US, allies warn of Russian cyber sabotage aimed at disrupting aid to Ukraine

WASHINGTON — A handful of US government agencies and allied nations have issued an advisory that a group of malicious Russian cyber attackers have conducted sabotage, espionage and “reputational harm,” against 26 NATO countries, including the US, with the primary goal of disrupting efforts to provide aid to Ukraine.

The advisory, signed by the National Security Agency, FBI, Cybersecurity and Infrastructure Security Agency (CISA) and international partners including Ukrainian, Latvian, German and Czech agencies, specifically warned about the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).

In addition to the group using the WhisperGate malware to target Ukrainian systems, it also conducted “destructive cyber campaigns, infrastructure scanning, and data exfiltration, with a primary focus since early 2022 of disrupting aid to Ukraine,” according to Thursday’s advisory. 

Related: Cyber lessons from Ukraine: Prepare for prolonged conflict, not a knockout blow

Dave Luber, NSA’s cybersecurity director, warned American companies of Unit 29155’s capabilities and urged them to take appropriate precautions to protect themselves from becoming a victim of of the group. 

“It is important for organizations to use this information and take immediate action to secure data and mitigate any harm caused by these malicious cyber actors,” he said in a press release. 

The advisory was released the same day as the Department of Justice unveiled new charges against members of the Kremlin’s military intelligence service, charging them for “destructive” computer attacks with the goal of sowing fear into Ukrainian society, according to the superseding indictment. 

The hackers did not target military agencies and industries inside Ukraine, according to the indictment, instead going after agriculture and healthcare records and publishing the personal data of thousands of Ukrainian citizens. 

Prosecutors stated that five members of the Russian GRU and one civilian were responsible for hacking several Ukrainian government entities nearly a month before Russia invaded Ukraine.

Prosecutors further stated that Russian hackers also targeted software systems in the US, including a Maryland government agency, according to the indictment. 

Though neither the advisory nor the indictment listed any defense companies as victims of the Russian attacks, NATO-nation firms have talked in the past about the threats they are seeing from cyber incursions in the wake of Russia’s February 2022 invasion of Ukraine.

For example, Italian defense firm Leonardo has seen an alarming uptick in cyber attacks, the company’s co-general manager, Lorenzo Mariani, previously told Breaking Defense. Mariani said his company doesn’t see a “really big risk of physical disruption, but there are, for sure, high risks of cyber attacks.” 

He added that his company has seen hundreds of cyber intrusion attempts per day, and while the majority are “negligible,” some are more serious.

“So we take care of that. We protect our data, we protect our systems. We absolutely give the maximum importance to doing all what we have to do in order for our digital part to be up and running and secure,” he said.

To prevent such occurrences from happening to other firms of all types, Thursday’s advisory suggested companies implement the following practices to uphold their cybersecurity hygiene: “prioritize routine system updates and remediate known exploited vulnerabilities,” segment networks to mitigate the spread of malicious activity and “enable phishing-resistant multifactor authentication” on external facing accounts.