New CISA Report Ties Recent Cyber Attacks on Critical Infrastructure to Russian Intelligence Unit

A new joint advisory from CISA, the FBI and the NSA documents a distinct Russian GRU unit separate from the country’s other well-known threat actors and focused on attacking foreign critical infrastructure since at least 2020.

Unit 29155, also called Cadet Blizzard or Ember Bear, is a special Russian intelligence unit with a particular focus on the Ukraine invasion. The group’s signature is the use of a highly destructive malware called “WhisperGate” which has been observed since at least January 2022.

Relatively new Russian threat group targets Ukraine and NATO members with cyber attacks

Unit 29155 is different from some of the highly-publicized Russian threat actors that have made headlines in the past for their espionage and election interference exploits. CISA believes this group is relatively new to cyber attacks, with evidence of it being active in this area since 2020, and appears to be mostly composed of junior active-duty GRU officers that are being trained by more experienced leadership to take on bigger roles in campaigns of espionage and cyber attacks.

Another interesting detail is that CISA believes Unit 29155 is actively working with Russian cyber criminal groups on some of its operations. However, the report does not specify which groups are involved or what their roles might be. What is known is that the GRU officers obtain hacking tools, such as malware loaders, from criminal sources; there is no indication that private criminal groups take part in the critical infrastructure attacks themselves.

Nevertheless, Tom Kellermann, SVP of Cyber Strategy at Contrast Security, takes a dim view of this development: “This is a notable shift as the Russian military previously utilized cybercriminals as mercenaries. The Russians recognize that the Achilles heel of NATO nations is their dependence on cyberspace and thus they are launching widespread destructive cyberattacks against western critical infrastructures. This warning should serve as a harbinger of destructive hybrid attacks this fall wherein kinetic impact will manifest. Lives will be lost.”

Unit 29155’s actions since 2020 include cyber attacks on a number of federal agencies in the United States, the United Kingdom, Canada, Australia, the Netherlands, Germany, Czechoslovakia, Estonia and Latvia. But the group seems to have switched most of its focus to Ukraine in the weeks prior to the 2022 military invasion, deploying its signature WhisperGate malware against a variety of critical infrastructure organizations as well as the national security service (SBU) and the Computer Emergency Response Team of Ukraine (CERT-UA).

The group appears to alternate between espionage and cyber attacks across a variety of mission types, including sabotage, supporting coups, influence operations and even coordinating assassination attempts. It has also attacked critical infrastructure in countries other than Ukraine, with known operations in the EU, Central America, and Asia that seem to focus on NATO members.

The report also notes that Unit 29155 has been tricky to track and attribute, as it makes use of many publicly available tools and common red teaming techniques, causing some of its cyber attacks to be misattributed to other actors. While the WhisperGate malware is something it commonly uses, it is also used by other threat actors. The Russian hackers also use VPNs to mask their activity and use Shodan to scan for known vulnerable devices, such as security cameras, through which they can route authentication attempts.

Critical infrastructure targets of prime interest to GRU hackers

While it looks as if most of the group’s efforts against critical infrastructure switched to Ukraine invasion support as of early 2022, it has remained consistently active in probing and occasionally conducting cyber attacks against Ukraine allies. The FBI has counted about 14,000 domain scans on a total of 26 NATO members by the group, and it has remained active in more minor activities outside of Ukraine such as website defacement and stealing and leaking data wherever it finds an opportunity.

Prior to the Ukraine invasion, the group was also getting into some exotic and experimental territory outside of its more standard cyber attacks. A March report from The Insider, 60 Minutes and Der Spiegel found that the mysterious “Havana Syndrome” that plagued foreign embassies and consulates for years may have been linked to non-lethal acoustic weapons tests by known members of Unit 29155.

The new joint advisory is accompanied by an announcement of State Department rewards of millions of dollars for information on five Unit 29155 junior officers believed to have directly targeted critical infrastructure in the US, Ukraine and numerous other allied countries. Critical infrastructure cyber attacks have become a point of sharp focus for the Biden administration as attackers of all types and nationalities become increasingly bold in not only probing them, but setting up shop covertly for long periods of time with their fingers on “kill switches” that could cut off electricity, water and transportation in the event of a military conflict.

CISA is recommending that organizations prepare for potential cyber attacks from this outfit by ensuring that known vulnerabilities are patched, as the Russian hackers are voracious users of Shodan to scan for unpatched openings. It also recommends network segmentation and the implementation of multi-factor authentication across organizations.

Erich Kron, Security Awareness Advocate at KnowBe4, adds some specific advice for critical infrastructure outfits and their vendors: “Clearly, cyber operations are a part of modern geopolitics as much as, or more than, traditional espionage and spy techniques have been in the past, with the advantage going to digital spycraft as it can be done from any continent at any time of the day or night, with little concern about being caught. No longer are people put in physical danger when stealing information, making it far more appealing. While cyber attacks against critical infrastructure are certainly concerning, it is even more concerning to imagine that adversaries could gain access to systems without our knowledge and remain hidden until an issue occurred and could then be used to take down critical tools, utilities, or communication systems. This is not only a concern for organizations that provide critical infrastructure services directly, but also for vendors providing services to these critical infrastructure partners as well due to risks of supply chain attacks. Organizations should ensure they are keeping track of the latest Indicators of Compromise (IoCs), educating employees about the potential to be targeted for attacks, and ensuring that technical controls are in place to monitor the potential for network infiltration and data exfiltration.”