US charges 5 Russian spies for Ukraine, NATO cyberattacks



GRU Unit 29155: Specialists in sabotage and assassinations

The Russian GRU has multiple military units that engage in offensive cyber operations. For example, Unit 26165, or the 85th Main Special Service Center (GTsSS), has been engaged in cyber operations since as far back as 2004 and is tracked in the security industry as APT28, Sofacy, Pawn Storm, or Fancy Bear. Meanwhile, Unit 74455, or the Main Center for Special Technologies (GTsST), is tracked as Sandworm, Electrum, or Voodoo Bear and has been active since at least 2009. This team is particularly well known for its capability to attack critical infrastructure, including destructive cyberattacks against the Ukrainian power grid in 2015, 2016, and 2022 that resulted in blackouts.

By comparison, Unit 29155’s expansion into offensive cyber operations appears to be much more recent, being first observed in 2020. According to the FBI, NSA, and CISA, this unit, officially known as the 161st Specialist Training Center, has traditionally been responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe.

While the other two, more experienced cyber units use bespoke malware, Unit 29155 favors well-known red-teaming techniques coupled with open-source and commercial tools, including vulnerability scanners, network mappers, proof-of-concept exploits copied from GitHub, penetration testing frameworks, public tunneling and proxy software, and more. The custom WhisperGate data-wiping malware seems to be an exception in its arsenal, but even that is not exclusively used by Unit 29155.
