The US government and a coalition of international partners have officially attributed the Russian hacking group tracked as Cadet Blizzard to the 161st Specialist Training Center of the Main Intelligence Directorate (GRU) of the General Staff (Military Unit 29155).
“These cyber actors have been responsible for computer network operations against global targets for the purposes of espionage, sabotage and reputational damage since at least 2020,” the agencies said.
“Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting aid efforts in Ukraine.”
The attacks targeted critical infrastructure and key resource sectors, including government services, financial services, transportation systems, energy and health sectors of members of the North Atlantic Treaty Organization (NATO), the European Union, Central America and Asia.
The joint guidance, released last week as part of a coordinated exercise called Operation Toy Soldier, comes from the cybersecurity and intelligence agencies of the United States, the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia and the United Kingdom.
Cadet Blizzard, also known as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, gained attention in January 2022 for deploying the destructive WhisperGate (aka PAYWIPE) malware against multiple Ukrainian victim organizations ahead of Russia’s full-scale military invasion of the country.
Back in June 2024, 22-year-old Russian citizen Amin Timovich Stigall was charged in the US for his alleged role in organizing destructive cyber attacks against Ukraine using the wiper malware. However, the use of WhisperGate is not unique to the group.
Since then, the US Department of Justice (DoJ) has charged five officers associated with Unit 29155 for conspiring to commit computer intrusion and wire fraud against targets in Ukraine, the United States and 25 other NATO countries.
The names of the five officers are listed below:
- Yuriy Denisov, a colonel in the Russian army and commander of the cyber operations department of Military Unit 29155.
- Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, and Nikolay Korchagin, officers in the Russian military assigned to Unit 29155.
“The defendants did this to sow concerns among Ukrainian citizens about the security of their government systems and personal data,” the Department of Justice said. “The defendants’ targets included Ukrainian government systems and data that had no military or defense role. Later, computer systems in countries around the world that provided support to Ukraine were targeted.”
Concurrent with the indictment, the US State Department’s Rewards for Justice program announced a reward of up to $10 million for information about the defendants’ whereabouts or their malicious cyber activity.
According to the advisory, Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassinations across Europe, with the adversary expanding its horizons to include offensive cyber operations from at least 2020.
The ultimate goal of these cyber intrusions is to collect sensitive information for espionage purposes, to cause reputational damage by leaking said data, and to organize destructive operations aimed at sabotaging systems containing valuable data.
Unit 29155, according to the advisory, is believed to be made up of junior, active-duty GRU officers who also rely on known cybercriminals and other civilians, such as Stigall, to help carry out their tasks.
These include website defacements, infrastructure scans, data theft, and data leakage operations that involve publishing information on public website domains or selling it to other actors.
Attack chains begin with scanning for and exploiting known security flaws in Atlassian Confluence Server and Data Center, Dahua Security, and Sophos firewalls to breach the victim’s environment, followed by the use of Impacket for post-exploitation and lateral movement and, ultimately, exfiltration of data to dedicated infrastructure.
“Raspberry Robin malware may have been used by the cyber actors in an access broker capacity,” the agencies noted. “Cyber actors targeted victims’ Microsoft Outlook Web Access (OWA) infrastructure with password spraying to obtain valid usernames and passwords.”
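The password-spraying pattern described above (many accounts, few attempts each, from one source) can be separated from ordinary brute force in authentication logs. The following detector is an added example, not part of the advisory or the article; the log format, the thresholds, the sample lines and the IP addresses are constructed assumptions.

```python
# Added example (not from the advisory): log format, thresholds and sample data are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed "timestamp src_ip user result" format (OWA-style auth log).
SAMPLE_LOG = """\
2024-09-02T10:00:01Z 203.0.113.7 alice FAIL
2024-09-02T10:00:02Z 203.0.113.7 bob FAIL
2024-09-02T10:00:03Z 203.0.113.7 carol FAIL
2024-09-02T10:00:04Z 203.0.113.7 dave FAIL
2024-09-02T10:00:05Z 203.0.113.7 erin FAIL
2024-09-02T10:00:06Z 203.0.113.7 frank SUCCESS
2024-09-02T10:01:00Z 198.51.100.9 alice FAIL
2024-09-02T10:01:05Z 198.51.100.9 alice FAIL
2024-09-02T10:01:10Z 198.51.100.9 alice FAIL
2024-09-02T10:01:15Z 198.51.100.9 alice SUCCESS
"""

def parse_lines(text):
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src_ip: usernames} for sources that fail against many distinct
    accounts with few tries each inside `window`: the spray signature, as
    opposed to many tries on one account (classic brute force)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide the window over this source's failures
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[ip] = sorted(per_user)
                break
    return findings

def compromised_after_spray(events, findings):
    """Accounts that logged in successfully from a spraying source: reset and review these first."""
    return sorted({u for _, ip, u, r in events if ip in findings and r == "SUCCESS"})
```

On the sample, 203.0.113.7 is flagged as a spray source (five accounts, one failure each) while 198.51.100.9, which hammers a single account, is not; the successful login for `frank` from the spraying source is the account to reset and investigate.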
Organizations are encouraged to prioritize scheduled system updates and patches for known vulnerabilities, segment networks to prevent the spread of malicious activity, and ensure phishing-resistant multi-factor authentication (MFA) for all external account services.