The five officers of Russia’s GRU military intelligence service have been indicted for WhisperGate attacks and other activities meant to set the stage for Russia’s invasion and to deter allies from coming to Ukraine’s aid.

Five officers of the Russian military intelligence service, the GRU, and an alleged civilian collaborator were charged Thursday in the US with destructive cyberattacks against Ukrainian computer infrastructure ahead of Russia’s invasion in February 2022. The five officers, members of GRU’s Unit 29155, and their alleged collaborator are also accused of probing government computer systems belonging to 26 NATO member countries, including the US, and of hacking the transportation infrastructure of a Central European nation that was providing aid to Ukraine.

“The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020,” the FBI said in a cybersecurity advisory released jointly with government agencies from nine other countries.

According to the indictment, the attacks against Ukraine started about one month before Russia’s invasion and involved data-wiping malware called WhisperGate, as well as data theft and the subsequent leaking of personal information, with the purpose of causing Ukrainian citizens to question the safety of their government’s systems. The attacks targeted critical infrastructure systems, but also government agencies that had no military role, such as those in agriculture, education, science, and emergency services.
The indictment names Yuriy Denisov, a colonel in the Russian military who was the commanding officer for cyber operations in Unit 29155, and four lieutenants who engaged in these operations as part of the same unit: Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, and Nikolay Korchagin. The indictment also names a civilian co-conspirator, Amin Stigal, who assisted Unit 29155 members by setting up online infrastructure for their operations. Stigal was previously charged in June in connection with the same attacks.

In addition to the charges, the US State Department is offering a reward of up to $10 million for information about the location of the five defendants or about their cyber activities. The reward extends to “information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against US critical infrastructure.”

GRU Unit 29155: Specialists in sabotage and assassinations

The Russian GRU has multiple military units that engage in offensive cyber operations. For example, Unit 26165, or the 85th Main Special Service Center (GTsSS), has been engaged in cyber operations since as far back as 2004 and is tracked in the security industry as APT28, Sofacy, Pawn Storm, or Fancy Bear. Meanwhile, Unit 74455, or the Main Center for Special Technologies (GTsST), is tracked as Sandworm, Electrum, or Voodoo Bear and has been active since at least 2009. This team is particularly well known for its capability to attack critical infrastructure, including destructive cyberattacks against the Ukrainian power grid in 2015, 2016, and 2022 that resulted in blackouts. By comparison, Unit 29155’s expansion into offensive cyber operations appears to be much more recent, having first been observed in 2020.
According to the FBI, NSA, and CISA, this unit, officially known as the 161st Specialist Training Center, has traditionally been responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe.

While the other two, more experienced cyber units use bespoke malware, Unit 29155 favors well-known red-teaming techniques coupled with open-source and commercial tools, including vulnerability scanners, network mappers, proof-of-concept exploits copied from GitHub, penetration testing frameworks, public tunneling and proxy software, and more. The custom WhisperGate data-wiping malware seems to be an exception in its arsenal, but even that is not used exclusively by Unit 29155. In addition, Unit 29155 members collaborate with cybercriminals and even maintain accounts on dark web forums to obtain various hacker tools and malware loaders, such as Raspberry Robin and SaintBot, the FBI said.

All of this means there is a lot of overlap between this group’s tactics, techniques, and procedures (TTPs) and those of other threat groups, which can lead to its operations being misattributed to others. Unit 29155 activities have been tracked in the security industry as Cadet Blizzard, Ember Bear, Frozenvista, UNC2589, and UAC-0056.

“In addition to WhisperGate and other incidents against Ukraine, Unit 29155 cyber actors have conducted computer network operations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, and Central Asia,” the FBI alleged in its advisory. “The activity includes cyber campaigns such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release exfiltrated victim data obtained from their compromises.”

Since early 2022, the main focus of the unit’s cyber operations team has been to disrupt the efforts of other countries to provide aid to Ukraine.
The WhisperGate attacks

WhisperGate is a two-stage, ransomware-like malware program that corrupts files and overwrites a computer’s master boot record (MBR), replacing it with a ransom note that demands $10,000. This leaves the system unable to boot back into the operating system, which is unusual behavior for a ransomware program, but not unheard of. Using ransomware as a false flag to hide the real source and purpose of an operation is not a new tactic.

In fact, it is hard not to see the similarities between WhisperGate and NotPetya, another faux-ransomware attack launched in 2017 by GRU Unit 74455 (Sandworm) that corrupted the NTFS Master File Table. NotPetya also started in Ukraine, with a software supply chain attack against an accounting program that was widely used in the country. However, since it had worming capabilities through the EternalBlue SMB exploit, it spread through the internal networks of multinational companies, impacting organizations around the world.

According to the US Department of Justice, the Ukrainian government networks impacted by WhisperGate included the Ukrainian Ministry of Internal Affairs, State Treasury, Judiciary Administration, State Portal for Digital Services, Ministry of Education and Science, Ministry of Agriculture, State Service for Food Safety and Consumer Protection, Ministry of Energy, Accounting Chamber for Ukraine, State Emergency Service, State Forestry Agency, and Motor Insurance Bureau. The FBI advisory contains detailed TTPs, indicators of compromise, and recommendations for defending against both WhisperGate and Unit 29155 attacks more broadly.

“The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” said Assistant Attorney General Matthew G. Olsen of the National Security Division.
“Today’s indictment underscores that the Justice Department will use every available tool to disrupt this kind of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive targeting of the United States and our allies.”
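The article describes WhisperGate overwriting the master boot record with a ransom note in place of boot code. As an added example (not code from the article, the indictment, or the FBI advisory), the script below shows the kind of cheap, defender-side integrity check that catches that class of tampering on the first 512-byte sector of a disk: compare it against a baseline hash recorded at imaging time, confirm the 0x55AA boot signature is still present, and flag a bootstrap area that reads like text rather than machine code. The two sample sectors, the `make_demo_sector` helper, and the 0.9 printable-text threshold are constructed for the demo and are not real WhisperGate artifacts.

```python
"""Baseline-and-verify check for a disk's master boot record (MBR).

Wiper malware of the kind described above replaces the first sector of the
disk with a note instead of bootstrap code. This demo applies three checks
to a 512-byte sector:
  1. compare the sector against a known-good baseline SHA-256,
  2. confirm the 0x55AA boot signature at offset 510 is intact, and
  3. flag a bootstrap area (offsets 0-445) that is mostly printable text.
All sectors below are constructed for the demo (assumption), not captures.
"""
import hashlib
import string
from typing import Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
BOOTSTRAP_LEN = 446          # bytes before the 64-byte partition table
TEXT_THRESHOLD = 0.9         # demo threshold, not a vendor-published value


def baseline_hash(sector: bytes) -> str:
    """SHA-256 of a known-good MBR, to be recorded at install/imaging time."""
    return hashlib.sha256(sector).hexdigest()


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; boot code is mostly not."""
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data)


def inspect_mbr(sector: bytes, known_good: Optional[str] = None) -> dict:
    """Return findings for one 512-byte sector.

    known_good: optional baseline SHA-256 hex digest to compare against.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    findings = {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "printable_ratio": round(printable_ratio(sector[:BOOTSTRAP_LEN]), 3),
        "matches_baseline": None,
    }
    if known_good is not None:
        findings["matches_baseline"] = baseline_hash(sector) == known_good
    # Any one of: missing signature, text-like bootstrap, or baseline drift.
    findings["suspicious"] = (
        not findings["signature_ok"]
        or findings["printable_ratio"] > TEXT_THRESHOLD
        or findings["matches_baseline"] is False
    )
    return findings


def make_demo_sector(bootstrap: bytes, with_signature: bool = True) -> bytes:
    """Build a constructed sector: 446 bytes of bootstrap, a zeroed 64-byte
    partition table, and the 2-byte boot signature (or zeros if omitted)."""
    code = bootstrap[:BOOTSTRAP_LEN].ljust(BOOTSTRAP_LEN, b"\x00")
    table = b"\x00" * 64
    tail = BOOT_SIGNATURE if with_signature else b"\x00\x00"
    return code + table + tail


# Constructed "clean" MBR: a few x86 opcodes (cli; xor ax,ax; mov ss,ax;
# mov sp,0x7c00; sti) followed by zero padding.
CLEAN_MBR = make_demo_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")

# Constructed "wiped" MBR: a text note planted over the bootstrap area,
# with no boot signature.
WIPED_MBR = make_demo_sector(
    b"CONSTRUCTED DEMO NOTE: your disk has been corrupted. " * 9,
    with_signature=False,
)

if __name__ == "__main__":
    good = baseline_hash(CLEAN_MBR)
    for name, sector in (("clean", CLEAN_MBR), ("wiped", WIPED_MBR)):
        print(name, inspect_mbr(sector, good))
```

On a live system the sector would come from reading the first 512 bytes of the raw disk device with appropriate privileges, and the baseline digest would be stored off-host so a wiper cannot replace both the sector and its reference at once.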