Russian Military Cyber Actors Attack US and Global Critical Infrastructure, CISA Reports

The FBI, CISA, and NSA assess that Russian GRU Unit 29155 has conducted cyber operations globally for espionage, sabotage, and reputational harm since 2020, including deploying WhisperGate against Ukrainian organizations starting in January 2022. The advisory outlines mitigations such as patching exploited vulnerabilities, network segmentation, and phishing-resistant MFA to counter these threats and notes collaboration with non-GRU cyber criminals in some operations. #WhisperGate #Unit29155 #GRU #NATO

Key points

  • GRU Unit 29155 has been active in cyber operations since at least 2020, with espionage, sabotage, and reputational harm as objectives.
  • WhisperGate malware was first deployed against Ukrainian organizations in January 2022.
  • Unit 29155 is distinct from other GRU groups like Unit 26165 and Unit 74455.
  • Victims include NATO members and other countries, with a focus on critical infrastructure.
  • Reconnaissance and exploitation have involved tools such as Acunetix, Amass, Nmap, Shodan, and Rclone for exfiltration to cloud storage.
  • Actors often work with non-GRU cyber criminals and leverage widely available tooling to conduct operations.
  • Mitigations emphasize patching known CVEs, network segmentation, phishing-resistant MFA, and robust security controls.

MITRE Techniques

  • [T1485] Data Destruction – Quote: “Unit 29155 cyber actors’ objectives include the destruction of data.”
  • [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Quote: “exfiltrated data to cloud storage services like MEGA using Rclone.”
  • [T1078.001] Valid Accounts: Default Accounts – Quote: “Exploitation of default credentials on IoT devices, such as IP cameras.”
  • [T1190] Exploit Public-Facing Application – Quote: “Unit 29155 cyber actors have used a variety of public exploits, including CVE-2021-33044, CVE-2021-33045, CVE-2022-26134, and CVE-2022-26138.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Quote: “Execution of commands via PowerShell for operational tasks.”
  • [T1003.001] OS Credential Dumping: LSASS Memory – Quote: “Exfiltration of LSASS memory dumps to retrieve credentials.”
  • [T1003.002] OS Credential Dumping: Security Account Manager – Quote: “Extraction of usernames and hashed passwords from the SAM.”
  • [T1110.003] Brute Force: Password Spraying – Quote: “Targeting Microsoft OWA infrastructure with password spraying techniques.”
  • [T1046] Network Service Discovery – Quote: “Use of Nmap for discovering and scanning internal networks.”
  • [T1550.002] Use Alternate Authentication Material: Pass the Hash – Quote: “Utilization of Pass-the-Hash techniques for authentication.”
  • [T1114] Email Collection – Quote: “exfiltrate mail artifacts, such as email messages.”
  • [T1125] Video Capture – Quote: “exfiltrating images.”
  • [T1213.001] Data from Information Repositories: Confluence – Quote: “Through the Wire against the victim’s internet-facing Confluence server.”
  • [T1560] Archive Collected Data – Quote: “compress victim data (e.g., the entire filesystem, select file system artifacts or user data, and/or database dumps) to send back to their infrastructure.”
  • [T1090.003] Proxy: Multi-hop Proxy – Quote: “ProxyChains—a tool used to route internal traffic through a series of proxies.”
  • [T1071.001] Application Layer Protocol: Web Protocols – Quote: “POST requests over HTTP to send payloads to victims.”
  • [T1071.004] Application Layer Protocol: DNS – Quote: “DNS tunneling tools, such as dnscat/2 and Iodine, to tunnel IPv4 network traffic.”
  • [T1095] Non-Application Layer Protocol – Quote: “a reverse TCP connection to initiate communication with their infrastructure.”
  • [T1105] Ingress Tool Transfer – Quote: “launch the Meterpreter payload to initiate communication with their actor-controlled systems.”
  • [T1572] Protocol Tunneling – Quote: “OpenVPN configuration to tunnel traffic over port (1194), VPNs, and GOST to anonymize their operational activity.”
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – Quote: “Unit 29155 cyber actors have used VPSs to host their operational tools.”
  • [T1588.001] Obtain Capabilities: Malware – Quote: “obtain publicly available malware and malware loaders.”
  • [T1588.005] Obtain Capabilities: Exploits – Quote: “obtain CVE exploit scripts from GitHub repositories and use them against victim infrastructure.”
  • [T1595] Active Scanning – Quote: “Active Scanning … Unit 29155 cyber actors use publicly available tools to gather information for possible use during targeting.”
  • [T1595.001] Active Scanning: Scanning IP Blocks – Quote: “Scanning IP blocks.”
  • [T1595.002] Active Scanning: Vulnerability Scanning – Quote: “Vulnerability scanning … Acunetix, Amass, Droopescan, eScan, and JoomScan.”
  • [T1590.002] Gather Victim Network Information: DNS – Quote: “using Amass and VirusTotal to obtain information about victims’ DNS.”
  • [T1596.005] Acquire Infrastructure: Scanning with Shodan – Quote: “used Shodan to identify hosts with a specific set of vulnerabilities or device types.”
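The T1071.004 entry above notes that the actors tunnel IPv4 traffic through DNS with tools such as dnscat2 and Iodine. Those tools carry their payload in the subdomain labels of queries to a domain the actor controls, so the traffic shape (many never-repeated, high-entropy labels under one registered domain) is what a defender can look for. The script below is an added example, not part of the CISA advisory or any vendor product: it scores a constructed DNS query log per registered domain and flags domains whose unique-subdomain count and leftmost-label entropy both exceed a threshold. The log lines, domain names and client addresses are invented, and "registered domain" is approximated as the last two labels, which is a simplification a real deployment would replace with the Public Suffix List.

```python
"""Heuristic DNS-tunnelling detector over a constructed DNS query log.

Added example (not from the CISA advisory): flags registered domains that
receive many unique, high-entropy subdomain queries, the traffic shape that
tools such as dnscat2 and Iodine produce when they carry data in DNS labels.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client-ip> <qname>".
# Every domain name, address and label below is invented for this example.
SAMPLE_DNS_LOG = """\
2024-09-05T10:00:01 10.0.0.15 www.example.com
2024-09-05T10:00:02 10.0.0.15 mail.example.com
2024-09-05T10:00:03 10.0.0.23 k3j9x0q2mz7v1bw8.tun.example-attacker.test
2024-09-05T10:00:03 10.0.0.23 a5c7e9g1i3k2m4o6.tun.example-attacker.test
2024-09-05T10:00:04 10.0.0.23 p0r2t4v6x8z1b3d5.tun.example-attacker.test
2024-09-05T10:00:04 10.0.0.23 q9s7u5w3y1a8c6e4.tun.example-attacker.test
2024-09-05T10:00:05 10.0.0.23 f2h4j6l8n0p1r3t5.tun.example-attacker.test
2024-09-05T10:00:05 10.0.0.23 g7i9k1m3o5q8s0u2.tun.example-attacker.test
2024-09-05T10:00:06 10.0.0.15 www.example.com
2024-09-05T10:00:07 10.0.0.42 cdn.static-content.example
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character in a DNS label (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_dns_log(text: str) -> list:
    """Parse the three-column log into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines instead of failing the whole scan
        ts, client, qname = parts
        records.append((ts, client, qname.rstrip(".").lower()))
    return records


def registered_domain(qname: str) -> str:
    """Approximate the registrable domain as the last two labels.
    (A production detector would consult the Public Suffix List instead.)"""
    return ".".join(qname.split(".")[-2:])


def domain_stats(records) -> dict:
    """Per registered domain: query count, unique qnames, mean leftmost-label entropy."""
    per_domain = defaultdict(lambda: {"queries": 0, "qnames": set(), "entropies": []})
    for _ts, _client, qname in records:
        labels = qname.split(".")
        s = per_domain[registered_domain(qname)]
        s["queries"] += 1
        s["qnames"].add(qname)
        # Only subdomain labels can carry tunnelled data; a bare registered domain has none.
        if len(labels) > 2:
            s["entropies"].append(shannon_entropy(labels[0]))
    summary = {}
    for dom, s in per_domain.items():
        ent = s["entropies"]
        summary[dom] = {
            "queries": s["queries"],
            "unique_qnames": len(s["qnames"]),
            "mean_entropy": sum(ent) / len(ent) if ent else 0.0,
        }
    return summary


def flag_tunnel_candidates(records, min_unique: int = 5, min_entropy: float = 3.0) -> list:
    """Domains whose subdomain churn AND label entropy both exceed the thresholds."""
    return sorted(
        dom for dom, s in domain_stats(records).items()
        if s["unique_qnames"] >= min_unique and s["mean_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for dom, s in domain_stats(recs).items():
        print(f"{dom:28} queries={s['queries']:2} unique={s['unique_qnames']:2} "
              f"entropy={s['mean_entropy']:.2f}")
    print("tunnel candidates:", flag_tunnel_candidates(recs))
```

Both conditions are required on purpose: CDNs and anti-spam services also generate many unique subdomains, but their labels are usually short or structured rather than random-looking, and a single high-entropy label (a cache-busting hash, say) is not churn. Tune `min_unique` and `min_entropy` against a baseline of your own resolver logs before alerting on the output.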

Indicators of Compromise

  • [IP Address] – Example: 5.226.139.66, 179.43.175.38, and 179.43.175.108 (data exfiltration site)
  • [Domain] – Example: interlinks.top, ngrok.com, 3proxy.ru, nssm.cc
  • [File hash] – Example: Stage1 MD5 5d5c99a08a7d927346ca2dafa7973fc1, Stage2 MD5 764f691b2168e8b3b6f9fb6582e2f819
  • [File name] – Example: stage1.exe, stage2.exe, asd.exe, Frkmlkdkdubkznbkmcf.dll
  • [URL] – Example: hxxps://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg
  • [Hash] – Tbopbh.jpg MD5 b3370eb3c5ef6c536195b3bea0120929
  • [Hash] – Tbopbh.jpg after byte reversal into its functional form: MD5 e61518ae9454a563b8f842286bbdb87b
  • [Cloud storage] – Example: mega.nz (exfiltration target)
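A practical use of the indicator list above is to sweep existing proxy, DNS and endpoint logs for any of the values. The script below is an added example, not part of the CISA advisory: it loads the IP addresses, domains, MD5 hashes, file names and URL listed above (those values are copied from this summary; the `hxxps://` defanging is undone before matching), then reports which lines of a constructed sample log contain one of them. Domains match on exact host or any subdomain, hashes match case-insensitively, and the log lines, workstation names and internal addresses in `SAMPLE_LOG` are invented.

```python
"""Match the advisory's indicators of compromise against sample log lines.

Added example (not part of the CISA advisory): the indicator values come
from the summary above; the log lines, hostnames and internal addresses
in SAMPLE_LOG are constructed for this example.
"""
import re

# Indicator values copied from the advisory summary; grouped by type.
IOCS = {
    "ip": {"5.226.139.66", "179.43.175.38", "179.43.175.108"},
    "domain": {"interlinks.top", "ngrok.com", "3proxy.ru", "nssm.cc", "mega.nz"},
    "md5": {
        "5d5c99a08a7d927346ca2dafa7973fc1",  # stage1
        "764f691b2168e8b3b6f9fb6582e2f819",  # stage2
        "b3370eb3c5ef6c536195b3bea0120929",  # Tbopbh.jpg
        "e61518ae9454a563b8f842286bbdb87b",  # Tbopbh.jpg reversed to functional
    },
    "filename": {"stage1.exe", "stage2.exe", "asd.exe", "frkmlkdkdubkznbkmcf.dll"},
    "url": {"hxxps://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg"},
}

# Constructed sample log (invented): "<timestamp> <source> key=value ..."
SAMPLE_LOG = r"""
2024-09-05T11:02:13 proxy src=10.0.0.31 dst=5.226.139.66 method=CONNECT host=5.226.139.66:443
2024-09-05T11:04:50 edr host=WS-017 proc=C:\Users\alice\AppData\Local\Temp\stage1.exe md5=5D5C99A08A7D927346CA2DAFA7973FC1
2024-09-05T11:05:02 proxy src=10.0.0.31 dst=203.0.113.9 method=GET url=https://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg
2024-09-05T11:07:41 dns src=10.0.0.31 qname=abc123.ngrok.com type=A
2024-09-05T11:09:12 proxy src=10.0.0.44 dst=198.51.100.7 method=GET url=https://www.example.com/index.html
2024-09-05T11:15:30 edr host=WS-017 proc=C:\Windows\System32\svchost.exe md5=0a3b7c1d2e4f5a6b7c8d9e0f1a2b3c4d
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
FILE_RE = re.compile(r"[A-Za-z0-9_.-]+\.(?:exe|dll)\b")


def refang(value: str) -> str:
    """Undo common defanging so an indicator matches what actually appears in logs."""
    return (value.replace("hxxps://", "https://").replace("hxxp://", "http://")
                 .replace("[.]", ".").replace("[:]", ":"))


def host_matches(host: str, domains) -> bool:
    """True if host equals an indicator domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_line(line: str) -> list:
    """Return sorted (type, indicator) pairs found in one log line."""
    hits = set()
    low = line.lower()
    for ip in IP_RE.findall(low):
        if ip in IOCS["ip"]:
            hits.add(("ip", ip))
    for digest in MD5_RE.findall(low):  # hashes compared case-insensitively
        if digest in IOCS["md5"]:
            hits.add(("md5", digest))
    for host in HOST_RE.findall(low):
        for d in IOCS["domain"]:
            if host_matches(host, {d}):
                hits.add(("domain", d))
    for fn in FILE_RE.findall(line):
        if fn.lower() in IOCS["filename"]:
            hits.add(("filename", fn.lower()))
    for url in IOCS["url"]:
        if refang(url).lower() in low:
            hits.add(("url", url))
    return sorted(hits)


def scan_log(text: str) -> list:
    """Scan every non-empty line; return [(line_number, hits)] for lines with hits."""
    results = []
    numbered = enumerate((l for l in text.splitlines() if l.strip()), start=1)
    for n, line in numbered:
        hits = scan_line(line)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: " + ", ".join(f"{t}={v}" for t, v in hits))
```

Treat a hit as a lead for triage rather than proof of compromise: ngrok.com and mega.nz are legitimate services that show up in ordinary traffic, and the IP addresses in an advisory can be reassigned long after publication. The file hashes are the most specific indicators here, and the Discord CDN URL is specific to the WhisperGate delivery the advisory describes.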

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a