Unit 29155
Country: Russia
Organization: Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155)
Objective: Espionage, Sabotage, Assassinations, Influence Operations
(Page last updated: September 07, 2024)
Aliases:
- Bleeding Bear (superseded by Ember Bear)
- Cadet Blizzard (Microsoft)
- DEV-0586 (formerly used by Microsoft)
- Ember Bear (CrowdStrike, MITRE)
- FROZENVISTA (Google TAG)
- Lorec53 (NSFOCUS)
- Nascent Ursa (Unit 42?)
- Nodaria (Symantec)
- SaintBear (Malpedia, ETDA)
- UNC2589 (Mandiant)
- UAC-0056 (CERT-UA, Unit 42)
Identified Members
- Amin Timovich Stigal (Амин Стигал), Russian civilian hacker
- Yuriy Fedorovich Denisov (Юрий Денисов), Colonel and Commanding Officer of Cyber Operations for Unit 29155
- Vladislav Yevgenyevich Borovkov (Владислав Боровков), lieutenant in Unit 29155
- Denis Igorevich Denisenko (Денис Денисенко), lieutenant in Unit 29155
- Dmitriy Yuryevich Goloshubov (Дима Голошубов), lieutenant in Unit 29155
- Nikolay Aleksandrovich Korchagin (Николай Корчагин), lieutenant in Unit 29155
Vulnerabilities Exploited
- CVE-2017-11882 (7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability (Source: Unit 42)
The following 5 vulnerabilities have the same source: CISA
- CVE-2021-33044 (9.8 critical, in CISA's KEV Catalog) Dahua IP Camera Authentication Bypass Vulnerability
- CVE-2021-33045 (9.8 critical, in CISA's KEV Catalog) Dahua IP Camera Authentication Bypass Vulnerability
- CVE-2022-26134 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
- CVE-2022-26138 (9.8 critical, in CISA's KEV Catalog) Atlassian Questions For Confluence App Hard-coded Credentials Vulnerability
- CVE-2022-3236 (9.8 critical, in CISA's KEV Catalog) Sophos Firewall Code Injection Vulnerability
Exploitation Likely
CISA and co-authoring agencies warned on 06 September 2024 that Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for the following 5 vulnerabilities:
- CVE-2020-1472 (9.8 critical, in CISA's KEV Catalog) Microsoft Netlogon Privilege Escalation Vulnerability
- CVE-2021-26084 (9.8 critical, in CISA's KEV Catalog) Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability
- CVE-2021-3156 (7.8 high, in CISA's KEV Catalog) Sudo Heap-Based Buffer Overflow Vulnerability
- CVE-2021-4034 (7.8 high, in CISA's KEV Catalog) Red Hat Polkit Out-of-Bounds Read and Write Vulnerability
- CVE-2022-27666 (7.8 high) Red Hat: IPSec ESP Local Privilege Escalation Vulnerability
Tactics, Techniques, and Procedures
Mapped to MITRE ATT&CK Navigator Layers
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
- September 06, 2024 – ASD ACSC: Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure
- September 05, 2024 – CISA: Russian Military Cyber Actors Target US and Global Critical Infrastructure, available as PDF
- September 05, 2024 – U.S. Department of Justice:
- Five Russian GRU Officers and One Civilian Charged for Conspiring to Hack Ukrainian Government
- Indictment: United States of America v. Amin Stigal, Vladislav Borovkov, Denis Denisenko, Yuriy Denisov, Dmitriy Goloshubov, and Nikolay Korchagin
- Assistant Attorney General Matthew G. Olsen Delivers Remarks Announcing Charges Against Russian Military Officers
- September 05, 2024 – NSA: NSA, FBI, CISA, and Allies Issue Advisory about Russian Military Cyber Actors
- September 05, 2024 – U.S. State Department: Up to $1 Million Reward Offer for Information Leading to Arrest and/or Conviction of Russian National Tim Vakhaevich Stigal
- September 05, 2024 – Rewards for Justice: GRU Officers – Unit 29155
- September 05, 2024 – NCSC-UK: UK and Allies uncover Russian military unit carrying out cyber attacks and digital sabotage for the first time
- September 05, 2024 – BfV (Germany): Joint Cybersecurity Advisory on Russian Military Cyber Actors targeting U.S. and Global Critical Infrastructure
