The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and their partners have issued a [joint cybersecurity advisory](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a) about Russian military hackers who have been targeting critical infrastructure entities in the United States and other NATO countries. The authoring agencies believe the hackers are affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) but are distinct from other, more established GRU hacking groups. The hacking group is tracked by several cybersecurity companies under the names Cadet Blizzard, Ember Bear, Frozenvista, UNC2589, and UAC-0056.

The hackers conduct computer network operations against targets around the world for espionage, sabotage, and to cause reputational harm, and have been active since at least 2020. Since January 2022, the hackers have been targeting organizations in Ukraine and deploying the destructive multi-stage wiper malware WhisperGate. In addition, offensive cyber campaigns have been conducted against NATO members in Europe and North America, and other countries around the world. The campaigns have involved website defacements, infrastructure scanning, and data exfiltration. The stolen data may be sold or leaked online with the intent of causing reputational harm. Critical infrastructure and key resource sectors known to have been attacked by the group include government services, financial services, transportation systems, energy, and healthcare.

The group is believed to consist of junior active-duty GRU officers who are under the direction of more experienced Unit 29155 members and are gaining experience conducting cyber operations and enhancing their technical skills.
The FBI believes that the cyber actors in Unit 29155 rely on non-GRU actors, including known cybercriminals and enablers, to conduct their operations.

The threat actors have been observed exploiting vulnerabilities such as the Dahua Security vulnerabilities CVE-2021-33044 and CVE-2021-33045, the Atlassian Confluence Server and Data Center vulnerabilities CVE-2022-26134 and CVE-2022-26138, and the Sophos Firewall vulnerability CVE-2022-3236. The hackers have also been observed obtaining exploit scripts for the following vulnerabilities: CVE-2020-1472 (Microsoft: Windows Server), CVE-2021-26084 (Atlassian Confluence Server and Data Center), CVE-2021-3156 (Red Hat: Privilege Escalation via Command Line Argument Parsing), CVE-2021-4034 (Red Hat: Polkit Privilege Escalation), and CVE-2022-27666 (Red Hat: Heap Buffer Overflow Flaw).

Critical infrastructure entities have been urged to take immediate action to improve their defenses against attacks, including ensuring that patches are promptly applied to fix known vulnerabilities, that software solutions are updated to the latest versions, and that the other recommended mitigations detailed in the alert are implemented.

The U.S. State Department has announced that a reward of $10 million is available under its Rewards for Justice program for information on five hackers suspected of working for GRU Unit 29155: Vladislav Borovkov, Denis Igorevich Denisenko, Yuriy Denisov, Dmitry Yuryevich Goloshubov, and Nikolay Aleksandrovich Korchagin.

![Suspected GRU Unit 29155 hackers](https://www.hipaajournal.com/wp-content/uploads/2024/09/gru-hackers.jpg)

Suspected GRU Unit 29155 hackers. Source: U.S. Department of State, Rewards for Justice

The post [Feds Issue Warning About Russian Hacking Group Targeting Critical Infrastructure](https://www.hipaajournal.com/alert-russian-gru-hacking-group-critical-infrastructure/) appeared first on [The HIPAA Journal](https://www.hipaajournal.com).