Russian GRU’s 161st Specialist Training Center, also known as Unit 29155, has been implicated in a range of cyber sabotage and espionage operations across the globe. A joint advisory issued by the US government and its allies has linked the unit to the deployment of destructive malware, most notably WhisperGate, which targeted Ukraine by wiping the Master Boot Record (MBR) of computers. This marks the first confirmed instance of Unit 29155’s involvement in offensive cyber operations, after previously being connected to foreign assassinations and destabilization activities in Europe.
Unit 29155 had been under scrutiny for years, particularly after the attempted assassinations of Bulgarian arms dealer Emilian Gebrev in 2015 and former GRU Colonel Sergei Skripal in 2018, both incidents tied to the group by investigative outlet Bellingcat. However, new evidence points to the unit’s growing role in global cyber operations. According to the advisory, the group’s activities are focused on cyberespionage, data exfiltration, and sabotage, often involving the theft and public leakage of sensitive information. Unit 29155 operates with a mixture of junior GRU officers and non-GRU actors, including known cybercriminals.
The US Justice Department has also announced charges against Russian national Amin Timovich Stigal, a key figure tied to the GRU, for his role in hacking and destroying computer systems and data. The indictment reveals that, even before Russia’s full-scale invasion of Ukraine, Unit 29155 targeted Ukrainian government systems as well as computer networks in countries supporting Ukraine, including the United States. Stigal remains at large, with wanted bulletins issued for him and five other Unit 29155 cyber actors.
Unit 29155’s global cyber operations extend beyond Ukraine, with the FBI documenting over 14,000 instances of domain scanning across NATO and European Union countries. The group has also been linked to website defacements, infrastructure scanning, and the posting of exfiltrated data on public websites. The US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to implement system updates, network segmentation, and phishing-resistant multi-factor authentication to guard against these threats.
Reference:
