
NCSC Calls Out Cyber-Attacks From Russia’s GRU

The UK’s NCSC and nine international allies have given details of cyber-attack campaigns by a unit of Russia’s military intelligence service, in an unusual move intended to help organisations prepare for potential breach attempts.

The UK’s National Cyber Security Centre (NCSC), part of GCHQ, and agencies in the US, the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Canada, Australia and Ukraine outlined tactics and techniques used by Unit 29155 of Russia’s GRU to carry out cyber-operations against government and critical infrastructure organisations around the world.

The unit, also known as the 161st Specialist Training Centre, has been carrying out attacks since at least 2020, the NCSC said.

It said this was the first time the UK has exposed the unit’s activities.


Espionage

“Unit 29155 is assessed to have targeted organisations to collect information for espionage purposes, caused reputational harm by the theft and leaking of sensitive information, defaced victim websites and undertaken systematic sabotage caused by the destruction of data,” NCSC said in an advisory.

The group is made up of junior active-duty GRU officers and also relies on non-GRU actors including known cyber-criminals and enablers for its operations.

It is distinct from more established GRU-related cyber groups Unit 26165, known as Fancy Bear, and Unit 74455, known as Sandworm.

The NCSC said Unit 29155 was behind the deployment of the Whispergate data-destroying malware against multiple organisations in Ukraine prior to Russia’s invasion of the country in early 2022.

Since then the group has been mainly focused on disrupting international support for Ukraine amidst the ongoing war, the NCSC said.

“The exposure of Unit 29155 as a capable cyber actor illustrates the importance that Russian military intelligence places on using cyberspace to pursue its illegal war in Ukraine and other state priorities,” said director of operations Paul Chichester.

“The UK, alongside our partners, is committed to calling out Russian malicious cyber activity and will continue to do so.”

Whispergate

In May 2022 the UK and allies attributed Whispergate to the GRU, but this is the first time the attribution has been made specifically to Unit 29155.

“This is clear and shocking evidence of a deliberate and malicious attack by Russia against Ukraine which had significant consequences on ordinary people and businesses in Ukraine and across Europe,” said then-UK Foreign Secretary Liz Truss at the time.

The advisory from NCSC and allies gives specific details of the unit’s tactics and indicators of compromise in order to help organisations prepare for possible attacks.

The NCSC urged organisations to take defensive measures such as prioritising the patching of known vulnerabilities, deploying protective controls and architecture, and applying security controls, including testing the organisation’s security programmes against the MITRE ATT&CK for Enterprise framework.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
