The FBI, CISA, and NSA linked threat actors from Russia’s GRU Unit 29155 to global cyber operations since at least 2020. These operations include espionage, sabotage, and reputational damage. The United States and its allies state that GRU is behind global critical infrastructure attacks.
Starting January 13, 2022, the group employed the WhisperGate wiper in attacks against Ukrainian organizations. The government expert pointed out that Unit 29155 operates independently from other GRU-affiliated groups like Unit 26165 and Unit 74455.
“FBI assesses the Unit 29155 cyber actors to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions.” reads the joint advisory. “Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations.”
GRU Unit 29155 targeted government and critical infrastructure by targeting IP ranges with publicly available tools for scanning and vulnerability exploitation. The group relies only on common red-teaming techniques and tools like Raspberry Robin and SaintBot, often overlapping with other cyber actors, which makes its activities harder to attribute. The nation-state actor attempted to exploit flaws in internet-facing systems, including Dahua IP cameras, to gain initial access. Using Shodan, they identify IoT devices and leverage default credentials to execute remote commands and exfiltrate data, including images and plaintext credentials.
Pierluigi Paganini
(SecurityAffairs – hacking, Russia)