
“UNIT 29155” Russia Notorious Special Unit Secret Intelligence agencies, hacker attacks, GRU, Microsoft, and EU

Introduction

I assume most of you, like me, have seen or read about the discussion between the two contenders for President of the United States, Trump vs. Harris. It was a vigorous debate, with low and dirty punches below the belt, as the saying goes in boxing.

But one thing is certain, and it has not gone unnoticed: without secret and intelligence services engaged and operating at full capacity, such debates, particularly those involving the US presidential elections, cannot take place.

These days, one should anticipate cyber-attacks from all directions. Given the interest of all parties involved, it’s important to acknowledge that public domains often contain warnings about misinformation or disinformation.

Germany

A few days ago, the German domestic intelligence agency issued a warning about a cyber group belonging to Unit 29155 of the Russian military intelligence service.

The group claimed to have conducted cyberattacks against nations that are members of NATO and the European Union.

Germany’s Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz) posted on the platform X that the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and other international partners had issued a warning against the group known as UNC2589.

This warning comes at a time when worries about Russian hackers and spies’ operations are spreading throughout Europe and the rest of the world.

Cyber Attacks

Berlin had earlier this year accused Moscow of carrying out a string of hacking assaults against the ruling Social Democrats in Germany, as well as IT, defence, logistics, and aerospace firms.

The intelligence service warned that the organisation, also known as Ember Bear or Cadet Blizzard, engages in sabotage and espionage operations, frequently leaking stolen material and defacing websites.

The group is part of the GRU unit that came to light in 2018, when it was believed to have poisoned former Russian double agent Sergei Skripal and his daughter Yulia in the United Kingdom.

“Unit 29155”

Up until now, “Unit 29155” has been associated with sabotage and poisoning attacks.

According to reports from US officials and the German Office for the Protection of the Constitution, the unit is also responsible for widespread hacking attacks.

Although the targets were very different, all evidence points to the same Russian secret service unit: after the poisoning of former Russian agent Sergei Skripal in the UK and the attempted assassination of Bulgarian arms manufacturer Emilian Gebrev, it became evident that agents from “Unit 29155” were responsible.

It might also be the cause of the unsettling “Havana Syndrome.”

According to travel and telephone records, the research team found that members of GRU Unit 29155 were on the scene during many of the attacks that resulted in the “Havana Syndrome.” Specifically, they could have used electromagnetic or acoustic weapons.

You can read or listen to the audio episode where I discuss “Havana syndrome” in one of my previous posts.

Established in 2009, the unit, part of Russia’s GRU military intelligence arm, is considered Putin’s strike force. It is accused of carrying out killings and explosive attacks to instill terror and instability in the West.

Now, intelligence services have revealed that “Unit 29155” is also responsible for the cyber-attacks.

“WhisperGate”

This also makes the organisation responsible for a significant wave of malware attacks on Ukrainian systems known as “WhisperGate.”

The FBI, NSA, and the US cyber security agency CISA released this report. The research compiles the results of multiple Western intelligence agencies.

The analysis also incorporates data from the German Federal Office for the Protection of the Constitution.

The USA simultaneously issued public indictments against five GRU members.

Their intention was to destabilise Ukraine in the run-up to the Russian invasion in 2022 by sabotaging computer systems.

Among other targets of the “WhisperGate” campaign were the computers of the Ukrainian Ministry of Foreign Affairs and the official digital services platform.

The hackers also stole private information from Ukrainian national patient records. Additionally, they uploaded a message.

According to recent disclosures from Western intelligence agencies, “Unit 29155” has been operational in the cyber domain since 2020, with a primary focus on critical infrastructure systems.

The team reportedly launched attacks against several NATO institutions, but it was initially unclear if the operations were successful.

APT28 Group

In January of last year, hackers targeted German SPD email accounts. The federal authorities “clearly” blamed Russia for this and promised penalties.

In June 2023, the SPD reported that a cyber attack in January had targeted the email accounts of the SPD executive. A vulnerability in Microsoft software that was not yet publicly known at the time of the attack (a zero-day) made this possible.

This attack was attributed to the APT28 group.

APT28 became well-known after the attack on the Bundestag.

The German Office for the Protection of the Constitution states that the APT28 group has been operating since at least 2004 on a global scale, mainly in the area of cyberespionage.

It was also “among the most active and dangerous cyber actors in the world,” having previously spearheaded disinformation and propaganda campaigns.

It is evident that APT28 is a product of the Russian military intelligence agency GRU.

The attack on the SPD was part of a larger operation in which the Office for the Protection of the Constitution, the Federal Intelligence Service, and the Military Counterintelligence Service—all of Germany’s secret services—were involved in federal government investigations.

According to current information, the SPD attack is part of the APT28 campaign, which targets government agencies and companies operating in the energy, IT, defense, or aerospace sectors across several European countries.

Break into Microsoft

Last year, cyber-security agencies overseen by the White House issued a series of criticisms and warnings against tech giant Microsoft, claiming that hackers linked to Moscow and Beijing were able to exploit flaws in the company’s systems, particularly those related to email, allowing them to steal documents and information from US officials.

A lapse of this magnitude is a serious incident in and of itself, but the involvement of hackers who, according to American cyber experts, work for or in cooperation with China and Russia, exacerbates the problem.

China, a previous ally, is now likely Washington’s biggest and most important rival in terms of technology, economics, and military might. Russia, on the other hand, is America’s “old” Cold War foe, with whom it has “warred” for decades in a variety of ways, including by stealing each other’s data and in politics.

Given that millions of people worldwide, including numerous US departments, agencies, and services, rely on the technological behemoth’s services, it is understandable why the US agencies in charge of cyber-security were so forthright in their criticism.

Complexity is one of security’s main “enemies.”

Given Microsoft’s size and the variety of its services, its global partners and users may themselves represent security “holes.”

Partners with different levels of privilege may, willingly or unknowingly, serve as a “gateway” through which hostile actors get deeper into the system.

Furthermore, literally millions of users—including US government employees—use the company’s services, many of whom likely lack the necessary training for safe use. This increases the likelihood of infiltration.

While security and reputational damage are the primary concerns in the Microsoft hacking case, it is undeniable that these intrusions, if indeed executed by hackers with ties to Beijing and Moscow, signify a significant increase in the current state of international cyberwarfare.

These intrusions also impart a valuable lesson: if a corporation as large as Microsoft, on whose security measures millions of individuals and institutions worldwide rely, succumbs to such a severe cyberattack, two conclusions are possible.

  • The first, and a significant one, is that Microsoft’s standards are not as high as previously believed.
  • The second, and equally concerning, is that hackers possess the technological means and aptitude to breach the networks of one of the world’s wealthiest and best-protected corporations.

It is reasonable to assume that hackers will take inspiration from these types of operations and use that knowledge to launch ever riskier and more sophisticated assaults.

Given that cybersecurity incidents are getting more serious every day, businesses and agencies must recognise that cybersecurity is a never-ending battle and that they must continuously adapt and upgrade their defence systems to stay one step ahead of ever-increasing threats.

This post was written by Mario Bekes