- September 05, 2024 – KAPO (Estonia): A GRU military unit launched cyberattacks against Estonian authorities
- September 05, 2024 – Estonia Prosecutor's Office: A GRU military unit launched cyberattacks against Estonian authorities
- September 05, 2024 – Estonia Ministry of Foreign Affairs (MFA): Estonia names Russia’s military intelligence in a first-ever attribution of cyberattacks
- September 05, 2024 – The Netherlands Military Intelligence and Security Service (MIVD): MIVD warns: Russians have set their sights on Western aid to Ukraine (Dutch)
- September 05, 2024 – CCCS: Russian military cyber actors target U.S. and global critical infrastructure
- June 26, 2024 – U.S. Department of Justice: Russian National Charged For Conspiring With Russian Military Intelligence To Destroy Ukrainian Government Computer Systems And Data (Amin Stigal)
2023
- June 14, 2023 – Microsoft: Cadet Blizzard emerges as a novel and distinct Russian threat actor
- February 16, 2023 – Google TAG: Fog of war: how the Ukraine conflict transformed the cyber threat landscape (PDF)
- February 08, 2023 – Symantec: Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine
2022
- December 05, 2022 – Elastic: Operation Bleeding Bear
- July 20, 2022 – USCYBERCOM: Cyber National Mission Force discloses IOCs from Ukrainian networks
- July 20, 2022 – Mandiant: Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities
- July 13, 2022 – Malwarebytes: Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign
- July 11, 2022 – CERT-UA: Attack by UAC-0056 group on state organizations of Ukraine using Cobalt Strike Beacon (CERT-UA#4941) (Ukrainian)
- July 06, 2022 – CERT-UA: Cyber attack UAC-0056 on state organizations of Ukraine using Cobalt Strike Beacon (CERT-UA#4914) (Ukrainian)
- April 26, 2022 – CERT-UA: UAC-0056 group cyber attack using GraphSteel and GrimPlant malware and the topic of COVID-19 (CERT-UA#4545) (Ukrainian)
- April 25, 2022 – Bitdefender: Deep Dive into the Elephant Framework – A New Cyber Threat in Ukraine
- April 04, 2022 – Intezer: Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations
- April 04, 2022 – NioGuard: Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware
- April 01, 2022 – Malwarebytes: New UAC-0056 activity: There’s a Go Elephant in the room
- March 30, 2022 – CrowdStrike: Who is EMBER BEAR?
- March 28, 2022 – CERT-UA: Cyber attack of the UAC-0056 group on the state bodies of Ukraine using GraphSteel and GrimPlant malware (CERT-UA#4293) (Ukrainian)
- March 15, 2022 – SentinelOne: Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software
- March 04, 2022 – Mandiant: Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation
- February 25, 2022 – Unit 42: Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
- February 21, 2022 – NSFOCUS: APT Lorec53 group launched a series of cyber attacks against Ukraine
- February 08, 2022 – NSFOCUS: APT Retrospection: Lorec53, An Active Russian Hack Group Launched Phishing Attacks Against Georgian Government
- February 02, 2022 – CERT-UA: Cyber attack of the UAC-0056 group on state organizations of Ukraine using SaintBot and OutSteel malware (CERT-UA#3799) (Ukrainian)
- January 20, 2022 – Unit 42: Threat Brief: Ongoing Russia and Ukraine Cyber Activity
- January 17, 2022 – Picus: TTPs used by DEV-0586 APT Group in WhisperGate Attack Targeting Ukraine
- January 16, 2022 – NCSCC-UA on Twitter: Operation #BleedingBear
- January 15, 2022 – Microsoft: Destructive malware targeting Ukrainian organizations
2021
- November 28, 2021 – NSFOCUS: 2021 Analysis Report on Lorec53 Group (PDF)
- April 06, 2021 – Malwarebytes: A deep dive into Saint Bot, a new downloader (origin of SaintBear?)