FBI, NSA and CISA Warn of Cyber Attacks From Specialist Russian Group That Targets Critical Infrastructure

Sep 16, 2024

Federal agencies are warning that a Russian intelligence unit, different from familiar faces such as “Cozy Bear” and “Fancy Bear,” is highly active in cyber attacks against NATO members and Ukraine allies and has been particularly aggressive toward critical infrastructure.

“Ember Bear,” also called Unit 29155 or “Cadet Blizzard,” is part of a Russian intelligence outfit that dates back nearly 100 years but has become an active participant in cyber attacks since at least 2020.

Russian intelligence unit a leading force in testing critical infrastructure

From 2020 to early 2022, Unit 29155 was conducting cyber attacks against a broad variety of international targets. A few weeks ahead of the Ukraine invasion, it seemed to narrow its focus mostly to targets in that country. However, it continues to hound NATO members and Ukraine allies, with what appears to be a particular interest in finding holes in their critical infrastructure systems that it can use to gain a foothold. The FBI reports that since 2020 the hackers have conducted about 14,000 domain scans across a total of 26 NATO member nations.

The group remains enough of a threat to the US that the State Department has announced bounties on five of its known junior officers. The public warning tracks with the Biden administration’s recent focus on cyber attacks on critical infrastructure, as situations involving Russia, China and Iran remain unstable with a non-zero risk of armed conflict breaking out.

The advice for organizations thus far is nothing out of the ordinary: ensure MFA is implemented, segment networks where possible and patch known vulnerabilities. But the last of these is particularly important, as the Russian hackers are known to regularly use Shodan and other tools to look for openings, something China’s hacking teams have also previously been observed devoting significant resources to. Any organization even adjacent to critical infrastructure (and its vendors) will be of interest to them.

New to cyber attacks, but long experience with assassinations

Unit 29155 is only known to have been active in cyber attacks dating back to 2020, but the group has a history of assassinations and other in-person spy work that goes back decades. It is thought to have been involved with the “Havana Syndrome” incidents in recent years, sending agents to test non-lethal acoustic weapons on embassy personnel.

In modern times the group appears to be something of a training unit for junior active-duty GRU officers on their way to bigger and better roles, particularly in the realm of cyber attacks. This tracks with much of its activity outside of Ukraine, which thus far has involved more minor incidents such as DDoS attacks and leaks of internal data.

The advisory notes that the group is also working with Russia’s private industry cyber criminals, though it does not offer much detail save that it obtains tools and malware from these sources at times. It is unknown if any of these groups are directly assisting in espionage or critical infrastructure attacks in foreign countries, in the way that China is using private contractors.

Any nation in NATO or supporting Ukraine is a likely target for this group. It is known to deploy the destructive WhisperGate malware but is not above stealing data beforehand and potentially leaking it to the public if it sees a strategic advantage in doing so. The advisory also notes that the group sometimes participates in for-profit attacks, presumably to bolster its operational funding as the Russian government devotes its resources to the Ukraine invasion.

Unit 29155 is also difficult to keep track of as it uses common public tools and red teaming techniques in its cyber attacks, obscuring exactly who the perpetrator is. The group will also likely use VPNs to mask its activity.
