Russia’s Most Notorious Special Forces Unit Now Has Its Own Cyber Warfare Team

Unit 29155 of Russia’s GRU military intelligence agency—a team responsible for coup attempts, assassinations, and bombings—has branched out into brazen hacking operations with targets across the world.
A collage showing a service member working among the ruins of destroyed houses in Ukraine and a video still of a target...
PHOTO-ILLUSTRATION: WIRED STAFF; GETTY IMAGES

Russia's military intelligence agency, the GRU, has long had a reputation as one of the world's most aggressive practitioners of sabotage, assassination, and cyber warfare, with hackers who take pride in working under the same banner as violent special forces operators. But one new group within that agency shows how the GRU may be intertwining physical and digital tactics more tightly than ever before: a hacking team, which has emerged from the same unit responsible for Russia's most notorious physical tactics, including poisonings, attempted coups, and bombings inside Western countries.

A broad group of Western government agencies from countries including the US, the UK, Ukraine, Australia, Canada, and five European countries on Thursday revealed that a hacker group known as Cadet Blizzard, Bleeding Bear, or Greyscale—one that has launched multiple hacking operations targeting Ukraine, the US, and other countries in Europe, Asia, and Latin America—is in fact part of the GRU's Unit 29155, the division of the spy agency known for its brazen acts of physical sabotage and politically motivated murder. That unit has been tied in the past, for instance, to the attempted poisoning of GRU defector Sergei Skripal with the Novichok nerve agent in the UK, which led to the death of a bystander, as well as another assassination plot in Bulgaria, the explosion of an arms depot in the Czech Republic, and a failed coup attempt in Montenegro.

Now that infamous section of the GRU appears to have developed its own active team of cyber warfare operators—distinct from those within other GRU units such as Unit 26165, broadly known as Fancy Bear or APT28, and Unit 74455, the cyberattack-focused team known as Sandworm. Since 2022, GRU Unit 29155's more recently recruited hackers have taken the lead on cyber operations, including with the data-destroying wiper malware known as Whispergate, which hit at least two dozen Ukrainian organizations on the eve of Russia's February 2022 invasion, as well as the defacement of Ukrainian government websites and the theft and leak of information from them under a fake “hacktivist” persona known as Free Civilian.

Cadet Blizzard's identification as a part of GRU Unit 29155 shows how the agency is further blurring the line between physical and cyber tactics in its approach to hybrid warfare, according to one of multiple Western intelligence agency officials whom WIRED interviewed on condition of anonymity because they weren't authorized to speak using their names. “Special forces don’t normally set up a cyber unit that mirrors their physical activities,” one official says. “This is a heavily physical operating unit, tasked with the more gruesome acts that the GRU is involved in. I find it very surprising that this unit that does very hands-on stuff is now doing cyber things from behind a keyboard.”

In addition to the joint public statement revealing Cadet Blizzard's link to the GRU's unit 29155, the US Cybersecurity and Infrastructure Security Agency published an advisory detailing the group's hacking methods and ways to spot and mitigate them. The US Department of Justice indicted five members of the group by name, all in absentia, in addition to a sixth who had been previously charged earlier in the summer without any public mention of Unit 29155.

“The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” the US Justice Department's assistant attorney general Matthew G. Olsen wrote in a statement. “Today’s indictment underscores that the Justice Department will use every available tool to disrupt this kind of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive targeting of the United States and our allies.”

The US State Department also posted a $10 million reward for information leading to the identification or location of members of the group, along with their photos, to its Rewards for Justice website.

A State Department poster offering $10 million for information leading to the identification or location of the five GRU unit 29155 hackers.Courtesy of the US State Department

Beyonds its previously known operations against Ukraine, Western intelligence agency officials tell WIRED that the group has also targeted a wide variety of organizations in North America, Eastern and Central Europe, Central Asia, and Latin America, such as transportation and health care sectors, government agencies, and “critical infrastructure” including “energy” infrastructure, though the officials declined to offer more specific information. The officials told WIRED that in some cases, the 29155 hackers appeared to be preparing for more disruptive cyberattacks akin to Whispergate, but didn't have confirmation that any such attacks had actually taken place.

