The Cybersecurity and Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI), the National Security Agency, and other international partners, issued an Alert on September 5, 2024, warning that cyber actors affiliated with the Russian military are targeting critical infrastructure, government services, financial services, transportation systems, energy, and healthcare sectors of NATO members.

The Alert warns that Unit 29155 cyber actors affiliated with the Russian military are collecting information for “espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data.” The cyber actors of Unit 29155 have been assessed as officers of the GRU and are being assisted by “known cyber-criminals.” Some of the threat group names associated with these actors include Cadet Blizzard, Ember Bear, Frozenvista, UNC2589, and UAC-0056.

Unit 29155 is believed to be responsible for WhisperGate against Ukraine and is involved in attacking numerous members of NATO. “The activity includes cyber campaigns such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release exfiltrated victim data obtained from their compromises.”

The FBI has detected more than 14,000 instances of domain scanning and “have defaced victim websites and used public website domains to post exfiltrated victim information.”

The Alert details the tactics, techniques, and procedures the threat actors use. To mitigate this, the Alert urges organizations to:

• Prioritize routine system updates and remediate known exploited vulnerabilities.
• Segment networks to prevent the spread of malicious activity.

Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.