Russian military cyber actors target U.S. and global critical infrastructure

The Communications Security Establishment Canada (CSE) joins the following international partners to release a joint cybersecurity advisory about threat actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).

  • Communications Security Establishment Canada (CSE)
  • Canadian Security Intelligence Service (CSIS)
  • U.S. Department of the Treasury
  • U.S. Department of State (Rewards for Justice)
  • U.S. Cyber Command Cyber National Mission Force (CNMF)
  • Netherlands Defence Intelligence and Security Service (MIVD)
  • Czech Military Intelligence (VZ)
  • Czech Republic Security Information Service (BIS)
  • German Federal Office for the Protection of the Constitution (BfV)
  • Estonian Internal Security Service (KAPO)
  • Latvian State Security Service (VDD)
  • Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC)
  • United Kingdom National Cyber Security Centre (NCSC-UK)
  • Security Service of Ukraine (SBU)
  • Computer Emergency Response Team of Ukraine (CERT-UA)

A collective assessment of Unit 29155 cyber operations since 2020, this advisory alerts the public that these threat actors have been responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020.

Whether through offensive operations or scanning activity, Unit 29155 cyber actors are known to target critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of NATO members, the EU, and Central American and Asian countries.

GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. The FBI, NSA and CISA assess Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe.

This Cybersecurity Advisory (CSA) provides tactics, techniques, and procedures (TTPs) associated with Unit 29155 cyber actors—both during and succeeding their deployment of WhisperGate against Ukraine—as well as further analysis of the WhisperGate malware initially published in the joint CSA, Destructive Malware Targeting Organizations in Ukraine, published February 26, 2022.

For additional information on Russian state-sponsored malicious cyber activity and related indictments, see the U.S. Department of Justice (DOJ) press release, FBI's Cyber Crime webpage, and CISA's Russia Cyber Threat Overview and Advisories webpage.
