Introducing the GRU’s Youngest Sibling: Ember Bear
A Closer Look at Unit 29155’s Latest Hacking Group
Introduction:
Unit 29155 is part of the GRU, Russia's notorious military intelligence agency. It is most famous for the attempted assassination of Sergei Skripal, a former Russian intelligence officer turned double agent. Although the unit focuses heavily on covert activities and foreign assassinations, it has recently expanded its operations to include a new hacking group, tracked as Ember Bear (CrowdStrike) or Cadet Blizzard (Microsoft).
In this short article, we will explore the role Unit 29155 plays in the GRU, its notable activities, and how it differs from the other cyber units within the GRU.
Who is Unit 29155?
Unit 29155 is assessed to be part of the GRU's 161st Special Purpose Specialist Training Centre. Although thought to have been established in 2008, its existence only became public in 2019. The unit is thought to focus heavily on activities such as assassination and attempts at destabilising European countries. Some notable events include:
- 2015 poisoning of a Bulgarian arms factory owner: There was an attempt to poison Bulgarian arms dealer Emiliyan Gebrev using a poison similar to Novichok.
- 2018 poisoning of a former GRU officer: Using similar techniques, there was another attempt to poison former Russian spy and British double agent Sergei Skripal.
- 2018 possible Russian bounty program against US military personnel: According to the CIA, there was an alleged bounty program in which the GRU paid Taliban-linked militants to kill Americans and their allies during the war in Afghanistan.
Ember Bear and their Cyber Operations:
According to a joint advisory published on 5 Sept 2024 by intelligence agencies, Ember Bear has conducted cyber espionage and sabotage against U.S. and global critical infrastructure since 2020. The FBI assesses that Ember Bear consists of junior GRU officers operating under the direction of experienced Unit 29155 leadership.
“These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations.”
Ember Bear has conducted cyber espionage against multiple NATO countries over the past few years, and its campaigns include website defacements, data exfiltration and data leak operations. It is known to target critical infrastructure and other key sectors, including government agencies.
However, since 2022 its focus has shifted mainly to Ukrainian government agencies: it defaced dozens of Ukrainian government websites and deployed the WhisperGate wiper a month before Russia's invasion.
WhisperGate has similarities to the NotPetya malware deployed by Sandworm (also part of the GRU). WhisperGate corrupts the Master Boot Record (MBR) and displays a ransom note demanding $10k in Bitcoin. It poses as ransomware but has no decryption or data-recovery function, so there is no way for victims to recover their data; WhisperGate is essentially a wiper.
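Because the MBR is the part of the disk a fake-ransomware wiper of this kind overwrites, a defender can verify its integrity directly. The following is an added example, not code from the original article or from any of the cited advisories: it parses a 512-byte MBR image, checks the structural invariants (boot signature, partition table sanity), compares the bootstrap region against a baseline hash taken from a known-good disk, and flags long printable text in the bootstrap region, which a ransom note produces but normal boot code does not. The two sample MBR images are constructed for the demonstration and are not WhisperGate bytes; the checks are generic and not a signature for any specific malware.

```python
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
LONG_TEXT_RUN = 40             # printable runs this long are unusual in boot code


def parse_partition_table(mbr: bytes) -> List[dict]:
    """Return the four primary partition entries as dicts (CHS fields ignored)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PARTITION_ENTRY_SIZE]
        )
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap region; record this from a known-good disk."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII bytes."""
    best = run = 0
    for b in data:
        if 0x20 <= b < 0x7F:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def check_mbr(mbr: bytes, baseline_hash: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the MBR looks intact."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector size {len(mbr)}"]
    findings = []
    if mbr[-2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if baseline_hash is not None and boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    if longest_printable_run(mbr[:BOOT_CODE_SIZE]) >= LONG_TEXT_RUN:
        findings.append("long text string in boot code (ransom-note style)")
    entries = parse_partition_table(mbr)
    if all(e["type"] == 0 for e in entries):
        findings.append("partition table empty")
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{e['status']:02x}")
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append(f"partition {i}: zero length")
    return findings


def build_good_mbr() -> bytes:
    """Constructed stand-in for a legitimate MBR: a few opcode-like bytes, the
    short error strings real boot code carries, zero padding, one NTFS partition."""
    code = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
            + b"Invalid partition table\x00"
            + b"Missing operating system\x00").ljust(BOOT_CODE_SIZE, b"\x00")
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = part0 + bytes(PARTITION_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed stand-in for a wiped MBR: bootstrap replaced by a note,
    partition table zeroed, signature kept so the sector still boots."""
    note = b"Your hard drive has been corrupted. Send $10,000 in bitcoin to recover it."
    code = note.ljust(BOOT_CODE_SIZE, b"\x00")
    return code + bytes(PARTITION_ENTRY_SIZE * 4) + BOOT_SIGNATURE


if __name__ == "__main__":
    baseline = boot_code_hash(build_good_mbr())   # captured when the disk was known-good
    print("good  :", check_mbr(build_good_mbr(), baseline))
    print("wiped :", check_mbr(build_wiped_mbr(), baseline))
```

On a live system the 512-byte input would come from reading the first sector of the disk (for example `/dev/sda` on Linux) with elevated privileges, and the baseline hash should be stored off-host, since a wiper that reaches the MBR can also reach a baseline file on the same disk.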
Judging from Ember Bear's activities so far, we do see certain similarities with Fancy Bear in its targeting of NATO countries. For now, however, all of its efforts appear to be focused on supporting Russia's war against Ukraine.
Differences between Fancy Bear, Sandworm and Ember Bear:
The integration of a cyber unit into Unit 29155 raises an important question: what exactly is its role compared to the other GRU hacking groups? I want to explore the similarities and differences between these units, since at a high level there seems to be an overlap in what Ember Bear does.
Fancy Bear
Fancy Bear's most well-known intrusions include the 2015 German Bundestag hack, the 2016 Democratic National Committee hack and the 2016 World Anti-Doping Agency hack. These three incidents are similar in that compromising the target does not cause any "physical damage"; the aim is mostly intelligence collection and advancing Russia's geopolitical agenda.
Sandworm
Sandworm is Russia's primary cyber sabotage unit, focused purely on causing physical disruption to its adversaries. Notable incidents include the 2014 and 2015 attacks on Ukraine's power grid, NotPetya in 2017, and the disruption of the 2018 Pyeongchang Winter Olympics.
Ember Bear
Ember Bear, on the other hand, has been reported to target critical infrastructure including the government, financial, transportation, energy and healthcare sectors, infrastructure where an attack could cause actual physical harm and disruption. So far, however, the only physical disruption attributed to the group is the WhisperGate attack against Ukraine.
Hypothesis
In my opinion, based on Ember Bear’s location at the 161st Special Purpose Specialist Training Centre and the assessment made by the FBI, it does seem that this might be a training school where junior cyber operators get hands-on training and real-world experience before “graduating” to the more advanced cyber units like Fancy Bear or Sandworm.
My uneducated guess is that the focus of Ember Bear might be a mix between both Fancy Bear and Sandworm, as we see espionage mixed in with sabotage. I have three possible theories:
- Ember Bear as a training unit: As mentioned earlier, Ember Bear may be a training unit, hence its focus on both cyber espionage and cyber sabotage. This would let its operators gain experience on both sides before being streamed into the more advanced counterparts.
- Ember Bear's purpose is to support the GRU in the fight against Ukraine: Ember Bear might be more aligned with Sandworm, as its current area of operations is Ukraine. It might be establishing itself as the cyber espionage arm of the GRU in the fight against Ukraine, while Sandworm focuses on cyber sabotage.
- Ember Bear as the global Sandworm: Given that Ember Bear initially targeted global critical infrastructure before being pulled back to support the Russian war effort, it might actually be setting itself up to conduct Sandworm-style attacks on a global scale.
Conclusion:
It takes a lot of planning, resources and explicit direction to set up a new military unit. For the GRU to integrate cyber capabilities into Unit 29155 suggests that the Russian leadership has deemed its previous cyber operations successful enough to warrant the creation of a new unit. Or perhaps Unit 29155 is meant to serve a different purpose from its big brothers Fancy Bear and Sandworm. Either way, this development shows that Russia is heavily invested in using cyber operations to achieve its goals.
Additional Resources:
- Russia’s Most Notorious Special Forces Unit Now Has Its Own Cyber Warfare Team
- Agencies warn of Russian GRU Unit 29155 hackers targeting US, global critical infrastructure
- Five Russian GRU Officers and One Civilian Charged for Conspiring to Hack Ukrainian Government
- GRU Unit 29155
- Technical Analysis of the WhisperGate Malicious Bootloader
- Cadet Blizzard emerges as a novel and distinct Russian threat actor