Linked to Russian military intelligence (the GRU), and allegedly involved in foreign assassinations, sabotage, espionage, and cyber attacks, Unit 29155 is waging a hybrid destabilization war across Europe, Ukraine, the U.S., and the Western allies.
As U.S. intelligence agencies release a new joint advisory, Techopedia talked with cybersecurity experts to learn what Unit 29155 is all about, how the group is connected to recent sabotage acts in Europe ranging from arson to disinformation, and why the Kremlin thinks digital dependence is the weak point of the West.
FBI, NSA, and CISA Tracking Unit 29155 Issue Warning
On September 5, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) issued a joint advisory warning organizations about the technologies, tactics, and techniques that Unit 29155 uses to carry out its attacks.
According to the FBI and CISA, Unit 29155 is a group of threat actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center. It operates separately from other well-known GRU-affiliated groups, such as Unit 26165 and Unit 74455.
Unit 29155 is responsible for attacks against the U.S. and targets worldwide, including espionage, sabotage, and reputational harm. The group has been conducting cyber operations since at least 2020. In 2022, Unit 29155 deployed the WhisperGate malware against multiple Ukrainian victim organizations.
The FBI says the group is also responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe.
The Russian Strategy of ‘Western Digital Dependence’
Tom Kellermann, SVP of Cyber Strategy at Contrast Security, a code security platform company, told Techopedia that Russians believe the Western countries’ dependence on digital infrastructure is their weakness.
“The Russians recognize that the Achilles heel of NATO nations is their dependence on cyberspace, and thus they are launching widespread destructive cyberattacks against western critical infrastructures.”
Kellermann warned that attacks of this kind are part of a larger hybrid war that can lead to violence and death.
“This warning should serve as a harbinger of destructive hybrid attacks this fall wherein kinetic impact will manifest. Lives will be lost.”
The Hybrid War Against NATO and the West
For months, Russia has avoided direct violent confrontation with NATO to prevent a dangerous escalation and a wider war. However, through arson attacks and disinformation campaigns that fuel violent protests, Russia has allegedly brought hybrid war into European territory.
The burning of a London warehouse in March this year, a shopping center fire in Warsaw in May, the arrest in Germany in April of several people suspected of planning terrorism and arson attacks, and other violent incidents have all been identified as part of Russia's hybrid war in Europe.
Kellermann, from Contrast Security, spoke to Techopedia about the issue.
“In 2013, General Gerasimov gave an infamous speech about the weaknesses of the West due to our dependence on technology and public opinion,” Kellermann said.
“Since that dark day, Russia has used cybercriminals as mercenaries-proxies in exchange for untouchable status from Western law enforcement.”
Russia Prisoner Swap Exposes Value of Hackers for the Kremlin
In August 2024, in a major prisoner exchange between Russia and the West, several Russian spies and intelligence operatives returned to Moscow.
Vadim Konoshchenok, 48, accused of smuggling hundreds of thousands of illicit munitions from the U.S. to Russia, along with Vladislav Klyushin, 43, sentenced in Boston to nine years in prison for cybercrimes, and Roman Seleznev, 40, a convicted hacker and credit card fraudster, were among those included in the deal.
Kellermann from Contrast Security told Techopedia that the recent prisoner exchange proves how valuable an asset cybercriminals are for Putin.
“These cybercrime cartel leaders are seen as a national asset by Putin.”
Kellermann said that the U.S. has overestimated Putin as a rational actor, “which he is not”. He added that it is time for targeted governments to respond to fire with fire.
“We have been playing defense for too long. It is time NATO launched proportional disruptive cyberattacks against Russian critical infrastructure.
“The U.S. created the international laws governing cybercrime and had been reticent to break them even in self-defense due to established norms and our dependence on technology fearing escalation.”
Unit 29155: Attack Technologies and Techniques
The technical section of the FBI, CISA, and NSA joint advisory examines in detail the tooling Unit 29155 uses. The group relies on open-source and publicly available tools of the kind commonly used by red teams, ethical hackers, and penetration testers.
The group gains initial access by exploiting publicly known vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVEs), in internet-facing devices and applications. As vendors ship new apps, software, and OS versions ever faster, unpatched, exploitable CVEs have become a popular attack vector.
Exploiting CVEs demands more technical skill than phishing or social engineering, but it avoids the dependence on a victim's cooperation that those vectors carry.
Once inside a system or device, Unit 29155 seeks to establish persistence — remaining undetected in infrastructure for long periods of time, months or even years.
The group is also known for deploying destructive wipers and other malware such as WhisperGate, which it has already unleashed against Ukraine.
The FBI warns that Unit 29155 cyber actors have conducted computer network operations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, and Central Asia.
Unit 29155 defaces websites, scans both internet-facing and internal infrastructure for assets and vulnerabilities, steals data, and leaks or sells it on dark web forums.
Known targets include critical infrastructure and key resource sectors, government services, financial services, transportation systems, energy, and healthcare in NATO member states, the E.U., and countries in Latin America and Central Asia.
Kellermann told Techopedia that the new joint advisory underscores an escalation of punitive destructive cyberattacks which will have a kinetic impact.
“Many more zero-days will be unleashed to deploy wipers. Companies must appreciate that they are on the front lines now and invest more heavily in proactive cybersecurity technologies like ADR [Application Detection and Response], threat hunting, and XDR [Extended Detection and Response].”
Erich Kron, Security Awareness Advocate at KnowBe4, a company helping organizations strengthen their cybersecurity culture, told Techopedia that cyber operations are as much a part of modern geopolitics as traditional espionage and spy techniques have been in the past, or more so.
“While cyberattacks against critical infrastructure are certainly concerning, it is even more concerning to imagine that adversaries could gain access to systems without our knowledge and remain hidden.
“Organizations should ensure they are keeping track of the latest Indicators of Compromise (IoCs), educating employees about the potential to be targeted for attacks, and ensuring that technical controls are in place to monitor the potential for network infiltration and data exfiltration,” Kron said.
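The advisory describes Unit 29155 scanning infrastructure for assets and vulnerabilities and stealing data, and Kron recommends tracking IoCs and monitoring for infiltration and exfiltration. The script below is an added example of what that monitoring looks like at its simplest, written for this article and not taken from the advisory or from either vendor. It parses a constructed set of web-server access-log lines and applies three checks: source IPs that appear on an IoC list, IPs whose request pattern (many distinct paths, mostly 404s) looks like a vulnerability scan rather than browsing, and IPs that have pulled an unusually large volume of data. The IoC entries, the documentation-range IP addresses, and the thresholds are all assumptions chosen for illustration.

```python
"""Added example: triage of web access logs for IoC hits, scanning and bulk transfers.

Sample lines, the IoC list and the thresholds are constructed for this
illustration; none of them comes from the joint advisory.
"""
import re
from collections import defaultdict

# Matches the start of an Apache/nginx combined-format log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: one scanner (198.51.100.7), one IoC hit (203.0.113.9),
# one bulk download (192.0.2.44), plus benign traffic from 10.0.0.5.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Sep/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [05/Sep/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 210
198.51.100.7 - - [05/Sep/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210
198.51.100.7 - - [05/Sep/2024:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
198.51.100.7 - - [05/Sep/2024:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210
198.51.100.7 - - [05/Sep/2024:10:00:04 +0000] "GET /actuator/health HTTP/1.1" 404 210
198.51.100.7 - - [05/Sep/2024:10:00:04 +0000] "GET /console HTTP/1.1" 404 210
198.51.100.7 - - [05/Sep/2024:10:00:05 +0000] "GET /login HTTP/1.1" 200 1500
203.0.113.9 - - [05/Sep/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [05/Sep/2024:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 4100
192.0.2.44 - - [05/Sep/2024:10:03:00 +0000] "GET /backup/db.tar.gz HTTP/1.1" 200 734003200
192.0.2.44 - - [05/Sep/2024:10:03:30 +0000] "GET /backup/files.tar.gz HTTP/1.1" 200 512000000
"""

# Assumed IoC list for the example (documentation-range address, not a real indicator).
IOC_IPS = {"203.0.113.9"}


def parse(lines):
    """Yield one dict per line that matches the log pattern; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        yield rec


def ioc_hits(records, iocs=IOC_IPS):
    """Source IPs that appear on the IoC list."""
    return sorted({r["ip"] for r in records if r["ip"] in iocs})


def scanners(records, min_paths=5, min_404_ratio=0.6):
    """IPs that probe many distinct paths and mostly get 404s: the footprint of an
    asset or vulnerability scan rather than a user following links."""
    paths, total, not_found = defaultdict(set), defaultdict(int), defaultdict(int)
    for r in records:
        paths[r["ip"]].add(r["path"])
        total[r["ip"]] += 1
        if r["status"] == 404:
            not_found[r["ip"]] += 1
    return sorted(ip for ip in total
                  if len(paths[ip]) >= min_paths
                  and not_found[ip] / total[ip] >= min_404_ratio)


def bulk_transfers(records, threshold_bytes=500 * 1024 * 1024):
    """Per-IP bytes served above a threshold: a coarse tripwire for data theft."""
    served = defaultdict(int)
    for r in records:
        served[r["ip"]] += r["bytes"]
    return {ip: n for ip, n in served.items() if n >= threshold_bytes}


def triage(log_text):
    """Run all three checks over raw log text and return the findings."""
    records = list(parse(log_text.splitlines()))
    return {"ioc": ioc_hits(records),
            "scanners": scanners(records),
            "bulk": bulk_transfers(records)}


if __name__ == "__main__":
    for check, finding in triage(SAMPLE_LOG).items():
        print(f"{check}: {finding}")
```

The 404-ratio heuristic is deliberately coarse: a legitimate crawler can trip it, and an attacker who already knows the target's paths will not. It is a starting point for threat hunting, to be tuned against a site's own baseline, not a substitute for the advisory's mitigations.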
The Bottom Line
Global cyber operations supported by nation-state actors, and specifically by Russia, are nothing new. But the escalation of violent actions in Europe is undoubtedly a serious concern which leaves many wondering how far Putin is willing to go.
The FBI, NSA, and CISA highlight the role of Unit 29155 and its techniques. CISOs, security teams, and leaders should prepare their organizations in line with the mitigations and recommendations in the joint advisory.