Feds Issue Warning About Russian Hacking Group Targeting Critical Infrastructure
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and their partners have issued a joint cybersecurity advisory about Russian military hackers who have been targeting critical infrastructure entities in the United States and other NATO countries. The authoring agencies believe the hackers are affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) but are distinct from other, more established GRU hacking groups. The hacking group is tracked by several cybersecurity companies under the names Cadet Blizzard, Ember Bear, Frozenvista, UNC2589, and UAC-0056.
The hackers conduct computer network operations against targets around the world for espionage, sabotage, and reputational harm, and have been active since at least 2020. Since January 2022, the hackers have been targeting organizations in Ukraine and deploying the destructive multi-stage wiper malware WhisperGate. In addition, offensive cyber campaigns have been conducted against NATO members in Europe and North America, and against other countries around the world. The campaigns have involved website defacements, infrastructure scanning, and data exfiltration. The stolen data may be sold or leaked online with the intent of causing reputational harm. Critical infrastructure and key resource sectors known to have been attacked by the group include government services, financial services, transportation systems, energy, and healthcare.
The group is believed to consist of junior active-duty GRU officers who are under the direction of more experienced Unit 29155 members and are gaining experience conducting cyber operations and enhancing their technical skills. The FBI believes that the cyber actors in Unit 29155 rely on non-GRU actors, including known cybercriminals and enablers, to conduct their operations.
The threat actors have been observed exploiting vulnerabilities such as the Dahua Security vulnerabilities CVE-2021-33044 and CVE-2021-33045, the Atlassian Confluence Server and Data Center vulnerabilities CVE-2022-26134 and CVE-2022-26138, and the Sophos Firewall vulnerability CVE-2022-3236. The hackers have also been observed obtaining exploit scripts for the following vulnerabilities: CVE-2020-1472 (Microsoft: Windows Server), CVE-2021-26084 (Atlassian Confluence Server and Data Center), CVE-2021-3156 (Red Hat: Privilege Escalation via Command Line Argument Parsing), CVE-2021-4034 (Red Hat: Polkit Privilege Escalation), and CVE-2022-27666 (Red Hat: Heap Buffer Overflow Flaw).
Critical infrastructure entities have been urged to take immediate action to improve their defenses against attacks, including ensuring that patches are promptly applied to fix known vulnerabilities, software solutions are updated to the latest versions, and the other recommended mitigations detailed in the alert are implemented. The U.S. State Department has announced that a reward of $10 million is available under its Rewards for Justice program for information on five hackers suspected of working for GRU Unit 29155: Vladislav Borovkov, Denis Igorevich Denisenko, Yuriy Denisov, Dmitry Yuryevich Goloshubov, and Nikolay Aleksandrovich Korchagin.