US posts indictments, rewards in Russia’s WhisperGate hacks against Ukraine

Federal agencies continued to confront Russian cyber-operations on Thursday, unsealing an indictment against members of a Russian military intelligence unit involved with the destructive WhisperGate malware and other hacking campaigns.

The Department of Justice accused five members of Unit 29155 of the Russian General Staff Main Intelligence Directorate — the GRU — and an affiliated civilian with conspiracy to commit computer intrusion and wire fraud conspiracy. The U.S. government offered a reward of up to $10 million for information that could help prosecutors.

The indictment focuses on “a conspiracy to hack into, exfiltrate data from, leak information obtained from and destroy computer systems associated with the Ukrainian Government in advance of the Russian invasion of Ukraine,” the DOJ said. That country’s government was attacked with the data-destroying WhisperGate malware as early as January 2022.

“The GRU’s WhisperGate campaign, including targeting Ukrainian critical infrastructure and government systems of no military value, is emblematic of Russia’s abhorrent disregard for innocent civilians as it wages its unjust invasion,” said Assistant Attorney General Matthew G. Olsen. Targets included the Ministry of Internal Affairs, State Treasury and the Judiciary Administration as well as other civilian agencies.

Unit 29155 continues to undertake “computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm,” the FBI, CISA and the NSA said in a related advisory published Thursday alongside allied agencies such as the U.K.'s National Cyber Security Centre. Microsoft refers to the group as Cadet Blizzard.

The defendants charged are Col. Yuriy Denisov, a commanding officer of Cyber Operations for Unit 29155, and four lieutenants: Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov and Nikolay Korchagin. A civilian co-conspirator listed in the indictment, Amin Sitgal, was separately accused in June of participating in the WhisperGate campaign.

Thursday’s indictments come a day after the Department of Justice separately accused Russia of directing influence campaigns at U.S. voters.

Until 2020, Unit 29155 was “responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe,” the advisory from the FBI, NSA and CISA notes, but it has added cyber-operations since then. 

GRU and friends

The agencies provided technical details intended to help network operators spot Unit 29155’s activity.

“FBI assesses the Unit 29155 cyber actors to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership,” the advisory says. “These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations.”

Ukraine remains a top target, the U.S. advisory says. But Unit 29155 hackers “have conducted computer network operations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, and Central Asia.”

Website defacements, infrastructure scanning, data exfiltration and data leak operations are some of the unit’s other calling cards, according to the U.S. agencies. 

To help hide its activity, Unit 29155 uses “common red teaming techniques and publicly available tools” such as the scanning services Acunetix and Shodan, as well as the VirusTotal repository, the advisory says. WhisperGate attacks have included activity on the Discord chat application, too.

“Unit 29155 actors and their cyber-criminal affiliates commonly maintain accounts on dark web forums; this has provided the opportunity to obtain various hacker tools such as malware and malware loaders … like Raspberry Robin and SaintBot,” the agencies say.

The advisory includes an extended analysis of WhisperGate, based on samples collected from an unspecified victim. The agencies note that use of the malware isn’t exclusive to Unit 29155.

Other infamous GRU subgroups are more famous for cyber-operations, including Unit 26165, often called Fancy Bear or APT28, and Unit 74455, typically tracked as Sandworm.