Russia’s most notorious special forces unit now has its own cyber warfare team
Russia’s military intelligence agency, the GRU, has long been famous as one of the world’s most prolific saboteurs, assassins, and perpetrators of violent acts and cyber war, with hackers who proudly work under the same banner as violent special forces operators. But a new group within the agency suggests the GRU may be weaving physical and digital tactics more closely than ever before: a group of hackers who emerged from the same unit responsible for some of Russia’s most notorious physical tactics, including poisonings, coup plots, and bombings inside Western countries.
A group of Western intelligence agencies revealed on Thursday that a group of hackers known as Cadet Blizzard, Bleeding Bear, or Greyscale—a group that has launched numerous cyberattacks against Ukraine, the United States, and other countries in Europe, Asia, and Latin America—is actually part of the GRU’s Unit 29155, a division of the spy agency known for its brazen acts of physical sabotage and politically motivated murder. That unit has been linked to the poisoning of former GRU defector Sergei Skripal with the nerve agent Novichok in Britain, which resulted in the deaths of two bystanders, as well as another assassination attempt in Bulgaria, an arms depot explosion in the Czech Republic, and a failed coup attempt in Montenegro.
Now, the infamous GRU unit appears to have developed its own active cyberwarfare operations team—different from those in other GRU units like Unit 26165, widely known as Fancy Bear or APT28, and Unit 74455, a cyber-attack-focused group known as Sandworm. Since 2022, new hackers recruited by GRU Unit 29155 have led cyber operations, including the data-wiping malware known as Whispergate, which attacked Ukrainian organizations on the eve of Russia’s invasion in February 2022, as well as the defacement of Ukrainian government websites and the theft and leaking of information from them under the guise of a fake “hacktivist” known as Free Civilian.
The identification of Cadet Blizzard as part of GRU Unit 29155 shows how the agency is blurring the lines between physical and cyber tactics in its approach to hybrid warfare, according to one of several Western intelligence officials WIRED interviewed, who spoke on condition of anonymity because they were not authorized to speak by name. “Special Forces don’t typically set up a cyber unit that mirrors their physical operations,” said one official. “This is a heavily physical operations unit, tasked with the more brutal acts that the GRU engages in. I find it very surprising that this unit that does these very physical things is now doing cyber stuff from behind a keyboard.”
In addition to its previously known operations against Ukraine, Western intelligence officials told WIRED that the group has also targeted a variety of organizations in North America, Eastern and Central Europe, Central Asia, and Latin America, such as the transportation and health care sectors, government agencies, and “critical infrastructure,” including “energy” infrastructure, though the officials declined to provide more specifics. Officials told WIRED that in some cases, the 29155 hackers appeared to be preparing for more disruptive cyberattacks similar to Whispergate, but there was no confirmation that any such attacks actually took place. The U.S. State Department issued a separate statement in June disclosing that the GRU hackers who carried out Whispergate also sought to find hackable vulnerabilities in U.S. critical infrastructure targets, “particularly the energy, government, and aerospace sectors.”
In many cases, the 29155 hackers’ intentions appear to be military espionage, according to Western intelligence officials. In one central European country, for example, they say the group infiltrated a railway agency to spy on trains carrying supplies to Ukraine. In Ukraine itself, they say the hackers tapped into consumer surveillance cameras, presumably to track the movements of Ukrainian troops or weapons. Ukrainian officials have previously warned that Russia has used that tactic to target missile strikes, although intelligence officials who spoke to WIRED have no evidence that 29155’s operation was specifically used for that missile targeting purpose.