A secretive Russian military intelligence unit, previously tied to foreign assassinations and destabilizing actions in Europe, has now been linked to cyberespionage and sabotage operations for the first time, according to a joint advisory from the US government and its allies.

The military unit — identified as Russian GRU’s 161st Specialist Training Center (Unit 29155) — is being blamed for a series of aggressive cyber operations around the world, including the destructive WhisperGate malware that wiped the Master Boot Record (MBR) of computers in Ukraine.

In the past, the investigative website Bellingcat found evidence linking Unit 29155 to the attempted assassinations of Bulgarian arms dealer Emilian Gebrev in April 2015 and the former GRU Colonel Sergei Skripal in March 2018.

According to the joint advisory, issued by law enforcement and cybersecurity agencies in multiple countries, Unit 29155 is responsible for cyber operations around the world, including the deployment of destructive malware, sabotage and cyberespionage.

The British government’s NCSC agency said Unit 29155 is made up of junior active-duty GRU officers but also used non-GRU actors, including known cybercriminals and enablers to conduct their operations. The group differs from more established GRU-related cyber groups Unit 26165 (Fancy Bear) and Unit 74455 (Sandworm). 

“Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe. Unit 29155 expanded their tradecraft to include offensive cyber operations from at least 2020,” according to a CISA advisory. “Unit 29155 cyber actors’ objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data.”

In tandem, the US Justice Department announced charges against Russian national Amin Timovich Stigal for a conspiracy to hack into and destroy computer systems and data.

“In advance of the full-scale Russian invasion of Ukraine, targets included Ukrainian Government systems and data with no military or defense-related roles. Later targets included computer systems in countries that were providing support to Ukraine, including the United States,” according to an indictment.

Stigal, who is linked to Russia’s GRU, remains at large. The government also issued wanted bulletins for five other Russians identified as GRU 29155 cyber actors.

The US government contends that Unit 29155 has conducted hacking operations  against NATO targets in Europe and North America, as well as countries in Europe, Latin America, and Central Asia. The activity includes website defacements, infrastructure scanning, data exfiltration, and data leak operations

“To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries. Unit 29155 cyber actors have defaced victim websites and used public website domains to post exfiltrated victim information,” CISA added.

The CISA advisory includes IOCs (indicators of compromise) to help hunt for signs of infections and the agency is urging organizations to prioritize system updates, network segmentation, and the deployment of phishing-resistant multi-factor authentication tools.

Related: Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper

Related: CISA, FBI Issue Warnings on WhisperGate, HermeticWiper Attacks

Related: US Charges Russian National Behind Wiper Attacks on Ukraine

Related: Microsoft Outs New Russian APT Linked to Wiper Attacks in Ukraine