Russia’s military intelligence agency, the GRU, has long been known as one of the world’s most aggressive perpetrators of sabotage, assassinations, and cyberwarfare, with hackers proud to work under the same banner as violent special forces. But a new group within the agency suggests the GRU may be intertwining its physical and digital tactics more closely than ever before: a hacking team born out of the same unit responsible for some of Russia’s most notorious physical tactics, including poisonings, attempted coups, and bombings inside Western countries.
A broad group of Western government agencies, including the U.S., Britain, Ukraine, Australia, Canada and five European countries, revealed Thursday that a hacker group known as Cadet Blizzard, Bleeding Bear or Grayscale is actually part of the GRU’s Unit 29155, a division of the intelligence agency known for daring acts such as physical sabotage and politically motivated murders. The unit has previously been linked to an attempted poisoning of GRU defector Sergei Skripal with the Novichok nerve agent in Britain that left two bystanders dead, another assassination plot in Bulgaria, an arms depot explosion in the Czech Republic and an attempted coup in Montenegro.
Currently, this notorious division of the GRU appears to have developed its own active cyberwarfare operator teams distinct from those within other GRU units, such as Unit 26165, popularly known as Fancy Bear or APT28, and Unit 74455, a cyberattack-focused team known as Sandworm. Since 2022, more recently recruited hackers from GRU Unit 29155 have led cyber operations, including the data-destructive wiper malware known as Whispergate, which attacked at least 24 Ukrainian organizations on the eve of the Russian invasion in February 2022, and the defacement of Ukrainian government websites and the theft and leaking of information by a fake “hacktivist” persona called Free Civilians.
According to one of several Western intelligence officials WIRED spoke to on condition of anonymity, Cadet Blizzard’s identification as part of GRU Unit 29155 shows how the agency is further blurring the line between physical and cyber tactics in its approach to hybrid warfare. The officials spoke to them on condition of anonymity because they were not authorized to be named. “Special forces don’t typically develop cyber units that mirror their own physical operations,” one official said. “This is a very physical unit, and it’s tasked with the more brutal activities that the GRU is involved in. It’s very surprising that this unit, which is very hands-on, is now doing cyber stuff from behind a keyboard.”
In addition to the joint statement disclosing Cadet Blizzard’s ties to GRU Unit 29155, the US Cybersecurity and Infrastructure Security Agency released an advisory detailing the group’s hacking techniques and how to spot and mitigate them. The US Department of Justice named and indicted five members of the group, all in absentia, as well as a sixth who had been indicted over the summer without publicly mentioning Unit 29155.
“The GRU’s Whispergate operation, targeting Ukraine’s critical infrastructure and government systems with no military value, represents an abhorrent example of Russia’s disregard for innocent civilians while pursuing its unjust aggression,” Deputy Attorney General Matthew G. Olsen said in a statement. “Today’s indictment underscores the Department of Justice’s commitment to stopping this type of malicious cyber activity and holding accountable those who indiscriminately and destructively target the United States and its allies.”
