According to a joint cybersecurity advisory report issued on Friday, the cyberattacks were undertaken by a group tied to Unit 29155 of the GRU.
Previously, the same unit has been blamed for an explosion at an ammunition site in 2014 in Vrbětice, deep in the Czech Republic’s southeast, as well as “attempted coups, sabotage and influence operations, and assassination attempts throughout Europe.”
However, in 2020, Unit 29155 expanded its portfolio “to include offensive cyber operations.”
Among other objectives, this offshoot group was used to collect information for espionage, cause reputational harm by stealing and leaking sensitive information, and destroying data.
“Unit 29155 cyber actors [are assessed] to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership,” said the report.
“These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions,” it continued. Additionally, the report assessed that non-GRU officers had also been recruited, including known cybercriminals.
The unit is believed to be responsible for unleashing WhisperGate, a multi-stage wiper that has been deployed against the Ukrainian government, non-profit and tech organizations since January 2022.
In addition to launching WhisperGate against Ukraine, the group has also targeted NATO states as well as countries in Latin America and Central Asia with its activity, including website defacements, infrastructure scanning, data exfiltration, and data leak operations.
“Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine,” the report revealed.
Furthermore, over 14,000 cases of domain scanning had also been recorded, with these impacting 26 NATO members and several other EU nations.
“Whether through offensive operations or scanning activity, Unit 29155 cyber actors are known to target critical infrastructure and key resource sectors, including government services, financial services, transportation systems, energy, and healthcare sectors of NATO members, the EU, Central American, and Asian countries,” said the report.
Led by the FBI, the investigative operation also involved teams from Britain, Australia, Canada, Germany, the Netherlands, Estonia, Latvia, and the Czech Republic.
Together, their joint findings have enabled the Cybersecurity Advisory to develop tactics, techniques, and procedures to thwart further actions by Unit 29155.
