Photo credit: www.csoonline.com
GRU Unit 29155: Specialists in Sabotage and Assassinations
The Russian military intelligence agency, GRU, operates several units that specialize in offensive cyber capabilities. Among these, Unit 26165, also known as the 85th Main Special Service Center (GTsSS), has been involved in cyber activities since 2004, recognized in the cybersecurity sector as APT28, Sofacy, Pawn Storm, or Fancy Bear. Another key unit, 74455, known as the Main Center for Special Technologies (GTsST), has been operational since at least 2009 and is tracked under various names including Sandworm, Electrum, or Voodoo Bear. This unit has gained notoriety for its cyberattacks on critical infrastructure, particularly its damaging campaigns against the Ukrainian power grid, which led to significant power outages in 2015, 2016, and 2022.
In contrast, Unit 29155’s foray into offensive cyber operations is relatively new, with its activities first documented in 2020. The unit, formally referred to as the 161st Specialist Training Center, has a history of conducting sabotage, assassination attempts, and influence operations across Europe, as noted by American intelligence agencies such as the FBI, NSA, and CISA.
Differing from the more established cyber units that utilize custom malware, Unit 29155 tends to rely on well-known red-teaming strategies combined with both open-source and commercially available tools. These include vulnerability scanners, network mapping tools, exploits sourced from GitHub, penetration testing frameworks, and various public tunneling and proxy software. Although the unit has developed some custom malware like WhisperGate, aimed at data wiping, it is not proprietary to Unit 29155 alone and reflects a broader trend in adapting prevailing cybersecurity tools for their operations.
Source
www.csoonline.com