Cadet Blizzard, Bleeding Bear, Callisto, and Greyscale may sound like racehorses, but they are in fact some of the names attributed to a cyber warfare group run by the 161st Specialist Training Centre (aka Unit 29155) of the GRU, Russia’s military intelligence service.

According to wired.com, Unit 29155 is known for its “brazen acts of physical sabotage and politically motivated murder.” It is also behind at least one failed coup attempt (in Montenegro, which included an attempt to assassinate the prime minister).  

Stephen Green
Threat Intelligence Lead | Cyber Risk
sgreen@thomasmurray.com

But in late August 2024, the United Kingdom's National Cyber Security Centre (NCSC) and its international allies revealed that Unit 29155 is now waging sophisticated cyber operations as well. It is targeting numerous countries with a campaign of digital sabotage and espionage focused on critical infrastructure, government institutions, and private organisations.  

Knocked off the grid 

Unit 29155 has been operating since at least 2008, but was not publicly identified until 2019. The exposure of its cyber warfare team is a key moment in the ongoing battle against state-sponsored cyber threats.  

Although the unit's aim of creating political instability and social unrest through the spread of misinformation and disinformation is concerning enough, one of the most alarming aspects of its activities is its focus on critical infrastructure.

The unit has reportedly targeted energy grids, transportation systems, and water treatment facilities in several countries. By infiltrating these systems, the unit could cause widespread disruption and chaos as well as endanger public health and safety. 

The methods employed by Unit 29155’s cyber team are sophisticated and diverse. They range from spear-phishing campaigns targeting individuals with access to sensitive information to more complex operations involving the exploitation of software vulnerabilities within popular applications such as Confluence and Microsoft Exchange. The team has a demonstrated ability to rapidly adapt its tactics, making it a particularly challenging adversary for cyber security professionals. The NCSC says that the team is made up of junior active-duty GRU officers, but it differs from other GRU cyber teams like Unit 26165’s (Fancy Bear) and Unit 74455’s (Sandworm) because it also employs civilian threat actors.  

So far, the team’s most notable attack was the deployment of WhisperGate malware in January 2022, which wiped the Master Boot Records (MBR) of Ukrainian systems. The group is also linked to website defacements of Ukrainian organisations and the hack-and-leak Telegram channel “Free Civilian.” 

The NCSC reports that the team has attempted to breach government networks in multiple countries, seeking to steal classified information and potentially disrupt government operations. These actions not only pose a threat to national security but also undermine diplomatic relations and trust between nations. 

The private sector has not been spared either. Companies that the team has particularly targeted are those in strategic industries such as defence, aerospace, and technology. The goal appears to be both industrial espionage and the potential for future sabotage operations. 

What sets this team apart from many other cyber threat actors is its direct connection to the Russian military. That connection provides Cadet Blizzard with significant resources and protection, allowing it to operate with a level of impunity that most cybercrime organisations cannot match. The involvement of a nation-state in such activities raises serious concerns about the potential for escalation in cyber conflicts and the blurring of the lines between cyber warfare and traditional military operations.

Cyber-attacks allow for a high degree of anonymity and the ability to conduct false flag operations, making definitive attribution a complex task for the investigating authorities.  

Despite this, and as the unmasking of Cadet Blizzard demonstrates, the collaborative efforts of intelligence agencies and cyber security firms have made significant strides in identifying and exposing state-sponsored cyber threats. The global response to these revelations has been swift and coordinated: sanctions have been imposed on individuals and entities with the aim of disrupting the GRU's ability to conduct further attacks.

A(nother) wake-up call 

The latest revelations about the GRU's cyber activities serve as a wake-up call for organisations and governments worldwide. They highlight the need for enhanced cyber security measures, increased international cooperation in combating cyber threats, and further consideration of how the laws of armed conflict apply to such attacks, particularly in relation to the guidance given in the Tallinn Manual.

For individual organisations, the threat posed by groups like Cadet Blizzard underscores the importance of robust cyber security practices. This includes (but is not limited to):  

  • Reinforcing existing regulations and cyber security policies.  
  • Developing and implementing a plan for responding to cyber incidents.  
  • Establishing and maintaining comprehensive incident response plans.  
  • Proactively testing networks to identify and address vulnerabilities.  
  • Gaining a thorough understanding of network architecture and functions.  
  • Continuously reviewing and assessing risk exposure.  
  • Understanding the security implications of the supply chain.  
  • Sharing information on cyber-attacks and threats.  
  • Fostering cooperation in technologies and infrastructure.  
  • Encouraging collaboration between public and private institutions.   

We can help you with all aspects of preparing for a cyber-attack, whether it is a direct hit or through your supply chain. From threat intelligence to incident preparedness and response, to eDiscovery and advisory services, we can ensure that your organisation is ready to face whatever cyber challenges come your way. Talk to us to find out more. 
