Special Forces Unit 29155 — Assassination attempts, terrorist attacks, espionage, Havana Syndrome & wiper attacks on critical infrastructure

Probably the most dangerous military cyber actor in the world

SIMKRA
CyberScribers
Sep 7, 2024 · 14 min read


What is the future war? Special Forces Units in Cyberspace

2 days ago, several agencies issued the joint advisory “Russian Military Cyber Actors Target US and Global Critical Infrastructure” to warn of worldwide attacks on critical infrastructure by Russian GRU units. FBI, CISA and NSA assess that affiliates of the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) have been responsible for computer network operations against global targets for the purposes of espionage, sabotage and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.

We know that they started operating in cyberspace before 2020. In the New York Times article “Top Secret Russian Unit Seeks to Destabilize Europe, Security Officials Say” from October 2019, we can read that

the purpose of Unit 29155, which has not been previously reported, underscores the degree to which the Russian president, Vladimir V. Putin, is actively fighting the West with his brand of so-called hybrid warfare — a blend of propaganda, hacking attacks and disinformation — as well as open military confrontation. Hidden behind concrete walls at the headquarters of the 161st Special Purpose Specialist Training Center in eastern Moscow, the unit sits within the command hierarchy of the Russian military intelligence agency, widely known as the G.R.U.

Though much about G.R.U. operations remains a mystery, Western intelligence agencies have begun to get a clearer picture of its underlying architecture. In the months before the 2016 presidential election, American officials say two G.R.U. cyber units, known as 26165 and 74455, hacked into the servers of the Democratic National Committee and the Clinton campaign, and then published embarrassing internal communications.

In this article, I will briefly summarize the history of Unit 29155, first looking at its operations outside cyberspace and then going into concrete attacks in cyberspace. Using other threat intelligence sources, I also look at the hacktivists who could possibly be connected to Unit 29155, such as NoName57(16), which operates together with the Cyber Russian Army_Reborn (CARR), spreads Russian propaganda narratives on the CARR Telegram channel and attacks critical infrastructure. CARR is very likely engaged in APT44 operations, also tracked as UNC3810.

I translated what I call their Zhirinovsky manifesto from Russian into English, taken from a website that the Cyber Russian Army_Reborn is sharing, and display their “conspiracy timeline agenda” in a time graph. The narratives reflect the proximity to Putin and the goals of the Kremlin. It is therefore very likely that parts of this terrorist/hacktivist group operate for the GRU, even if this is not officially communicated.

I will also compare the TTPs of Unit 29155 with those of the Akira ransomware group for two main reasons: on the one hand, the GRU uses the Chang Way Ltd. server ecosystem in Russia and Hong Kong just like Akira; on the other hand, tools like Masscan are used by both. It may well be that Russian intelligence knowingly does not intervene in ransomware group attacks that serve Russia’s interests and possibly also bring monetary benefits. There are indications of this with the Cyber Volk ransomware group, which is very close to the Cyber Russian Army Reborn, where affiliates joke on Twitter that they earn less since the Kremlin started ransoming for monetary reasons, too.

When we talk about wipers: Mandiant’s Six Phases of APT44, CaddyWiper and the Cyber Army of Russia Reborn (UNC3810)

Disruptive operations rarely make headlines by themselves because their effects are not visible to the public, unless victim organizations choose to publicize the attack. To overcome this dilemma, the GRU has used a series of Telegram channels assuming hacktivist identities to claim responsibility for cyber attacks and leak stolen documents or other proofs from their victims. We assess this tactic is almost certainly an attempt to prime the information space with narratives of popular support for Russia’s war and to generate second-order psychological effects from the GRU’s network attacks. Follow-on influence efforts tend to exaggerate the success of the preceding cyber components and are carried out irrespective of the cyber operation’s actual impact. Telegram has been the primary platform for these efforts, as channels on the social media platform have become the go-to source for unfiltered footage and updates from the war.

In the final stage of the playbook, data from the victim of UNC3810’s wiper attack was staged and advertised on Telegram by “CyberArmyofRussia_Reborn”, a self-proclaimed hacktivist persona that claimed responsibility for the wiper attack. However, technical artifacts from UNC3810’s intrusion indicate that the “CyberArmyofRussia_Reborn” persona severely exaggerated the success of the wiper attack. Due to a series of operator errors, UNC3810 was unable to complete the wiper attack before the Telegram post boasting of the disrupted network. Instead, the Telegram post preceded CADDYWIPER’s execution by 35 minutes, undermining CyberArmyofRussia_Reborn’s repeated claims of independence from the GRU. Based on the close sequencing between the wiper deployment and Telegram posts, Mandiant assesses with high confidence that UNC3810 and Cyber Army of Russia engaged in forward operational planning to orchestrate the cyber and information operations components of the operation.

29.09.2024 ENISA Threat Landscape 2024

In addition, Cyber Army of Russia Reborn has been targeting operational technology (OT) in the EU and in other countries like Ukraine and USA. In the beginning of the year, the group has taken credit for multiple water utilities in the US, a wastewater plant in Poland, and a hydroelectric dam in France.

And regarding wipers, let’s take a look at Sandworm, which deployed, for example, various wipers in the Ukraine war not so long ago. Known as APT44 but also connected to APT28 and units like 74455, Sandworm has deployed wipers like the ones mentioned above since at least January 2022, before the start of the Ukraine war. The Ukrainian CERT published an alert in April this year about an attempt to disrupt critical infrastructure at almost 20 facilities. Here again the attacker is APT44, and this time it is the backdoor QUEUESEED, which is identical to KAPEKA used in June 2022 in Ukraine (same hash, almost the same behavior). Mandiant describes six phases of APT44 disruptive operations during the 2022 war in Ukraine, and a seventh phase could be the non-kinetic attempt to disrupt again with the same backdoors like KAPEKA from June 2022, which was used together with SDELETE. The exact hash can be found in the UAC-0133 report for the QUEUESEED backdoor, with the same technical behavior including SDELETE. To read more about it, please visit my article here.

Unit 29155 history — Skripal, Navalny, Espionage & Lucky Couples

Unit 29155 has been around since 2009. The unit is known to have carried out various campaigns and operations in the course of hybrid warfare. For example, it is held responsible for various assassination attempts, including the best-known cases of Skripal and Navalny. It is also interesting that this unit has placed various agents in Europe who coordinated bombings and assassinations for years, such as the supposedly Czech hotelier couple Nikolay and Elena Šapošnikov.

We know of similar incidents in Germany, where before that the supposedly German couple Heidrun and Andreas Anschlag spied for Russia for more than two decades.

Havana Syndrome

Unit 29155 is not only held responsible for poison attacks, but also for Havana Syndrome. Research by SPIEGEL shows that Russian secret services may have used microwave weapons against US diplomats.

USA Today published:

Using leaked mobile phone data and other information, reporters were able to place members of Unit 29155 at locations where American government personnel experienced signs of a Havana Syndrome — just prior to or at the time of the attack. These include incidents in Frankfurt, Germany, in 2014, in Guangzhou, China, in 2017, and in Tbilisi, the capital of the former Soviet republic of Georgia, in 2021, “60 Minutes,” The Insider and Der Spiegel reported.

Goals of the current Russian government and Putin to understand the Havana Syndrome

In order to better understand Unit 29155’s operations, I would like to go back to the goals of the current Russian government and Putin.

Indications that the Havana Syndrome has Russian origins are offered by Bellingcat research, which leaked strategic plans of the Russians regarding the Havana Syndrome on Twitter. The creation of weapons based on physical principles is described:

Another source is Sputnik International, where we can read about such programs, started in December 2012.

Cyber Army of Russia Reborn, NoName57(16) and “The Geopolitics of Civilizations”

In the course of these destructive narratives, it is worth taking a look at the goals of the Russian hardliners, for example in the manifesto published by the Cyber Army of Russia_Reborn that I mentioned at the beginning of the article.

Published on hxxps://dzen[.]ru/a/ZtXJq1iMXG4-frC5, we can read the “The Geopolitics of Civilizations” manifesto with the title HOW PUTIN FULFILLED ZHIRINOVSKY’S PROPHECY, WHICH HE LAID OUT 30 YEARS AGO.

The content reads as follows:

Hello, dear Russian civilization. There are many speeches left from Zhirinovsky, forecasts, speeches, but the most valuable, in our opinion, are books. One of such books is “The Last Dash to the South”. Further quote:

“Since the mid-80s, I have already begun to develop my own geopolitical concept. I don’t want to give it my name, let’s say, “formula or prophecy Zhirinovsky”, but it is necessary to clearly realize that “the last rush to the South”, the exit to the prospect of Russia to the shores of the Indian Ocean and the Mediterranean Sea is really a real solution to the problem of saving the Russian nation. After all, when others are talking about cutting off Kazakhstan, Kyrgyzstan, Central Asia, they do not understand that we are pushing Russia into the tundra, where only mineral resources, where a person cannot live and develop. Development civilization has always started from the south. People moved north, since they were very numerous, they were accumulating in the south, and the movement developed in different directions, people did not yet realize that they were leaving the best places. They went to search for food, it exterminated animals in the vicinity. Today, we are without ourselves any necessity, we can drive them into unviable regions and destroy them nation completely. Therefore, the idea of such a last “throw” is the last, because this will probably be the last redivision of the world, its necessity is generated by the entire course of history. This solves all problems, and we gain calm. Russia acquires a four-pole platform. We will rely on the Arctic Ocean from the north, to the Pacific Ocean from the east, to the Atlantic through the Black Sea, the Mediterranean and Baltic Seas and, finally, in the south, we will be able to rely on the Indian Ocean, only then will we find peaceful neighbors. Friendly India, it will be the quietest and calmest, this Russian-Indian border. You will need to also make a Russian-Chinese border. We will protect ourselves once and for all from the point of view of terms of borders, creating a situation in which it is impossible to calculate Russia, separation of some parts” — the end of the quote. Zhirinovsky

Following this confusing summary of Zhirinovsky, the timeline of the supposed dominance over Europe is outlined, as shown in the picture below, and Russia’s victory is celebrated.

Timeline of the Zhirinovsky manifesto

Here the conspiracy theorists describe the importance of India, the Balkans and Africa, but also of the Chinese border, for dominating the continent.

It quickly becomes clear that these are either megalomaniac crackpots, or that parts of the criminal hacktivist milieu consist of employees of Russian intelligence services who not only manipulate the underground but also control it.

Overall, it becomes clear with what unscrupulousness and brutality Russia has acted in recent years to achieve its goals. In addition to bombings and poison attacks, election manipulation and electronic warfare via Havana Syndrome weapons, Putin’s regime does not even shy away from attacking critical infrastructure globally and using wipers in cyberspace.

The shift to cyberspace

Since the start of the Ukraine war, the focus of their operations seems to have shifted to cyberspace, partly because Western measures have made it more difficult for the special forces to travel or operate freely in Europe. As an asymmetric means, and to consciously assert the Kremlin’s influence, the unit plans systematic espionage and attacks, including on critical infrastructure in the US and in Europe. This is where the Cyber Army of Russia Reborn comes into play again, for example in the attack on a water treatment plant in Muleshoe, Texas this year, or the attack on a hospital in the UK in June 2024.

Hacktivists attack on a daily basis all those NATO allies that specifically help Ukraine with weapons and financial support; see also my article on Mirai botnets and NoName57(16) or Cyber Volk.

CyberVolk — Holy War & Allegiance to Russia

CyberVolk is a hacktivist group that openly announces its allegiance to Russia. They are politically motivated and deployed a new ransomware variant in July 2024. Since July, a campaign against Spain has been under way by CyberVolk and other hacktivists in the orbit of Russian actors, following the arrest of 3 members of the group noName57(16), who are mainly known for attacking countries that support NATO and the West. I have already written an article on their DDoS campaigns in the context of the targeting of the Danish government.

CyberVolk is only one of over 70 groups that have joined forces to take revenge for the arrest of their members in the “holy war” against Spain. Although DDoS attacks on Spain had indeed increased, they still remained below the normal volume of attacks on Spain since the 3 members were detained. Nevertheless, 27 institutions have been officially affected by CyberVolk’s attacks since their self-proclaimed holy act of aggression against the supposed enemy. The information can be found on the Netscout website, with a detailed analysis and characteristics of the attacks.

Akira, LockBit, Unit 29155…Chang Way Ltd

Ransomware groups like Akira or LockBit operate in the same Chang Way Ltd server landscape with similar tools like Masscan. A detailed analysis of the ransomware group can be found here, and of the Chang Way Ltd ecosystem with LockBit here. Here is a quick comparison of which TTPs coincide between Unit 29155 and Akira.

Comparison Akira and Unit 29155
Akira IOC — Chang Way Ltd server in Russia

Both threat actors use tools like Masscan, Mimikatz and Cobalt Strike, reflecting their focus on rapid reconnaissance, credential access and lateral movement. Akira focuses on financial extortion through ransomware, while Unit 29155 pursues strategic objectives such as disrupting critical infrastructure. Both rely on publicly available tools, which makes detection harder because these tools are also common in legitimate contexts. This shows that Russian ransomware groups and military intelligence have similar TTPs and share the same server ecosystem.
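Because Masscan is shared tooling, network telemetry rather than a file signature is the practical place to catch it. The script below is an added example, not code from the original post or from any of the reports it cites: a first-pass detector for Masscan-style port sweeps in firewall connection logs. It counts distinct (host, port) targets per source inside a sliding time window, which separates a sweep from ordinary client traffic. The log line format, the sample data and the thresholds are assumptions made for this example.

```python
# Added example, not from the original post: a first-pass detector for
# Masscan-style port sweeps in firewall connection logs. Masscan fires SYNs
# at many host:port pairs from one source within seconds, so counting distinct
# targets per source inside a sliding time window separates it from normal
# client traffic. The log line format and the thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample data: one scanner and one ordinary workstation."""
    base = datetime(2024, 9, 5, 10, 0, 0)
    lines = []
    # Scanner 10.0.0.5 sweeps TCP ports 1-80 on one host within 8 seconds.
    for i in range(80):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{t.isoformat()} 10.0.0.5 -> 192.168.1.10:{i + 1} S")
    # Workstation 10.0.0.7 opens three normal connections and gets SYN-ACKs back.
    for i, port in enumerate((443, 443, 22)):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.0.0.7 -> 192.168.1.{20 + i}:{port} S")
        lines.append(f"{t.isoformat()} 192.168.1.{20 + i} -> 10.0.0.7:{port} SA")
    return lines


def parse_line(line):
    """Assumed format: '<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <tcp flags>'."""
    ts, src, _arrow, dst, flags = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), flags


def detect_sweeps(lines, window=timedelta(seconds=60), threshold=50):
    """Return {src_ip: max distinct (dst_ip, port) targets inside one window}
    for every source that reached `threshold` distinct targets in any window."""
    attempts = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst_ip, port, flags = parse_line(line)
        # Only pure SYNs count: they are connection attempts, not replies.
        if "S" in flags and "A" not in flags:
            attempts[src].append((ts, dst_ip, port))

    alerts = {}
    for src, events in attempts.items():
        events.sort()
        in_window = defaultdict(int)  # (dst_ip, port) -> hits inside the window
        left = 0
        for ts, dst_ip, port in events:
            in_window[(dst_ip, port)] += 1
            # Slide the window: evict attempts older than `window`.
            while ts - events[left][0] > window:
                old = (events[left][1], events[left][2])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for src, targets in detect_sweeps(build_sample_log(), threshold=20).items():
        print(f"possible port sweep from {src}: {targets} distinct targets")
```

The threshold needs tuning per environment: vulnerability scanners and monitoring systems legitimately look like this, so in practice the alert is fed by an allow-list of known scanner sources, and the window length trades sensitivity to slow scans against memory per source.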

And what about WhisperGate?

The interesting thing is that the wiper campaigns have basically not changed at all. There are wipers and hashes still actively deployed by Russian intelligence units. I have already written a technical analysis of this, and another article on how it could possibly be blocked via Sysmon as a telemetry backup tool if EDR were bypassed or disabled. The latest joint advisory, Russian Military Cyber Actors Target US and Global Critical Infrastructure, co-authored by CISA and several agencies around the globe, is an excellent technical overview for building robust detections and hunting for IOCs such as the ports mentioned, command lines, tools, vulnerabilities and TTPs. The document has many useful mitigations, and the appendix with the WhisperGate malware analysis contains hashes for stage1.exe, asd.exe and stage2.exe.

Table 15: stage1.exe Properties
Table 16: asd.exe Properties
Table 17: stage2.exe Properties
Table 19: stage2.exe Variant Properties
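As an added example (my own code for this article, not from the advisory or from the original post), here is how the appendix hashes and stage file names can be turned into a hunt over exported Sysmon events. It looks at process-creation events (Event ID 1) for the image name and the SHA-256 in the Hashes field, and at file-creation events (Event ID 11) for the stage file names, so a renamed copy is still caught by hash and a dropped-but-not-yet-run stage is caught by name. The hash values in ADVISORY_SHA256 are placeholders to be filled from Tables 15-19; the sample events and the "a"*64 hash are constructed for the example.

```python
# Added example, not from the original post or the advisory: hunting the
# WhisperGate stage binaries in exported Sysmon events. Matches on the stage
# file names the advisory appendix documents (stage1.exe, asd.exe, stage2.exe)
# and on SHA-256 values that must be filled in from the appendix tables.
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
STAGE_NAMES = {"stage1.exe", "asd.exe", "stage2.exe"}
# Placeholders, NOT real indicators: replace with the SHA-256 values from Tables 15-19.
ADVISORY_SHA256 = {"<sha256 of stage1.exe from table 15>",
                   "<sha256 of asd.exe from table 16>",
                   "<sha256 of stage2.exe from table 17>"}


def _event(event_id, computer, data):
    """Build a minimal Sysmon event in the Windows event XML layout (constructed sample)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{rows}</EventData></Event>')


# Constructed sample events; "a" * 64 stands in for a known-bad SHA-256.
KNOWN_BAD = "a" * 64
SAMPLE_EVENTS = [
    _event(1, "ws01", {"Image": r"C:\Windows\System32\svchost.exe",
                       "Hashes": "SHA256=" + "1" * 64}),                       # benign
    _event(1, "ws01", {"Image": r"C:\Users\Public\stage1.exe",
                       "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + KNOWN_BAD}),  # name + hash
    _event(1, "ws02", {"Image": r"C:\ProgramData\update.exe",
                       "Hashes": "SHA256=" + KNOWN_BAD.upper()}),              # renamed copy
    _event(11, "ws02", {"TargetFilename": r"C:\ProgramData\asd.exe"}),          # dropped file
]


def parse_sysmon_event(xml_text):
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    computer = root.find("e:System/e:Computer", NS).text
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def sha256_from_hashes(field):
    """Sysmon's Hashes field looks like 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def hunt(events, known_sha256=ADVISORY_SHA256):
    """Return one hit per matching event, with the reasons it matched."""
    wanted = {h.lower() for h in known_sha256}
    hits = []
    for xml_text in events:
        event_id, computer, data = parse_sysmon_event(xml_text)
        reasons = []
        if event_id == 1:   # ProcessCreate: check image name and hash
            path = data.get("Image", "")
            name = ntpath.basename(path).lower()
            sha = sha256_from_hashes(data.get("Hashes", ""))
            if name in STAGE_NAMES:
                reasons.append(f"process image {name}")
            if sha and sha in wanted:
                reasons.append("sha256 match")
        elif event_id == 11:  # FileCreate: the stage was written to disk
            path = data.get("TargetFilename", "")
            name = ntpath.basename(path).lower()
            if name in STAGE_NAMES:
                reasons.append(f"file created {name}")
        else:
            continue
        if reasons:
            hits.append({"computer": computer, "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, known_sha256={KNOWN_BAD}):
        print(hit)
```

In a real hunt the events come from an EVTX export or a SIEM query rather than from SAMPLE_EVENTS, and the file-name rule should be read as a low-cost tripwire that only works until the operator renames the stages; the hash rule is the durable part.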

Hunting after Unit 29155 members

The US offers a $10 million reward for information on GRU members.

Unit 29155 of the Russian General Staff Main Intelligence Directorate (GRU). The named operatives include:

  • Vladislav Borovkov (Боровков Владислав)
  • Denis Igorevich Denisenko (Денисенко Денис Игоревич)
  • Yuriy Denisov (Денисов Юрий)
  • Dmitriy Yuryevich Goloshubov (Голошубов Дмитрий Юрьевич)
  • Nikolay Aleksandrovich Korchagin (Корчагин Николай Александрович)

These individuals are believed to be key players behind some of the most destructive cyberattacks in recent history. According to U.S. authorities, they were responsible for deploying the WhisperGate malware in cyberattacks that compromised Ukrainian government systems ahead of Russia’s 2022 invasion of Ukraine. These attacks targeted critical Ukrainian infrastructure, disrupting government functions and private sector operations. (Source: Securityonline.info)

Navalny movie & OSINT — what we can learn about indifference causing wars by ignoring real hybrid warfare threats

The Cognitive Crucible is a forum that presents different perspectives and emerging thought leadership related to the information environment. I highly recommend the latest episode.

During this episode, Melissa Graves, Frank Emerson, and Pat Hendrix discuss the history of Open Source Intelligence (OSINT), how publicly available information (PAI) is being analyzed by students in the Department of Intelligence and Security Studies at The Citadel, and The Citadel’s Open Source Intelligence Conference which will be held October 23–25, 2024.

They also mention the Navalny movie and the lessons learned about OSINT from watching it, including Bellingcat’s research “Russia’s Clandestine Chemical Weapons Programme and the GRU’s Unit 29155” and how they planned to kill Navalny.

To emphasize how things can go wrong, it could make sense to watch the movie “Don’t Look Up”. In the movie, Kate Dibiasky, a doctoral candidate in astronomy at Michigan State University, discovers an unknown comet. Her professor, Doctor Randall Mindy, confirms that it will collide with Earth in approximately six months and is large enough to cause a global extinction event. NASA verifies the findings, and Dr. Teddy Oglethorpe, head of its Planetary Defense Coordination Office, accompanies Dibiasky and Mindy to present their findings to the White House. However, they are met with apathy from President Janie Orlean and her Chief of Staff Jason Orlean, who is also her son.

Conclusion

Probably the most dangerous special forces unit in the world at this point in time is Unit 29155. The unit is intent on maximum destruction and disruption of its enemies and will stop at nothing, be it election interference, propaganda together with terrorist groups, attempted terrorist attacks, poison attacks or the use of wipers to inflict maximum damage. In the future, it should be checked even more intensively who leaves Russia to enter EU and NATO countries, and such people should be tracked as persons of interest. The path of truth is a lonely path.
