topicnews · September 8, 2024

Putin’s ruthless killer squad: Why the group “29155” is so dangerous

It has been three days since the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) released a report on Russian actors and the threat they pose to global infrastructure.

The document summarizes the findings of several Western intelligence services. One name appears particularly frequently in the report, in which the Federal Office for the Protection of the Constitution was also involved: “Special Unit 29155.”

It belongs to the Russian military intelligence service (GRU) and specializes in assassinations abroad and the destabilization of states – for example through cyber attacks.

This is also mentioned in the current report of the security authorities. “We assume that cyber actors […] Unit 29155 has been responsible for computer network operations against global targets for espionage, sabotage, and reputational purposes since at least 2020,” it says.

Special Unit 29155 is said to have provided “WhisperGate” malware

On January 13, 2022 – about six weeks before the start of the Ukraine war – members of the special unit 29155 are said to have “begun deploying the destructive ‘WhisperGate’ malware.”

The “WhisperGate” campaign in January 2022 was intended to paralyze the IT systems of government and non-profit organizations in Ukraine. More is now known about the malware that was used – thanks to security experts at Microsoft.

A blog post states that “WhisperGate” looks like ransomware, i.e. an encryption Trojan, but has “no mechanism for demanding a ransom.” This means that the malware is apparently designed to irreversibly destroy the data on the target systems.

At about the same time as the “WhisperGate” attack, several websites, including that of the Ukrainian Foreign Ministry, were defaced. As several media outlets unanimously reported, the message “Ukrainians, be afraid and expect the worst” could be read on the affected pages.

Special unit 29155 also active in other countries

However, the special unit 29155 is said to have played a central role in more than just the “WhisperGate” campaign. As the Federal Office for the Protection of the Constitution writes on its website, the special unit also attacks networks in Europe and North America as well as countries in Latin America and Central Asia.

“The activities include destructive actions as well as scanning and data theft. The known targets include critical infrastructure as well as government agencies and companies in the financial, transport, energy and health sectors,” the federal agency’s post continues.

Since early 2022, the primary goal of the group, also known as “Putin’s Hit Squad,” appears to have been to scout and disrupt aid deliveries to Ukraine. According to the report, more than 14,000 cases of domain scanning have been registered in 28 NATO and EU countries, including Germany.

Agents of Group 29155: The “Men for the Rough Stuff”

It has been clear for years that the special unit 29155 is anything but a harmless group. The New York Times and Der Spiegel, among others, have published extensive research into the unit, which was probably founded in 2009.

Agents of the group are said to be behind the poison attack on the former Russian agent Sergei Skripal in Great Britain. In a “Spiegel” article, the members of 29155 are described as “men for the rough stuff” and “shadow warriors”, specially trained for complicated operations abroad.

The news magazine’s 2019 research also provides information about where those who provide their services to the special unit come from.

According to “Spiegel”, the majority of them are people in their late thirties to mid-forties who have fought in the wars in Chechnya or Ukraine, for example. One characteristic that most of them apparently have: unscrupulousness.

Report contains protective measures against cyber attacks

The recently published “Joint Cybersecurity Advisory” by the FBI, CISA and NSA deals with cyber threats. It describes various tactics that the special unit 29155 uses in digital sabotage operations. It also lists measures that organizations can take to protect themselves from cyber attacks.

This includes, for example, regular system updates and fixing known security vulnerabilities. According to the report, it also makes sense to segment networks. This means separating parts of a company network from one another in order to offer as little attack surface as possible.

In addition, the security authorities recommend setting up so-called “phishing-resistant multi-factor authentication (MFA)” for all outward-facing services – for example, webmail, virtual private networks (VPN) or accounts that access critical systems.

Logging in then requires not only a username and password but at least one additional factor which, unlike conventional MFA, cannot easily be intercepted through social engineering. Social engineering means manipulating a person into revealing personal information or access data.

CDU man Kiesewetter sees Germany in focus

In an interview with the “Handelsblatt”, CDU security politician Roderich Kiesewetter saw the joint findings of the security authorities as evidence of Russia’s hybrid warfare.

In his eyes, Germany is particularly in focus “because we make things particularly easy for Russia.” In his opinion, this is due on the one hand to the naivety of large parts of the population when it comes to the actions of autocracies and terrorist states. On the other hand, he believes that local security authorities are “poorly equipped against hybrid attacks.”

Despite everything, the special unit 29155 cannot operate completely undisturbed. In the USA, five members have now been charged with alleged cyber attacks on civilian infrastructure in Ukraine.