Introducing the GRU's Youngest Sibling - Ember Bear

Introduction

Unit 29155, a notorious component of Russia’s military intelligence agency, the GRU, has recently expanded into cyber operations with a new hacking group tracked as Ember Bear (CrowdStrike) or Cadet Blizzard (Microsoft). For a unit primarily known for covert action and assassinations abroad, adding an offensive cyber capability marks a significant evolution. This article explores Unit 29155’s role within the GRU, its notable activities, and how its new cyber unit differs from the GRU’s established cyber groups.

Who is Unit 29155?

Unit 29155 is assessed to be part of the GRU’s 161st Special Purpose Specialist Training Centre. Although it is believed to have been established around 2008, its existence only became public in 2019. Its operations primarily focus on:

  • Assassination attempts
  • Destabilization of European countries
  • Covert operations

Notable Activities

  1. 2015 Bulgaria Poisoning
    • Attempted poisoning of Bulgarian arms dealer Emiliyan Gebrev
    • A Novichok-type nerve agent is suspected to have been used
  2. 2018 Skripal Poisoning
    • Targeted Sergei Skripal, a former GRU officer who had spied for Britain, in Salisbury
    • Employed a Novichok nerve agent, the same class of poison
  3. Alleged Russian Bounty Program (reported in 2020)
    • US intelligence reportedly assessed that the GRU offered payments to Taliban-linked militants
    • The payments were allegedly rewards for attacks on US military personnel in Afghanistan

Ember Bear and Their Cyber Operations

According to a joint advisory published on September 5, 2024 by the FBI, CISA, NSA and partner agencies, Ember Bear has been conducting cyber espionage and sabotage against U.S. and global critical infrastructure since at least 2020. The FBI assesses that Ember Bear consists of junior active-duty GRU officers operating under the direction of experienced Unit 29155 leadership.

“These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cyber-criminals and enablers to conduct their operations.”

Key Operations

  • Cyber espionage against NATO countries
  • Website defacements
  • Data exfiltration
  • Data leak operations
  • Critical infrastructure targeting

Since early 2022, their focus has shifted primarily to Ukrainian government agencies, including:

  • Defacement of Ukrainian government websites
  • Deployment of the WhisperGate wiper malware in January 2022
  • Operations in the weeks immediately preceding Russia’s full-scale invasion in February 2022

WhisperGate Malware Analysis

WhisperGate superficially resembles NotPetya, the 2017 malware deployed by Sandworm (another GRU unit): both masquerade as ransomware while their real purpose is destruction. The malware:

  • Overwrites the Master Boot Record (MBR) with a small boot stub, so the system no longer boots into the operating system
  • Displays a fake ransom note demanding $10k in Bitcoin when the overwritten MBR executes
  • Functions as a wiper rather than actual ransomware: it overwrites data instead of encrypting it
  • Has no decryption capability, because nothing was ever encrypted; paying yields nothing and affected data cannot be recovered without backups
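The MBR-overwrite behaviour above is what an incident responder can check for directly on a disk image. The following is an added example, not code from the original post or from any analysis of the real malware: it parses a raw 512-byte boot sector, decodes the partition table, extracts printable strings from the boot-code region, and flags a sector that carries ransom-note text, lacks a plausible partition table, or differs from a recorded baseline hash. Both sample sectors are constructed inline; the "wiper-style" one imitates the shape of a note-displaying boot stub and does not reproduce WhisperGate’s actual bytes or note text.

```python
import hashlib
import string
import struct

MBR_SIZE = 512
PT_OFFSET = 446            # the four 16-byte partition entries start here
PT_ENTRY_SIZE = 16
BOOT_SIG = b"\x55\xAA"     # last two bytes of a valid boot sector
# Heuristic vocabulary for a ransom note; chosen for this example, not taken from any sample.
RANSOM_WORDS = ("bitcoin", "wallet", "pay us", "corrupted", "recover")


def parse_partition_table(mbr):
    """Decode the four little-endian MBR partition entries into dicts."""
    entries = []
    for i in range(4):
        off = PT_OFFSET + i * PT_ENTRY_SIZE
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def partition_table_is_plausible(entries):
    """A usable MBR has at least one in-use entry with a legal status byte and a non-zero size."""
    in_use = [e for e in entries if e["type"] != 0]
    if not in_use:
        return False
    return all(e["status"] in (0x00, 0x80) and e["sectors"] > 0 for e in in_use)


def ascii_strings(blob, min_len=8):
    """Return printable-ASCII runs of at least min_len bytes (the `strings` idea)."""
    printable = set(string.printable.encode()) - set(b"\x0b\x0c")
    out, run = [], bytearray()
    for b in blob:
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def assess_mbr(mbr, baseline_sha256=None):
    """Run the heuristics over one boot sector and return which of them fired."""
    if len(mbr) != MBR_SIZE:
        return {"suspicious": True, "findings": ["sector is not 512 bytes"],
                "partitions": [], "sha256": None}
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    entries = parse_partition_table(mbr)
    if not partition_table_is_plausible(entries):
        findings.append("no plausible partition table")
    text = " ".join(ascii_strings(mbr[:PT_OFFSET])).lower()
    hits = [w for w in RANSOM_WORDS if w in text]
    if hits:
        findings.append("ransom-note text in boot code: " + ", ".join(hits))
    digest = hashlib.sha256(mbr).hexdigest()
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append("boot sector hash differs from recorded baseline")
    return {"suspicious": bool(findings), "findings": findings,
            "partitions": entries, "sha256": digest}


def build_benign_mbr():
    """Constructed sample: a few opaque boot-code bytes plus one bootable NTFS-type partition."""
    code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x00" * (PT_OFFSET - 8)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (3 * PT_ENTRY_SIZE)
    return code + table + BOOT_SIG


def build_wiper_style_mbr():
    """Constructed sample imitating a note-printing boot stub; not the real malware's bytes."""
    note = b"Your hard drive has been corrupted. Pay us $10k in bitcoin to recover it."
    code = b"\xB4\x0E" + note + b"\x00" * (PT_OFFSET - 2 - len(note))
    table = b"\x00" * (4 * PT_ENTRY_SIZE)   # table zeroed: volumes are no longer locatable
    return code + table + BOOT_SIG


if __name__ == "__main__":
    for name, sample in (("benign", build_benign_mbr()), ("wiper-style", build_wiper_style_mbr())):
        verdict = assess_mbr(sample)
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "clean", verdict["findings"])
```

On a live investigation the 512 bytes would come from the first sector of the disk image (for example `dd if=disk.img bs=512 count=1`), and the baseline hash from the same sector recorded during a known-good build. The hash check catches any MBR replacement, including stubs that keep a valid partition table; the string and table heuristics give a reason a responder can report even when no baseline exists.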

Comparing GRU Cyber Units

Fancy Bear

  • Focus: Intelligence collection and geopolitical agenda advancement
  • Notable operations:
    • 2015 German Bundestag hack
    • 2016 Democratic National Committee breach
    • 2016 World Anti-Doping Agency attack

Sandworm

  • Focus: Cyber sabotage and physical disruption
  • Notable operations:
    • 2014-2015 Ukraine power grid attacks
    • 2017 NotPetya deployment
    • 2018 Pyeongchang Winter Olympics disruption

Ember Bear

  • Focus: Espionage, data theft and sabotage against critical infrastructure
  • Sectors targeted:
    • Government
    • Financial
    • Transportation
    • Energy
    • Healthcare

Analysis and Hypotheses

Based on Unit 29155’s link to the 161st Special Purpose Specialist Training Centre and the FBI’s assessment that its cyber actors are junior officers still building their skills, three possible theories emerge:

  1. Training Unit Theory
    • Serves as a training ground for junior cyber operators
    • Provides hands-on experience in both espionage and sabotage
    • Prepares operators for advanced units like Fancy Bear or Sandworm
  2. Ukraine Support Theory
    • Aligned with Sandworm’s objectives
    • Focuses on cyber espionage in Ukraine
    • Complements Sandworm’s sabotage operations
  3. Global Operations Theory
    • Potential for global-scale Sandworm-style attacks
    • Initial focus on global critical infrastructure
    • Currently redirected to support Russian war efforts

Conclusion

The integration of cyber capabilities into Unit 29155 represents a significant strategic development within the GRU. This expansion suggests one or more of the following:

  • Recognition of successful previous cyber operations
  • A new strategic direction for Unit 29155
  • Evolution of Russian cyber warfare capabilities

The creation of Ember Bear demonstrates Russia’s continued investment in cyber operations as a key component of its military strategy.

References

  1. Russia’s Most Notorious Special Forces Unit Now Has Its Own Cyber Warfare Team
  2. Agencies warn of Russian GRU Unit 29155 hackers targeting US, global critical infrastructure
  3. Five Russian GRU Officers and One Civilian Charged for Conspiring to Hack Ukrainian Government
  4. GRU Unit 29155
  5. Technical Analysis of the WhisperGate Malicious Bootloader
  6. Cadet Blizzard emerges as a novel and distinct Russian threat actor

This post is licensed under CC BY 4.0 by the author.