The US Department of State in June separately revealed that the same GRU hackers who carried out Whispergate also sought to find hackable vulnerabilities in US critical infrastructure targets, “particularly the energy, government, and aerospace sectors.” The DOJ's newly unsealed indictment against the 29155 hackers alleges they probed the network of a US government agency in Maryland 63 times—though without revealing whether any such probes were success—as well as searching for vulnerabilities in the networks of targets in no fewer than 26 NATO countries.

In many cases, the 29155 hackers' intention appeared to be military espionage, according to Western intelligence agency officials. In a Central European country, for instance, they say the group breached a railway agency to spy on train shipments of supplies to Ukraine. In Ukraine itself, they say, the hackers compromised consumer surveillance cameras, perhaps to gain visibility on movement of Ukrainian troops or weapons. Ukrainian officials have previously warned that Russia has used that tactic to target missile strikes, though the intelligence officials who spoke to WIRED didn't have evidence that 29155's operations specifically had been used for that missile targeting.

The Western intelligence agency sources say that GRU Unit 29155's hacking team was formed as early as 2020, though until recent years it primarily focused on espionage rather than more disruptive cyberattacks. The creation of yet another hacking group within the GRU might seem superfluous, given that the GRU's preexisting teams units such as Sandworm and Fancy Bear have long been some of the world's most active and aggressive players in cyber warfare and espionage. But Western intelligence agency officials say that Unit 29155 was likely driven to seek its own specialized hacking team due to internal competition within the GRU, as well as the group's growing clout following the perceived success of its operations—even the botched Skripal assassination attempt. “The Skripal poisoning gave them a lot of attention and a lot of mandate,” one official says. “We assess it’s very likely that’s resulted in them getting a lot of more funds and the resources to attract the capability to start a cyber unit. Success is measured differently in the Western world and Russia.”

According to the Western intelligence officials who spoke to WIRED, the 29155 hacking group is composed of just 10 or so individuals, all of whom are relatively young GRU officers. Several individuals participated in hacking “Capture the Flag” competitions—competitive hacking simulations that are common at hacker conferences—prior to joining the GRU, and may have been recruited from those events. But the small team has also partnered with Russian cybercriminal hackers in some cases, the officials say, expanding their resources and in some instances using commodity cybercriminal malware that has made its operations more difficult to attribute to the Russian state.

One example of those criminal partnerships appears to be with Amin Timovich Stigal, a Russian hacker indicted by the US in absentia in June for allegedly aiding in Cadet Blizzard's Whispergate attacks on the Ukrainian government. The US State Department has also issued a $10 million reward for information leading to Stigal's arrest.

In addition to reliance on criminal hackers, other signs of Cadet Blizzard's level of technical skill appear to fit with intelligence officials' description of a small and relatively young team, according to one security researcher who has closely tracked the group but asked not to be named because they weren't authorized by their employer to speak about their findings. To gain initial access to target networks, the hackers largely exploited a handful of known software vulnerabilities and didn't use any so-called zero-day vulnerabilities—previously unknown hackable flaws—according to the researcher. “There’s probably not a lot of hands-on experience there. They’re following a very common operating procedure,” says the researcher. “They just figured out the exploit du jour that would give them the most mileage in their chosen domains, and they stuck with it.” In another instance of the group's lack of polish, a map of Ukraine that had been included in their defacement images and posted to hacked Ukrainian websites included the Crimean peninsula, which Russia has claimed as its own territory since 2014.

Sophistication aside, the researcher also notes that the 29155 hackers in some cases compromised their targets by breaching IT providers that serve Ukrainian and other Eastern European firms, giving them access to victims' systems and data. “Instead of kicking the front door down, they’re trying to blend in with legitimate trusted channels, trusted pathways into a network,” the researcher says.

The security researcher also notes that unlike hackers in other GRU units, Cadet Blizzard appears to have been housed in its own building, separate from the rest of the GRU, perhaps to make the team harder to link to the Unit 29155 of which they're a part. Combined with the group's command structure and criminal partnerships, it all suggests a new model for the GRU's approach to cyber warfare.

“Everything about this operation was different,” the researcher says. “It’s really going to pave the way for the future of what we see from the Russian Federation.”

Update 9/6/2024 3:05pm ET: This story has been updated to reflect that the attempted poisoning Sergei Skripal led to the death of one bystander rather than two.