persistence and Credential Access
Once inside a target network, Unit 29155 maintains ongoing access by installing web shells such as b374k or WSO 4.0.5. These tools allow remote command execution and file manipulation, giving the attackers control over compromised systems. To escalate privileges and move within a network, they also use techniques like credential dumping from the Windows Local Security Authority Subsystem Service (LSASS). Extracting usernames, passwords, and password hashes this way lets them extend their access without any direct interaction with users.
Command and Control (C2)
To control the compromised systems, Unit 29155 uses encrypted communication channels, such as reverse TCP sessions or multi-hop proxies, to send and receive instructions from their command-and-control servers. This method of controlling victim machines allows them to execute commands and exfiltrate data while remaining undetected by security tools. Tools like ProxyChains and the Metasploit Framework are used to anonymize their operations and maintain a foothold in compromised networks.
Defending Against GRU Unit 29155
Unit 29155’s strategies are clever, so it is important for organizations to take preemptive steps in their cybersecurity practices. Defenses include keeping systems, especially public-facing applications, patched with the latest security updates, and conducting vulnerability assessments to identify weaknesses that could be taken advantage of. Security teams should also implement network monitoring practices to detect abnormal activity, such as unexpected IP scans or large data transfers to external servers. The use of tools like endpoint detection and response (EDR) solutions can also help detect the presence of known malware such as WhisperGate and Raspberry Robin before it causes damage.
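The two monitoring checks recommended above, a burst of connections to many ports on one host (scan-like activity) and unusually large outbound transfers to an external address, are illustrated below as a small Python detector. This is an added example, not code from the advisory or from any vendor tool; the log format (timestamp, source IP, destination IP, destination port, bytes out), the sample lines, the "10." internal prefix, and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log (assumed format, not from the advisory):
# timestamp src_ip dst_ip dst_port bytes_out
SAMPLE_LOG = """\
2024-09-05T10:00:01 203.0.113.7 10.0.0.5 22 120
2024-09-05T10:00:01 203.0.113.7 10.0.0.5 80 120
2024-09-05T10:00:02 203.0.113.7 10.0.0.5 443 120
2024-09-05T10:00:02 203.0.113.7 10.0.0.5 8080 120
2024-09-05T10:00:03 203.0.113.7 10.0.0.5 8443 120
2024-09-05T10:00:03 203.0.113.7 10.0.0.5 3389 120
2024-09-05T10:00:04 203.0.113.7 10.0.0.5 5900 120
2024-09-05T10:00:04 203.0.113.7 10.0.0.5 9200 120
2024-09-05T10:00:05 203.0.113.7 10.0.0.5 27017 120
2024-09-05T10:05:00 10.0.0.5 198.51.100.20 443 734003200
2024-09-05T10:06:00 10.0.0.9 10.0.0.5 443 4096
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

def parse(log_text):
    # Returns (timestamp, src, dst, port, bytes) tuples; malformed lines are skipped.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, nbytes = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return events

def detect_port_scans(events, min_ports=8):
    # Flag a source touching many distinct ports on one destination within a single minute.
    ports = defaultdict(set)
    for ts, src, dst, port, _ in events:
        ports[(src, dst, ts.replace(second=0, microsecond=0))].add(port)
    return [(src, dst, len(p)) for (src, dst, _), p in ports.items() if len(p) >= min_ports]

def detect_large_egress(events, internal_prefix="10.", threshold_bytes=500 * 1024 * 1024):
    # Flag internal hosts whose total bytes to one external destination exceed the threshold.
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in events:
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            totals[(src, dst)] += nbytes
    return [(src, dst, total) for (src, dst), total in totals.items() if total >= threshold_bytes]
```

In a real deployment the thresholds and the internal address ranges must be tuned to the environment, and the scan check should be widened to a sliding window rather than calendar minutes.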
GRU Unit 29155 is one of the most persistent cyber threats today. Their ability to carry out targeted attacks across multiple regions and industries makes them dangerous. Organizations that monitor these groups’ strategies and adapt their defenses will be better equipped to face the issues brought about by state-backed attacks. Professionals in cybersecurity should focus on keeping defenses well-maintained and able to respond to the approaches used by Unit 29155. Understanding their behavior through models like MITRE ATT&CK can provide insights for strengthening organizations against future attacks.
Photo credits: vchalup, AdobeStock