Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure

A joint cybersecurity advisory detailing Russian cyber actors affiliated with the General Staff Main Intelligence Directorate (GRU) Unit 29155 targeting critical infrastructure worldwide.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

On September 5, 2024, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and international partners released a joint cybersecurity advisory (AA24-249A) detailing how Russian cyber actors affiliated with the General Staff Main Intelligence Directorate (GRU) Unit 29155 target critical infrastructure worldwide. These actors have conducted computer network operations since at least 2020 and are assessed to be responsible for the destructive WhisperGate malware deployed against Ukrainian organizations in January 2022.

The advisory warns that Unit 29155, also known as the GRU's 161st Specialist Training Center, has deployed tactics, techniques, and procedures (TTPs) for espionage, sabotage, and reputational harm against NATO members, European Union nations, and countries in Latin America and Central Asia.

Unit 29155's cyber operations drew wide attention with the deployment of WhisperGate against Ukrainian organizations in January 2022. WhisperGate is destructive malware disguised as ransomware: it overwrites the master boot record of the targeted system with a fake ransom note and corrupts files by overwriting their contents rather than encrypting them, so there is no decryption path and nothing to recover. The joint advisory notes that the unit has been operational since at least 2020, focusing on strategic targets with the intent to gather intelligence and destabilize critical infrastructure.

The cyber actors have employed a wide range of tools and techniques to gain unauthorized access, conduct reconnaissance, and exploit vulnerabilities in targeted systems. Publicly available tools such as Nmap (port and service discovery) and Acunetix (web application vulnerability scanning) were used to enumerate exposed services and weaknesses, while malware such as WhisperGate was deployed to destroy data.

Additionally, Unit 29155 cyber actors exploited vulnerabilities such as CVE-2021-33044 (an authentication bypass in Dahua IP cameras) and CVE-2022-26134 (an OGNL injection remote code execution flaw in Atlassian Confluence Server and Data Center) to compromise IP cameras and internet-facing Confluence servers. Their operational infrastructure relied on virtual private servers (VPSs), which obscured the true origin of their activity and made attribution harder.
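The reconnaissance and exploitation activity described above leaves traces in ordinary web server access logs. The following script is an added example for this article, not code from the advisory or its authors: it parses combined-format access log lines and flags three things, scanner traffic identified by User-Agent (Nmap's NSE HTTP library announces itself; matching the substring "acunetix" is an assumption about Acunetix probe traffic), one client enumerating many distinct paths, and CVE-2022-26134-style requests that carry an OGNL expression ("${...}") in the URI path. The log lines and the path-count threshold are constructed for illustration.

```python
"""Triage web access logs for scanner traffic, path enumeration and
CVE-2022-26134-style OGNL injection in Confluence request paths.

Added example for this article; not code from the advisory or its authors.
Log lines below are constructed (combined log format); thresholds are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip - - [ts] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Nmap's NSE http library sets this User-Agent. The "acunetix" marker is an
# assumption about what Acunetix probe requests look like; tune to your data.
SCANNER_UA_MARKERS = ("nmap scripting engine", "acunetix")

# A single client touching this many distinct paths is treated as enumeration
# (assumption; a real deployment would also window by time).
DISTINCT_PATH_THRESHOLD = 5


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, threshold=DISTINCT_PATH_THRESHOLD):
    """Return a list of (alert_type, client_ip, detail) tuples for the given log lines."""
    alerts = []
    paths_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ua = rec["ip"], rec["path"], rec["ua"].lower()
        paths_by_ip[ip].add(path)

        if any(marker in ua for marker in SCANNER_UA_MARKERS):
            alerts.append(("scanner_user_agent", ip, path))

        # CVE-2022-26134 is triggered by an OGNL expression in the URI path.
        # Decode once so both "/${...}/" and "/%24%7B...%7D/" are caught.
        if "${" in unquote(path):
            alerts.append(("ognl_injection_attempt", ip, path))

    for ip, paths in paths_by_ip.items():
        if len(paths) >= threshold:
            alerts.append(("path_enumeration", ip, f"{len(paths)} distinct paths"))
    return alerts


NMAP_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"

# Constructed sample: one Nmap scan walking five paths, one OGNL probe using the
# harmless "${7*7}" expression, and one ordinary user request.
SAMPLE_LOG = [
    f'203.0.113.5 - - [05/Sep/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "{NMAP_UA}"',
    f'203.0.113.5 - - [05/Sep/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 153 "-" "{NMAP_UA}"',
    f'203.0.113.5 - - [05/Sep/2024:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "{NMAP_UA}"',
    f'203.0.113.5 - - [05/Sep/2024:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "{NMAP_UA}"',
    f'203.0.113.5 - - [05/Sep/2024:10:00:03 +0000] "GET /setup HTTP/1.1" 404 153 "-" "{NMAP_UA}"',
    '198.51.100.7 - - [05/Sep/2024:10:05:00 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0 "-" "curl/8.0.1"',
    '192.0.2.10 - - [05/Sep/2024:10:06:00 +0000] "GET /wiki/spaces/TEAM/overview HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The OGNL check deliberately decodes the path only once; a doubly URL-encoded payload would still reach Confluence decoded, so a production rule should also match the encoded forms "%24%7B" directly or decode in a loop until the string stops changing.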

Insights and Analysis

The advisory stresses the severe implications of these cyber activities. More than 14,000 instances of domain scanning by the GRU actors have been recorded across at least 26 NATO members and several additional EU countries. These operations have resulted in data exfiltration, website defacement, and significant disruptions to key sectors, including energy, financial services, transportation, and healthcare. Furthermore, the advisory notes that these actors have actively sought to disrupt international support for Ukraine by targeting organizations involved in aid efforts.

To mitigate the threat posed by Unit 29155, the advisory strongly recommends immediate actions, including:

  • System Updates: Prioritize routine system updates and the remediation of known exploited vulnerabilities, including those the advisory lists.
  • Network Segmentation: Segment networks so that a compromised host cannot be used for unrestricted lateral movement.
  • Phishing-resistant Multi-factor Authentication (MFA): Enforce phishing-resistant MFA on all externally facing services, particularly those that front critical systems.
  • Logging and Monitoring: Deploy continuous monitoring, such as a SIEM fed by EDR telemetry, to detect and respond to anomalous activity.

This advisory serves as a stark reminder of the ongoing cyber threats from Russian state-sponsored actors targeting global critical infrastructure. Organizations are urged to review the recommended mitigations and stay vigilant against evolving TTPs to safeguard their systems.

Indicators of Compromise (IOCs)

No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK Techniques

| Tactic | Technique | ID | Description |
| --- | --- | --- | --- |
| Initial Access | Exploit Public-Facing Application | T1190 | Exploiting vulnerabilities in publicly accessible applications. |
| Discovery | Network Service Discovery | T1046 | Using tools to discover internal network services once inside a victim network. |
| Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | Dumping LSASS memory to retrieve credentials from victim machines. |
| Persistence | Server Software Component: Web Shell | T1505.003 | Using web shells to maintain persistent access to systems. |
| Defense Evasion | Valid Accounts: Default Accounts | T1078.001 | Using default credentials to access compromised systems. |
| Lateral Movement | Use Alternate Authentication Material: Pass the Hash | T1550.002 | Using Pass-the-Hash to authenticate via SMB on compromised systems. |
| Exfiltration | Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Exfiltrating data to cloud storage services such as mega[.]nz using tools like Rclone. |
| Command and Control | Proxy: Multi-hop Proxy | T1090.003 | Routing traffic through multiple proxy hops to conceal operational activity. |
| Impact | Data Destruction | T1485 | Destroying data as part of sabotage operations using malware like WhisperGate. |

References

CISA, FBI, NSA, et al. Joint Cybersecurity Advisory AA24-249A, "Russian Military Cyber Actors Target US and Global Critical Infrastructure," September 5, 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a