The UK’s National Cyber Security Centre (NCSC) and its counterpart bodies in the Five Eyes intelligence alliance have joined partners from Czechia, Estonia, Germany, Latvia and Ukraine to identify a Russian military cyber unit that has been conducting a sustained campaign of malicious activity over the past four years.

Part of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, or GRU, Unit 29155 has conducted multiple computer network intrusions over the years, deploying tools such as the Whispergate malware used in cyber warfare operations against Ukraine.

Whispergate, a malware not dissimilar to NotPetya, was deployed across Ukraine in advance of Russia’s illegal February 2022 invasion. It appears at first glance to operate like a ransomware locker, but that activity conceals its true purpose, which is to target systems’ master boot records for deletion.

That Whispergate was linked to Moscow’s intelligence services was already well known, but this is the first time that its use has been attributed to a specific advanced persistent threat (APT) operation.

“The exposure of Unit 29155 as a capable cyber actor illustrates the importance that Russian military intelligence places on using cyberspace to pursue its illegal war in Ukraine and other state priorities,” said NCSC operations director Paul Chichester.

“The UK, alongside our partners, is committed to calling out Russian malicious cyber activity and will continue to do so. The NCSC strongly encourages organisations to follow the mitigation advice and guidance included in the advisory to help defend their networks.”

Unit 29155, also designated as the 161st Specialist Training Centre, and tracked by private sector threat researchers variously as Cadet Blizzard, Ember Bear (Bleeding Bear), Frozenvista, UNC2589 and UAC-0056, is likely composed of junior active-duty GRU personnel but is also known to fall back on third-party contractors, including known cyber criminals and their enablers, in the service of its operations. It differs to some extent from the more established GRU-backed APTs such as Unit 26165 (aka Fancy Bear) and Unit 74455 (aka Sandworm).

The NCSC said Unit 29155’s cyber operations selected and targeted victims primarily to collect information for espionage purposes, to deface their public-facing websites, to cause reputational damage by stealing and leaking sensitive information, and to sabotage their day-to-day operations.

According to the FBI, Unit 29155 has conducted thousands of domain scanning exercises across multiple Nato and European Union (EU) member states, with a particular focus on critical national infrastructure (CNI), government, financial services, transport, energy and healthcare. The Americans say it may also have been responsible for physical acts of espionage, including attempted coups and even assassination attempts.