Top Russian cyber units and hacking groups to watch out


With the cooptation or recruitment of criminal and civilian hackers, Russia has increased its personnel, capabilities, and capacity to conduct a wide range of global cyber operations, primarily Distributed Denial of Service (DDoS) attacks, over the last 20 years.

Russia has been deploying sophisticated cyber capabilities to conduct propaganda, disinformation, espionage, and destructive cyberattacks. To carry out these operations, it maintains several units overseen by various security and intelligence agencies, primarily Russia’s military intelligence agency, the Main Directorate of the General Staff, or GRU.

Some of Russia’s most notorious cyber operations have been linked to the GRU. The GRU is also said to control several research institutes that aid in developing hacking tools and malware. These units have been dubbed APT (Advanced Persistent Threat) 28, Fancy Bear, Voodoo Bear, Sandworm, and Tsar Team by cyber analysts.

This article will look at some of the most important Russian cyber units and threat actors in 2022.

1. Unit 26165 (Fancy Bear, STRONTIUM, APT28, Group 74, Pawn Storm, SNAKEMACKEREL, Sednit, Sofacy, Swallowtail, TG-4127, Threat Group-4127, or Tsar Team)

Unit 26165, also known as Fancy Bear, STRONTIUM, APT28, Group 74, Pawn Storm, SNAKEMACKEREL, Sednit, Sofacy, Swallowtail, TG-4127, Threat Group-4127, and Tsar Team, is a Russian state-sponsored hacking group associated with GRU. It was created during the Cold War as the 85th Main Special Service Center, responsible for military intelligence cryptography.

This hacking group has been active since 2007 and usually targets privileged information related to government, military, and security organizations, but it became dominant in 2017. The US government has identified the group responsible for hacking the Democratic Congressional Campaign Committee, the Democratic National Committee, and Hillary Clinton’s presidential campaign.

Unit 26165 has also been linked to cyber operations against government, private-sector, and political targets in the US and Europe. The Netherlands has accused Unit 26165 of being involved in the attempted OPCW hack in 2018 and has focused its investigation on the downing of Malaysia Airlines Flight 17 in 2014. (MH17). According to the Dutch investigation, pro-Russian Ukrainian separatists were armed with Russian surface-to-air missiles. According to the UK foreign secretary, the group was behind the cyberattacks on Germany’s Parliament in 2015.

2. Unit 74455 (Sandworm Team, Black Energy, BlackEnergy, ELECTRUM, Iron Viking, Quedagh, TeleBots, TEMP.Noble, or VOODOO BEAR)

Unit 74455, also known as Sandworm Team, Black Energy, BlackEnergy, ELECTRUM, Iron Viking, Quedagh, TeleBots, TEMP.Noble, or VOODOO BEAR, has been linked to some of Russia’s most brazen and damaging cyberattacks. This group has a strong interest in US and European critical systems.

Starting on the eve of the 2016 Democratic National Convention, it used various fictitious online identities (DCLeaks and Guccifer 2.0) to coordinate the release of politically sensitive stolen documents with WikiLeaks for “maximum political impact.”

Since 2009, this group of Russian hackers has been behind a major cyber campaign targeting foreign leaders and institutions, particularly those in Ukraine. They may have also been involved in cyberattacks against Georgia during the 2008 Russian-Georgian conflict.

During the 2016 US presidential election, the US government identified Unit 74455 as the group responsible for the coordinated release of stolen documents and emails. Unit 74455 appears to have significant offensive cyber capabilities rather than focusing solely on penetrating systems and gathering data.

The Department of Justice indicted members of GRU Unit 74455 in October 2020 for several cyberattacks, including the 2017 NotPetya malware attack. The malware was used against several targets in Ukraine in June 2017. The malware quickly spread worldwide, wreaking havoc on countries and businesses far beyond Ukraine.

The US Department of Justice indicted six GRU officers from Unit 74455 in October 2020 for a variety of cyberattacks, including the December 2015 Ukraine power grid cyberattack, the 2017 Macron email leaks, the 2017 NotPetya attacks, the 2018 Winter Olympics hack (for which the GRU attempted to frame North Korea), several 2018 attacks on Skripal case investigators, and a 2018-2019 cyberattack campaign against Georgian media and the Georgian Parliament.

3. APT29 (Dukes or Cozy Bear)

APT29, also known as Dukes or Cozy Bear, is a well-funded, well-organized, and well-resourced cyberespionage group within Russian intelligence services. The group has been active since at least 2008, with the primary goal of gathering intelligence to aid in the formulation of foreign and security policy decisions. APT29 primarily targets Western governments and related organizations, including ministries and agencies, political think tanks, subcontractors, diplomatic, healthcare, and energy targets.

APT29 uses a variety of tools to conduct targeted campaigns. The goals and timing of these campaigns appear to correspond to the Russian Federation’s known foreign and security policy interests at the time.

The group frequently employs publicly available exploits to conduct widespread scanning and exploitation of vulnerable systems, most likely to obtain authentication credentials that will allow them to gain further access. This broad targeting could give the group access to a wide range of systems worldwide, especially when they become more important targets in the future.

APT29 has conducted biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and organizations and targeted attacks. A quick but noisy break-in is followed by a rapid collection and exfiltration of as much data as possible in these campaigns. If the compromised target is found to be valuable, APT29 switches toolsets and employs stealthier tactics aimed at long-term intelligence gathering and persistent compromise.

4. Unit 54777 (the 72nd Special Service Center)

Unit 54777 (also referred to as the 72nd Special Service Center) is responsible for GRU’s psychological operations. This includes online disinformation and information operations. Unit 54777 retains several front organizations, including InfoRos and the Institute of the Russian Diaspora. The unit originated from Soviet GLAVPUR (Glavnoye Politicheskoye Upravlenie, or the Main Political Department). It was created in the early 1990s and notably employed colonel Aleksandr Viktorovich Golyev, whose memoirs were published in 2020 and other GRU documents.

The unit’s focus in the 1990s was on pro-Soviet disinformation in newly divided republics like Lithuania and Chechnya. In later years, the unit was involved in a wide range of activities, including running NGOs that targeted Russian expatriates in Western countries (InfoRos, Institute of the Russian Diaspora, World Coordinating Council of Russian Compatriots Living Abroad, Foundation for Supporting and Protecting the Rights of Compatriots Living Abroad), as well as manipulating public opinion in Russia and abroad in preparation for armed conflicts like those in Georgia, Donbas, and Syria.

5. Unit 29155

Foreign assassinations and other covert activities to destabilize European countries are the responsibility of Unit 29155. The unit is thought to have been operating in secret since 2008, but its existence was only revealed in 2019. It is headquartered in eastern Moscow at the 161st Special Purpose Specialist Training Center.

Its members included decorated veterans of the Soviet war in Afghanistan and Russia’s recent conflicts in Chechnya and Ukraine. It was linked to the Russian annexation of Crimea in 2014, the Bulgarian arms dealer Emilian Grebev’s poisonings in 2015, the 2016 Montenegrin coup attempt, and the poisoning of Russian defector Sergei Skripal. The unit is also suspected of being involved in an alleged Russian bounty program in which Taliban militants were paid to kill American troops. However, the program’s existence is unknown, unproven, and unverified.