UK intel: Russia’s GRU unit known for sabotage, assassination attempts in EU responsible for cyberattacks aiding Ukraine invasion

In its September 11 intelligence update, the British Defense Ministry says the UK National Cyber Security Centre reported that since at least 2020, the Russian GRU intelligence unit 29155 has conducted offensive cyber operations globally, including supporting Russia’s invasion of Ukraine, attempted coups, sabotage, and assassination attempts across Europe.

Offensive cyber operations signal the growing capabilities of Unit 29155, highlighting Russia’s strategic emphasis on cyberspace during the full-scale invasion, the Defense Ministry says.

The Ministry wrote:

• On 05 September 2024, the UK National Cyber Security Centre publicly assessed that the Russian Military Intelligence (GRU) Unit 29155 has been responsible for a series of offensive cyber operations targeting victims globally since at least 2020. At least some of the group’s cyber operations have almost certainly been aimed at supporting the Russian invasion of Ukraine.
• Operations have included the ‘WhisperGate’ destructive wiper malware, which was used against Ukrainian targets in 2022. Other activities have included website defacements and network scanning for espionage purposes. WhisperGate was previously attributed to the Russian state; this new advisory specifically links the attack to GRU Unit 29155.
• Unit 29155 is assessed to be responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe. Offensive cyber operations therefore mark a development in the capabilities of Unit 29155. This further highlights the value the Russian state places on cyberspace in the context of their invasion of Ukraine.

According to Western intelligence and investigative reports, the unit has been active since at least 2008, with notable operations including the attempted assassinations of Bulgarian arms dealer Emilian Gebrev, former GRU Colonel Sergei Skripal, and involvement in the 2014 Vrbětice ammunition depot explosions in the Czech Republic. The New York Times and Bellingcat have both reported on its role in these activities, with Russia denying all accusations.

Related:

• Ukrainian, French cyber experts disable Russian hacker infrastructure during “EndGame” international operation
• Moscow-backed church’s priest accused of spying for Russian military intel in Kharkiv Oblast
• Germany says Russia behind massive cyberattack last year after Berlin decided to send Ukraine tanks
• LRT: Pro-Russian cyber group targets Lithuanian military system
• Russian GRU’s sabotage recruitment in Baltics exposed by journalists
• Ex-Russian GRU officer Salikov exposes Russia’s proxy Ukraine “republics” (full translation)
• Bellingcat IDs GRU agent for occupied Donetsk and possible MH17 witness (2020)