Unit 29155 is assessed to have targeted organisations to collect information for espionage purposes, caused reputational harm by the theft and leaking of sensitive information, defaced victim websites and undertaken systematic sabotage caused by the destruction of data.
It is the first time the UK has publicly exposed Unit 29155, also designated as 161st Specialist Training Centre, as being responsible for carrying out malicious cyber activity, which it has undertaken since at least 2020.
Since 2022, the group’s overall aim seems to have been to target and disrupt efforts to provide aid to Ukraine. Today, the UK and allies can confirm that it was Unit 29155 specifically that was responsible for deploying the Whispergate malware against multiple victims across Ukraine prior to Russia’s invasion in 2022.
To prevent these malicious activities impacting UK organisations, the NCSC strongly advises network defenders to follow the recommended actions set out in the advisory to bolster their cyber resilience.
Paul Chichester, NCSC Director of Operations, said:
“The exposure of Unit 29155 as a capable cyber actor illustrates the importance that Russian military intelligence places on using cyberspace to pursue its illegal war in Ukraine and other state priorities.
“The UK, alongside our partners, is committed to calling out Russian malicious cyber activity and will continue to do so.
“The NCSC strongly encourages organisations to follow the mitigation advice and guidance included in the advisory to help defend their networks.”
The advisory says the Unit, which is assessed to be made up of junior active-duty GRU officers, also relies on non-GRU actors, including known cyber criminals and enablers to conduct their operations. The group differs to more established GRU-related cyber groups Unit 26165 (Fancy Bear) and Unit 74455 (Sandworm).
The NCSC has previously exposed details about malware operations used by cyber actors from Russia’s military intelligence to target the Ukrainian military and also called for organisations to take action following Russia’s attack on Ukraine.
In May 2022, the UK and allies attributed the use of Whispergate malware in Ukraine to Russia’s military intelligence service but this new advisory goes further by attributing its deployment specifically to Unit 29155.
