FBI offers $10m reward for location of Russian hackers

The Federal Bureau of Investigation (FBI) has offered a $10 million reward for the location of six Russian nationals recently charged by the U.S. Department of Justice (DoJ) for their involvement in criminal cyber activities toward networks in Ukraine and pro-Ukrainian countries.

The five Russian Main Intelligence Directorate (GRU) officers and one civilian are alleged to be members of the GRU’s Unit 29155, the unit believed to be responsible for the 2022 deployment of destructive WhisperGate wiper malware in Ukraine and other attacks on computer systems around the world.

Other intelligence sources indicate that the unit may have also been responsible for attempted coups, sabotage, influence operations, and assassination attempts throughout Europe before it began engaging in cyber operations in 2020.

Image 1: Wanted poster for five GRU officers and Russian national wanted for criminal cyber activities.

According to the DOJ, Unit 29155 is comprised of junior GRU officers who rely on the expertise of known cybercriminals and other civilians to help facilitate their malicious activities, which include everything from website defacements and infrastructure scanning to data exfiltration and data leak operations.

The unit usually begins its campaigns by scanning target networks to find vulnerabilities in products like Atlassian Confluence Server and Data Center, Dahua Security, and Sophos' firewalls. The vulnerabilities are then exploited to gain access to victim environments, followed by the use of Impacket for post-exploitation and lateral movement, ultimately ending in the exfiltration of sensitive data.

Source: The Hacker News

Analysis

The reward offered by the FBI is largely symbolic as it’s unlikely that Russian authorities would ever hand the six individuals over nor would they willingly travel outside Russia since GRU officers are subject to travel bans.

Instead, the reward is intended to warn young Russian hackers considering a career with the GRU or Federal Security Service (FSB) that, if caught by Western intelligence or law enforcement, they will be confined to Russia and its few remaining allies.

The indictment of these Russian nationals will temporarily disrupt Unit 29155’s activities by exposing its tactics, techniques, and procedures (TTPs) and forcing the unit to re-tool and examine the operational security failures that led to the identification of its officers.

However, U.S. indictments of Russian intelligence officers for their roles in malicious cyber campaigns are nothing new and historically have not had a lasting impact on the GRU’s long-term operations

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for threats from advanced cyber actors emanating from countries like Russia. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose. Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect recommends that governments and organizations in Ukraine, and those in support of Ukraine, adopt a heightened security posture towards cybersecurity given the threat posed by Russian state-sponsored cyber actors such as Unit 29155.

We encourage all organizations to review the U.S. Cybersecurity & Infrastructure Security Agency (CISA) ShieldsUp program, which provides robust guidance for preparing, responding to, and mitigating the impacts of Russian state-sponsored cyberattacks.

Related Articles

• U.S government warns pro-Russian hacktivists targeting critical infrastructure
• Russian APT28 hackers breach Ukrainian government email servers
• Russian hackers use PowerShell USB malware to drop backdoors