
Russia’s most famous special forces unit now has its own cyber warfare team


Russia’s military intelligence agency, the GRU, has long had a reputation as one of the most aggressive practitioners of sabotage, assassination and cyber warfare, with hackers proudly working under the same banner as violent special forces operators. But a new group within that agency shows how the GRU may be intertwining physical and digital tactics more closely than ever: a team of hackers that has emerged from the same unit responsible for Russia’s most notorious physical tactics, including poisonings, coup attempts and bombings in Western countries.

A broad group of Western government agencies from countries including the United States, the United Kingdom, Ukraine, Australia, Canada and five European countries revealed on Thursday that a hacking group known as Cadet Blizzard, Bleeding Bear or Greyscale — which has launched multiple hacking operations targeting Ukraine, the United States and other countries in Europe, Asia and Latin America — is in fact part of the GRU’s Unit 29155, the division of the spy agency known for its brazen acts of physical sabotage and politically motivated assassinations. That unit has been linked in the past, for example, to the attempted poisoning of GRU defector Sergei Skripal with the nerve agent Novichok in the United Kingdom, which led to the deaths of two bystanders, as well as another assassination plot in Bulgaria, the explosion of an arms depot in the Czech Republic and a failed coup attempt in Montenegro.

Now, that infamous section of the GRU appears to have developed its own active team of cyberwarfare operators, distinct from those in other GRU units such as Unit 26165, widely known as Fancy Bear or APT28, and Unit 74455, the cyberattack-focused team known as Sandworm. Since 2022, hackers most recently recruited by GRU Unit 29155 have taken the lead in cyber operations, including the data-wiping malware known as WhisperGate, which affected at least two dozen Ukrainian organizations on the eve of Russia’s February 2022 invasion, as well as the defacing of Ukrainian government websites and the theft and leaking of information from them under a fake “hacktivist” identity known as Free Civilian.

Cadet Blizzard’s identification as part of GRU Unit 29155 shows how the agency is further blurring the line between physical and cyber tactics in its approach to hybrid warfare, according to one of multiple Western intelligence agency officials whom WIRED interviewed on condition of anonymity because they were not authorized to speak using their names. “Special forces don’t normally set up a cyber unit that mirrors their physical activities,” one official says. “This is a very physical operational unit, tasked with the most horrendous acts that the GRU is involved in. I find it very surprising that this unit that does very practical things is now doing cyber things behind a keyboard.”

In addition to the joint public statement revealing Cadet Blizzard’s link to GRU Unit 29155, the U.S. Cybersecurity and Infrastructure Security Agency published an advisory detailing the group’s hacking methods and ways to detect and mitigate them. The U.S. Department of Justice indicted five members of the group by name, all in absentia, plus a sixth who had been previously charged earlier in the summer without any public mention of Unit 29155.

“The GRU’s WhisperGate campaign, which includes attacks against critical infrastructure and non-military Ukrainian government systems, is emblematic of Russia’s abhorrent disregard for innocent civilians as it carries out its unjust invasion,” U.S. Department of Justice Deputy Attorney General Matthew G. Olsen wrote in a statement. “Today’s indictment underscores that the Department of Justice will use every tool available to disrupt this type of malicious cyber activity and hold perpetrators accountable for indiscriminate and destructive attacks against the United States and our allies.”
