GRU Unit 29155: Specialists in destruction and assassination
Russia’s GRU has many military units engaged in offensive cyber operations. For example, Unit 26165, or the 85th Main Special Service Center (GTsSS), has been involved in cyber operations since 2004 and is tracked in the security industry as APT28, Sofacy, Pawn Storm, or Fancy Bear. Meanwhile, Unit 74455, or the Main Center for Special Technologies (GTsST), goes by the name Sandworm, Electrum, or Voodoo Bear and has been active since at least 2009. The group is well known for its ability to attack critical infrastructure, including devastating cyber attacks against Ukraine’s power grid in 2015, 2016, and 2022 that resulted in blackouts.
In comparison, Unit 29155’s expansion into offensive network operations appears to be more recent, first seen in 2020. According to the FBI, NSA, and CISA, this unit, officially known as the 161st Specialist Training Center, has traditionally been responsible for attempted coups, sabotage, influence peddling, and assassination attempts across Europe.
While the other two highly cyber-savvy units use bespoke malware, Unit 29155 favors well-known red-team techniques combined with open-source and commercial tools, including vulnerability scanners, network mappers, proof-of-concept exploits copied from GitHub, penetration testing frameworks, public tunnel and proxy software, and more. The custom WhisperGate data-wiping malware appears to be a departure from the rest of its toolkit, but even that is not used exclusively by Unit 29155.