Tag: Security

  • Disrupting Cartels: A Multi-Approach Strategy

    Military raids and high-profile arrests make headlines, but they do not end the business of cartels. Mexican and South American trafficking organizations operate like multinational corporations: diversified revenue streams, global supply chains, and deep local recruitment pipelines. Long-term disruption will require a different approach. The US must pursue strategies that make the cartel business model financially unsustainable and logistically difficult. This means combining proven tactics with fresh ideas.

    The points below are presented as broad concepts to help spark discussion, rather than full write-ups. Bullet points allow the ideas to be absorbed quickly, keep the focus on the main themes, and give room for others to share their perspectives or expand on them with their own insights.

    Hit the Money

    Cartels are profit-driven, so hitting their finances directly is one of the most effective tactics.

    • Sanctions: Use the Foreign Narcotics Kingpin Act and related tools to freeze assets and bar cartel associates from the global financial system.
    • AML enforcement: Monitor wire transfers, front companies, trade-based laundering, and crypto flows.
    • Asset forfeiture: Seize properties, accounts, and equipment tied to trafficking.
    • Gatekeeper accountability: Extend AML requirements to lawyers, accountants, and company formation agents who unintentionally aid laundering.
    Source: https://www.fbi.gov/news/stories/operation-targets-sinaloa-drug-cartel-

    Pressure the Supply Chains

    Without precursor chemicals, weapons, and reliable transport, cartel profits collapse.

    • Precursor controls: Tight licensing, end-user declarations, and transaction reporting for fentanyl and meth ingredients.
    • Transport disruption: Increase inspections at land, sea, and air points. Use risk-scoring for parcels and coordinated seizures to impose losses.
    • Weapon flow prevention: Enforce straw purchase laws, track high-volume ammo sales, and inspect southbound cargo for firearms.
    Map illustrating the flow of fentanyl precursors from China to the U.S., Mexico, and Canada, highlighting the trafficking routes used by drug cartels. Source: https://www.heritage.org/china/report/holding-china-and-mexico-accountable-americas-fentanyl-crisis

    Strengthen Law Enforcement and Legal Tools

    Treat cartels as the national security threat they are.

    • Legal designations: Label major cartels as Foreign Terrorist Organizations to unlock broader prosecution authorities.
    • Multi-charge prosecutions: Use corruption, extortion, racketeering, and terrorism statutes alongside drug laws.
    • Joint task forces: Expand US-Mexico intelligence-sharing, vetted police units, and targeted extraditions.

    Undercut Recruitment

    Cartels can replace jailed or killed members quickly. Cutting off their manpower is essential.

    • Economic investment: Develop infrastructure, job opportunities, and vocational training in high-risk regions.
    • Community programs: Support local leadership, protect activists, and fund youth initiatives.
    • Public messaging: Counter the narco “glamor” with real accounts of cartel life and its short, violent reality.
    • Exit pathways: Offer reduced sentences or amnesty for low-level members who defect.
    Map illustrating the narcotics trafficking flows and operational zones of major cartels in Mexico, highlighting cities of concentration and ports of entry. Source: https://www.start.umd.edu/tracking-cartels-infographic-series-major-cartel-operational-zones-mexico

    Leveraging Technology and Intelligence

    Modern cartels use drones, encrypted comms, and cyber tools; the response must be smarter.

    • Surveillance: Deploy drones, thermal imaging, and satellite analytics to detect labs, routes, and cultivation sites.
    • Data analysis: Use AI to flag suspicious trade, travel, or financial activity linked to trafficking networks.
    • Cyber disruption: Infiltrate encrypted networks, disable cartel IT infrastructure, and track crypto transactions.
    • Fusion centers: Integrate federal, state, and Mexican partners to rapidly act on shared intelligence.
    Members of the Jalisco New Generation Cartel in Michoacán State, Mexico, in 2022. Source: https://www.nytimes.com/2025/06/30/world/americas/sinaloa-cartel-mexico.html

    Conclusion

    Cartels are resilient because they operate across multiple domains: finance, logistics, community, and technology. Disrupting one area temporarily hurts them; attacking all at once can slowly erode their power. The US can combine financial sanctions, supply chain disruption, legal pressure, recruitment prevention, and intelligence innovation into a long-term strategy. Success will not be a single decisive victory, but a steady squeeze that makes cartel operations unprofitable and unsustainable.

  • Iranian APTs and the Next Phase of Infrastructure Risk

    In the wake of escalating tensions in the Middle East this past spring, Iranian state-sponsored hackers turned their focus toward a new frontier: US critical infrastructure.

    From May through June 2025, cybersecurity telemetry revealed a 133% surge in Iran-attributed cyber activity targeting US industrial and operational technology (OT) environments. These campaigns hit transportation and manufacturing sectors, but energy and water infrastructure remain long-standing targets. While espionage remains a primary objective, the evidence increasingly suggests Iran is preparing for more overt disruption.

    Strategic Escalation

    Iran’s cyber posture has always mirrored its geopolitical environment. In Spring 2025, that meant responding to Israeli and US airstrikes with asymmetric cyber operations. Groups like APT33 (Elfin), APT34 (OilRig), and MuddyWater (Static Kitten) ramped up traditional espionage, while more aggressive actors like CyberAv3ngers and Fox Kitten (tied to recent Pay2Key.I2P ransomware operations) pursued OT-focused sabotage and ransomware deployment.

    Iran’s messaging through pseudo-hacktivist fronts and deepening ties with ransomware operators clearly framed this activity as retaliation for “Western aggression.” That framing is part of a broader Iranian cyber doctrine that treats the compromise of critical infrastructure as a form of coercion and deterrence.

    In parallel with APT activity, pro-Iranian hacktivists ramped up operations against US defense and critical infrastructure sectors. Groups like “Mr. Hamza” claimed responsibility for defacing and leaking data tied to defense contractors, including Raytheon Technologies (RTX), following US involvement in strikes against Iranian facilities. While attribution remains murky, these operations often mirror Iranian state objectives and timelines, suggesting coordination or at least ideological alignment. The targeting of US DIB entities serves Tehran’s broader goal of projecting reach and retaliation across both digital and strategic domains.

    Pre-Positioning

    Iran’s shift toward OT environments is the most significant development.

    • MuddyWater and APT33 continued to exfiltrate intellectual property from manufacturing and defense-adjacent industries.
    • CyberAv3ngers targeted water control systems and other ICS devices with their custom malware, IOControl, discovered embedded in US and allied OT environments.
    • Fox Kitten evolved into a ransomware-as-a-service operator with an 80% (up from 70%) profit-share for affiliates targeting the US or Israel.

    Alongside collecting information, these actors are also establishing persistence. In many cases, backdoors were quietly planted and left dormant, signaling an intent for future activation should the need arise.

    Actor         | Affiliation | Focus                                             | Objective
    MuddyWater    | MOIS        | Aerospace & Defense, Utilities, Gov, Civil & NGOs | Espionage
    APT33         | IRGC        | Aerospace & Defense, Energy, Gov, Healthcare      | Espionage and Access
    CyberAv3ngers | IRGC        | Water, ICS, Finance                               | Disruption
    Fox Kitten    | Unknown     | IT/OT Gateways                                    | Ransomware-as-a-service
    OilRig        | MOIS        | Finance, Gov                                      | Credential Theft

    Implications for the US DIB

    Iran’s campaigns are displaying a willingness to target logistics, aerospace, and manufacturing suppliers that support US and Israeli defense sectors. The Defense Industrial Base (DIB) should expect more of this, not only from state-sponsored actors but from criminal or hacktivist affiliates acting on behalf of Iran’s IRGC or MOIS cyber arms.

    Some immediate implications:

    • DIB contractors should hunt for Iranian TTPs and malware like IOControl and DNSpionage.
    • OT segmentation, remote access policies, and endpoint hygiene are foundational.
    • Incident response (IR) planning must include scenario-based escalation modeling: what happens if the access Iran gains today becomes a wiper event tomorrow?

    US Response: Shields Up

    Initially, the federal response may have felt quieter than prior cyber alerts, like those issued during the Ukraine conflict, but the signals were still there.

    On LinkedIn, Jen Easterly, former CISA Director, reactivated the Shields Up mantra within hours of US strikes on Iranian nuclear sites. Her post explicitly warned US critical infrastructure operators to expect:

    • Credential theft and phishing
    • ICS-specific malware
    • Wipers masquerading as ransomware
    • Propaganda-laced hacktivist campaigns

    Easterly urged sectors to segment OT networks, patch internet-facing systems, enforce MFA, rehearse ICS isolation, and actively monitor ISAC channels.

    The various critical infrastructure-related ISACs followed suit. And while no single campaign dominated the response, the defense posture matched the moment.

    Jen Easterly emphasizes the importance of cybersecurity vigilance for US critical infrastructure in response to recent Iranian cyber activities.

    So What’s Next?

    Iran’s recent activity represents a shift in focus, not necessarily a shift in capability. The targeting of OT environments and critical infrastructure may reflect aspirational doctrine as much as operational readiness. While there’s no conclusive evidence that Iranian actors have staged disruptive payloads in U.S. networks, the direction of their targeting and tooling, particularly the development of ICS and OT-specific malware, suggests a growing interest in operational disruption, and not just information gathering.

    For the US defense and critical infrastructure communities, this creates a clear mandate to prepare for the next phase before it arrives.

    • Monitor beyond the perimeter: Iranian threat actors have historically gained access through default credentials, exposed devices, and lateral movement through flat networks.
    • Expect dual-use operations: Intelligence collection and pre-positioning are not mutually exclusive.
    • Reassess assumptions: Iranian groups are traditionally viewed as less sophisticated than Russian or Chinese APTs, but recent coordination and tooling suggest they’re evolving quickly.

    In short, we’re seeing a doctrinal pivot. Iran is exploring offensive options in OT environments, and testing how far it can go without triggering escalation. This makes detection, attribution, and sector-wide coordination more important than ever.

    References

    https://www.nozominetworks.com/blog/threat-actor-activity-related-to-the-iran-conflict

    https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol

    https://www.cisa.gov/news-events/news/joint-statement-cisa-fbi-dc3-and-nsa-potential-targeted-cyber-activity-against-us-critical

    https://therecord.media/iran-state-backed-hackers-industrial-attacks-spring-2025

  • Russia’s Void Blizzard Targets the West’s Digital Backbone

    Microsoft Threat Intelligence has surfaced a new Russia-affiliated cyber actor: Void Blizzard, also tracked as LAUNDRY BEAR. Active since at least April 2024, this group is focused on long-term espionage targeting sectors critical to Western governments, infrastructure, and policy-making.

    Void Blizzard is not just another APT clone or cluster moniker. It represents an evolution in operational flexibility and tradecraft, shifting from relying on stolen credentials bought off the dark web to more aggressive adversary-in-the-middle (AitM) phishing campaigns. These newer efforts leverage typosquatted domains mimicking Microsoft Entra portals to harvest authentication tokens and compromise enterprise identities.

    Target Profile

    Void Blizzard’s campaign focus aligns closely with Russian state priorities. It has gone after targets in:

    • Defense and government agencies
    • Transportation and healthcare infrastructure
    • NGOs, education institutions, and intergovernmental organizations
    • Media and IT service providers

    While some activity overlaps with known Russian actors like APT29, Void Blizzard appears to operate as a distinct cell, coordinating within a larger ecosystem of state-sponsored espionage.

    Notable Tactics

    • Credential-based access remains a preferred entry point, but the shift to AitM phishing is a signal of increasing confidence and offensive posture.
    • Microsoft Entra impersonation suggests a deliberate focus on trusted identity systems, highlighting how fragile authentication flows can be under targeted pressure.
    • Operational consistency across NATO states and Ukraine further indicates strategic alignment with geopolitical goals, not just opportunistic targeting.

    Analyst Comments

    If you’re in defense, energy, public health, or civil society work, Void Blizzard’s tradecraft should raise alarm bells. Organizations should be:

    • Auditing Entra ID and authentication logs for anomalies tied to session replay or suspicious SSO activity
    • Deploying phishing-resistant MFA such as FIDO2 keys
    • Training users to identify lookalike URLs and domain spoofing, particularly in password reset or login prompts
    • Tracking overlaps with other Russian campaigns, especially Star Blizzard and Midnight Blizzard, to catch infrastructure reuse or strategic convergence
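    The post describes Void Blizzard harvesting tokens through typosquatted domains that mimic Microsoft Entra sign-in portals. The following is an added example (not from the post or from Microsoft’s report) of a small detector that scans constructed proxy log lines for destination hosts that look like impersonations of Microsoft sign-in hosts. It combines a trusted-zone allowlist, homoglyph folding (rn→m, 0→o, 1→l) and an edit-distance check against known sign-in hosts, then falls back to flagging brand tokens that appear under an untrusted registrable domain. The allowlist, the homoglyph table, the log format and every hostname in the sample log are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Trusted Microsoft sign-in hosts (constructed allowlist for this example; a real
# deployment would derive this from the tenant's configured identity endpoints).
LEGIT_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
    "account.microsoft.com",
}
BRAND_TOKENS = ("microsoft", "msft", "office365", "entra")
# Visual substitutions commonly used in lookalike domains (assumed table).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize(host: str) -> str:
    """Fold homoglyph tricks so 'rnicrosoft' compares equal to 'microsoft'."""
    s = host.lower()
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def registrable(host: str) -> str:
    """Crude registrable-domain extraction: last two labels, no public-suffix list."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str):
    """Return None for a trusted host, otherwise a short reason why the host looks
    like an impersonation of a Microsoft sign-in portal."""
    host = host.lower().rstrip(".")
    trusted_zones = {registrable(h) for h in LEGIT_HOSTS}
    if host in LEGIT_HOSTS or registrable(host) in trusted_zones:
        return None                       # exact host or a subdomain of a trusted zone
    norm = normalize(host)
    dist, nearest = min((levenshtein(norm, h), h) for h in LEGIT_HOSTS)
    if dist <= 2:
        return f"lookalike of {nearest} (edit distance {dist})"
    for tok in BRAND_TOKENS:
        if tok in norm:
            return f"brand token '{tok}' under untrusted zone {registrable(host)}"
    return None


# Assumed key=value proxy log format: "... user=<name> url=<url> ..."
LOG_RE = re.compile(r"user=(?P<user>\S+)\s+url=(?P<url>\S+)")


def scan_log(lines):
    """Return (user, host, reason) for each log line whose destination host looks
    like an Entra/Microsoft sign-in impersonation."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        host = urlparse(m.group("url")).hostname or ""
        reason = classify(host)
        if reason:
            hits.append((m.group("user"), host, reason))
    return hits


# Constructed sample proxy log lines; none of this is real traffic.
SAMPLE_LOG = [
    "2025-06-02T10:14:05Z user=alice url=https://login.microsoftonline.com/common/oauth2/v2.0/authorize status=200",
    "2025-06-02T10:15:11Z user=bob url=https://login-microsoftonline.com/common/oauth2/authorize status=200",
    "2025-06-02T10:16:40Z user=carol url=https://login.rnicrosoftonline.com/ status=200",
    "2025-06-02T10:17:02Z user=dave url=https://microsoftonline.com.login-verify.net/reset status=200",
    "2025-06-02T10:18:30Z user=erin url=https://github.com/login status=200",
]

if __name__ == "__main__":
    for user, host, reason in scan_log(SAMPLE_LOG):
        print(f"{user:6} {host:40} {reason}")
```

    The trusted-zone check runs before any normalization so that legitimate hosts containing "rn" or digits are never folded into a false match; the brand-token fallback is what catches the common pattern of a legitimate-looking name buried as a subdomain of an attacker-controlled zone. In production the two-label registrable() shortcut should be replaced with a public-suffix-list lookup, or hosts such as example.co.uk will be judged by the wrong zone.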

    Final Thoughts

    Void Blizzard is not flashy, but it is serious. It demonstrates how Russia continues to evolve its cyber espionage toolkit beneath the noise of more destructive attacks. In an era of hybrid conflict, groups like Void Blizzard are the quiet operatives laying groundwork for geopolitical advantage. They definitely won’t be the last.

    See Microsoft’s full report: https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/

  • [Deep Dive] Cyber Tactics and Counterterrorism Post-9/11

    Disclaimer: This research uses data derived from open-source materials like public intelligence assessments, government publications, and think tank reports. This report is based solely on my personal insights and independent analysis. It does not contain any sensitive or classified information and does not reflect the views of my employer. This report’s purpose is to serve as an exercise in analysis and critical thinking. 

    Introduction

    Since 9/11, the global terrorism threat landscape has expanded from traditional kinetic attacks to include cyber approaches. Terrorist groups like Al-Qaeda, ISIS, Hamas, and Hezbollah have increasingly adopted digital tools for propaganda, recruitment, surveillance, and low-level cyber operations. This shift has pressured counterterrorism (CT) strategies to evolve, integrating cybersecurity, intelligence, and offensive capabilities to address both physical and digital threats.

    Evolution of Terrorist Cyber Capabilities

    In the early 2000s, jihadist groups used the internet mainly for communications and propaganda. By 2014, ISIS had transformed its online presence by actively exploiting social media and encrypted messaging apps to recruit followers, spread propaganda, and coordinate activity beyond traditional battlefields. Though their cyber skills remained limited, some supporters engaged in doxing (public release of personal information), defacements, and minor breaches. A notable case involved a Kosovo hacker passing stolen U.S. personnel data to ISIS [1]. More recently, terrorist networks have begun experimenting with AI tools for media production, reconnaissance, recruitment, and influence operations.

    Groups like ISIS-K, Hamas, and Hezbollah have explored AI-generated videos and deepfakes to amplify their messaging. Hamas has also used fake dating apps to hack phones, and Hezbollah has engaged in cyber espionage aligned with Iranian interests. These adaptations primarily support propaganda and recruitment, not large-scale cyberattacks.

    Traditional vs Cyber Terrorism

    Cyber capabilities have not replaced traditional terrorism but serve as force multipliers. Cyber tools are used to support kinetic attacks, plan operations, and magnify impact. Examples include cyber-assisted target identification and using drones for surveillance or attacks. Analysts conclude that terrorists aim to pair physical destruction with digital disruption. These tactics are not unique to Middle Eastern or Islamic extremist terrorist groups; they are also employed by modern Russian intelligence in support of its war against Ukraine.

    Counterterrorism Strategy Shifts

    1. Cybersecurity integration: Governments treat cyber as central to CT. Coordination between state agencies and the private sector protects critical infrastructure (ISACs, CISA, InfraGard, etc.).
    2. Digital Intelligence and Surveillance: Intel agencies use AI and data analytics to monitor online radicalization and terrorist planning. Tools flag extremist content and behaviors on encrypted platforms.
    3. Offensive Cyber Operations: States have launched direct cyberattacks on terrorist infrastructure. Operation Glowing Symphony by US Cyber Command disrupted ISIS media operations [2].
    4. Online Radicalization Prevention: Governments promote alternative narratives and partner with communities to counter online extremism.
    5. Infrastructure Protection and Crisis Response: CT planning now includes simulations of cyber-physical attacks. Agencies collaborate to ensure emergency response continuity.

    Persistent Challenges

    One of the primary challenges in countering cyber-assisted terrorism is actor attribution. In cyberspace, it is often difficult to determine who is behind an attack, especially when threat actors use anonymization techniques or false flag operations. A disruption to infrastructure or a breach of data may originate from a lone hacker, a terrorist cell, or a hostile state, complicating response strategies and legal recourse. This ambiguity forces intelligence agencies to closely examine digital footprints, motives, and affiliations before responding, often in real time.

    Resource limitations and skill gaps also slow down effective CT operations in cyber. Traditional law enforcement and CT units often lack the deep technical expertise needed to triage malware, decrypt communications, or conduct forensics on seized devices. Recruiting and retaining cyber talent remains difficult for public agencies, especially as adversaries continue to innovate rapidly using widely available technology. The widespread use of encrypted communication platforms like Telegram and Signal compounds the problem, allowing terrorists to organize and recruit while remaining hidden from surveillance.

    Another pressing issue is the overwhelming volume of data. Every day, analysts must sift through massive amounts of online content to detect meaningful threats. AI tools can assist but are prone to false positives and blind spots, sometimes flagging harmless content or missing cleverly disguised plots. Legal and jurisdictional barriers further complicate enforcement efforts, especially when attackers operate across multiple countries. Existing laws are often outdated or inconsistent with the pace of modern cyber threats. Finally, terrorist groups remain highly adaptive, quickly shifting tactics, platforms, and tools in response to enforcement measures. This constant innovation challenges even the most capable security agencies, requiring them to remain agile and proactive in their strategies.

    Conclusion/Policy Implications

    Cyberterrorism has not replaced traditional terrorism but increasingly complements it. CT efforts now require a holistic approach integrating digital capabilities with conventional methods. Policymakers should focus on:

    • Cross-sector partnerships
    • Legal modernization
    • Investment into talent and tech
    • Infrastructure resilience

    The post-9/11 period demonstrates that success in CT depends on anticipating how terrorists will exploit emerging technologies and being ready to disrupt both their online and offline operations.

    References

    [1] Doxing and Defacements: Examining the Islamic State’s Hacking Capabilities – Combating Terrorism Center at West Point

    [2] https://icct.nl/sites/default/files/2023-01/Chapter-29-Handbook-.pdf

    https://icct.nl/publication/exploitation-generative-ai-terrorist-groups

    https://www.theguardian.com/world/2018/jul/03/israel-hamas-created-fake-dating-apps-to-hack-soldiers-phones

    https://www.dhs.gov/sites/default/files/2024-10/24_0930_ia_24-320-ia-publication-2025-hta-final-30sep24-508.pdf

  • COLDRIVER’s New LOSTKEYS Malware Targets Western Officials

    Summary

    Between Jan and Apr 2025, suspected Russian FSB-linked threat group COLDRIVER delivered LOSTKEYS malware using a fake CAPTCHA to target Western officials, journalists, think tanks, and NGOs.

    Russian Threat Group COLDRIVER Deploys LOSTKEYS Malware Targeting Western Entities

    The Russian state-sponsored threat group COLDRIVER (aka UNC4057, Callisto, and Star Blizzard) has expanded its cyberespionage toolkit with the addition of a new malware strain dubbed LOSTKEYS. According to Google’s Threat Intelligence Group (GTIG), this development marks a significant evolution from COLDRIVER’s usual credential phishing tactics to more sophisticated malware development.

    Evolution of Tactics

    Historically, COLDRIVER focused on credential phishing campaigns targeting high-profile individuals in NATO governments, NGOs, and former intelligence and diplomatic officials. The threat group’s primary objective has been intelligence collection in support of Russian strategic interests. More recent activities observed in early 2025 indicate a shift towards deploying more custom malware to further enhance their data exfiltration capabilities.

    Introduction of LOSTKEYS

    LOSTKEYS was designed to steal files from predefined directories and file types, as well as send system information and running processes back to the threat actors. The malware is delivered through a multi-stage infection chain that begins with a lure website featuring a fake CAPTCHA. Once a target interacts with the CAPTCHA, they’re then prompted to execute a PowerShell script, starting the malware installation process. This method, known as “ClickFix”, involves socially engineering targets to copy, paste, and execute malicious PowerShell commands. The technique has been gaining increased notoriety as various other threat actors have begun leveraging it.
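    The ClickFix chain described above ends with the victim pasting a PowerShell command into a Run dialog or shell themselves, so the telemetry that catches it is process creation, not email. The following is an added example (not GTIG’s detection logic or anything from the post) of a defender-side triage rule over constructed process-creation records: it flags a script host launched from an interactive parent such as explorer.exe whose command line carries flags that rarely appear in a legitimate interactive launch, and it decodes any -EncodedCommand payload so the same patterns can be checked against the plaintext. The event shape, the parent/host lists, the pattern table and the sample events are all assumptions made for this example.

```python
import base64
import re
from dataclasses import dataclass

# Flags and cradles that rarely appear in a legitimate interactive PowerShell launch
# (assumed pattern table; tune against your own baseline).
SUSPICIOUS_PATTERNS = [
    (re.compile(r"(?i)(^|\s)-(w|win|windowstyle)\s+hidden"), "hidden window"),
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+\S+"), "encoded command"),
    (re.compile(r"(?i)\b(iex|invoke-expression)\b"), "dynamic code evaluation"),
    (re.compile(r"(?i)(downloadstring|invoke-webrequest|\biwr\b|\bcurl\b)"), "download cradle"),
    (re.compile(r"(?i)-nop\b|-noprofile|-ep\s+bypass|-executionpolicy\s+bypass"), "profile/policy bypass"),
]
INTERACTIVE_PARENTS = {"explorer.exe"}   # Win+R Run dialog and shell launches appear under explorer.exe
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    """Minimal shape of a process-creation record (the fields Sysmon EID 1 or
    Security 4688 would supply; assumed for this example)."""
    user: str
    parent_image: str
    image: str
    command_line: str


def decode_encoded_command(command_line: str):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = re.search(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(3)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: ProcessEvent):
    """Return (launched_from_interactive_parent, [matched pattern labels])."""
    image = ev.image.lower().rsplit("\\", 1)[-1]
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    if image not in SCRIPT_HOSTS:
        return False, []
    text = ev.command_line
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + " " + decoded      # scan the decoded payload as well
    reasons = [label for pat, label in SUSPICIOUS_PATTERNS if pat.search(text)]
    return parent in INTERACTIVE_PARENTS, reasons


def find_clickfix_candidates(events):
    """Alert only on the ClickFix shape: interactive parent AND at least one suspicious flag."""
    hits = []
    for ev in events:
        interactive, reasons = score_event(ev)
        if interactive and reasons:
            hits.append((ev.user, ev.image, reasons))
    return hits


# Constructed sample events. The encoded payload is a harmless Write-Host built here
# so the example runs offline; it is not a real ClickFix command.
SAMPLE_ENC = base64.b64encode("Write-Host 'constructed ClickFix sample'".encode("utf-16le")).decode()
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent("alice", r"C:\Windows\explorer.exe", PS_PATH, "powershell.exe"),
    ProcessEvent("bob", r"C:\Program Files\Editor\code.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh.exe -NoProfile -File build.ps1"),
    ProcessEvent("carol", r"C:\Windows\explorer.exe", PS_PATH, f"powershell.exe -w hidden -enc {SAMPLE_ENC}"),
]

if __name__ == "__main__":
    for user, image, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{user}: {image} -> {', '.join(reasons)}")
```

    The parent-process condition is what keeps the rule quiet: a build tool launching pwsh with -NoProfile (bob) matches a pattern but not the interactive parent, and a user simply opening PowerShell from the Start menu (alice) matches the parent but no pattern. Only the combination, which is exactly the shape of a pasted ClickFix command, produces an alert.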

    Targets and Objectives

    COLDRIVER’s recent campaigns have targeted current and former advisors to Western governments, militaries, journalists, think tanks, NGOs, and individuals connected to Ukraine. The group’s operations aim to gather intelligence that aligns with Russian strategic interests. In some cases, COLDRIVER has been linked to hack-and-leak campaigns targeting officials in the UK and NGOs.

    Analyst Comments:

    The evolution of COLDRIVER from basic credential phishing to deploying custom malware like LOSTKEYS emphasizes a broader trend in Russian cyberespionage: the increasing willingness to burn bespoke tools in pursuit of higher value intelligence collection. The shift seems to suggest mounting pressure on Russian intelligence services to deliver actionable insights amid ongoing geopolitical tensions, particularly related to NATO support for Ukraine and Western policy responses.

    Through their targeting of advisors, think tanks, and NGOs, COLDRIVER is focusing on influencers and policy shapers, not just government officials. This indicates a strategic effort to preempt or shape foreign policy decisions. Their adoption of techniques like ClickFix also signals an emphasis on user-driven execution, a smart bypass of traditional email defenses and endpoint controls. As we’ve seen in the past, employees are the weakest link in an organization’s security posture.

    For network defenders, this campaign highlights the importance of defense-in-depth strategies, user education (a must), and proactive threat hunting. The fact that COLDRIVER now deploys malware directly onto victim systems raises the stakes for organizations previously focused only on account compromise prevention.

    In short, COLDRIVER’s operational pivot is just another reminder that cyberespionage groups adapt faster than most defensive postures. Organizations in policy-adjacent sectors should assume they are in the targeting scope, even if they don’t handle classified information, and adjust security postures accordingly.

    Reference(s) and Further Reading:

    https://cloud.google.com/blog/topics/threat-intelligence/coldriver-steal-documents-western-targets-ngos

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a

    https://home.treasury.gov/news/press-releases/jy1962

  • The Escalation of GRU Unit 29155: Espionage and Sabotage Tactics

    Disclaimer: This post is based on unclassified, open-source reporting and reflects my personal analysis and interpretations. The views expressed here are my own and do not represent the views or positions of my employer.

    Background

    Russian GRU military intelligence Unit 29155 (aka Cadet Blizzard, Ember Bear, FrozenVista, UNC2589) is a covert subunit of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), primarily tasked with conducting high-stakes and clandestine operations abroad. Established under the GRU, Unit 29155 gained public attention due to its involvement in activities that align with Russia’s asymmetric warfare objectives, particularly in Europe, Ukraine, and NATO-affiliated regions. Unit 29155 operates in several domains, from traditional espionage and sabotage to cyber operations.

    Unit 29155 has significantly intensified operations since 2020, pivoting from covert actions in Europe toward a greater emphasis on cyber operations with a focus on undermining Ukraine and NATO allies through espionage, data manipulation, and sabotage.

    Primary TTPs

    • Espionage and Data Theft
      • Unit 29155 conducts extensive espionage campaigns aimed at gathering intelligence from NATO countries, European Union members, and multiple nations in Latin America and Central Asia. They’ve exploited critical infrastructure and government systems, leveraging reconnaissance tools like Nmap and Shodan to scan for vulnerabilities and gather intelligence [2].
      • Sensitive information obtained through these operations is occasionally leaked or shared publicly in order to damage the reputations of their victims as part of influence efforts [3].
    • Destructive Operations
      • Unit 29155 was tracked as the group deploying the destructive WhisperGate malware, disguised as ransomware but meant to erase victim data. This wiper was used to target Ukrainian governmental and critical infrastructure entities. This activity provided evidence of a clear shift to sabotage tactics aligned with Russian military objectives early in the Russia/Ukraine conflict.
      • Destructive attacks have also been directed towards logistics operations supporting Ukraine, as seen in repeated attacks against infrastructure crucial to NATO and EU support for Ukraine [2].
    • Infrastructure Scanning/Domain Enumeration
      • Unit 29155 engaged in over 14,000 documented cases of domain scanning, targeting NATO infrastructure and EU entities. The scanning has been described as preparatory, often identifying weak points for later exploitation efforts. Open-source and custom tools like Acunetix, WPScan, and VirusTotal were commonly used for this reconnaissance [3].
    • Cybercriminal Overlap
      • Not wholly unique to Unit 29155, but rather the broad spectrum of Russian state-sponsored APT groups, researchers report collaboration with known cybercriminal elements, employing non-GRU actors to facilitate operations. This working relationship extends the group’s reach and allows it to exploit technical expertise outside formal military ranks while obscuring attribution. It is also believed that this particular unit consists of primarily junior personnel and so may operate at a less sophisticated level than other groups like APT28 or APT29 [4].

    Mitigations and Recommendations

    Cyber defenders across critical sectors are encouraged to implement mitigations against known tactics:

    • Prioritize patching of known vulnerabilities and enforce multi-factor authentication (MFA).
    • Monitor networks for unusual scanning or reconnaissance activity and segment networks to mitigate lateral movement, post infiltration.
    • Use intrusion detection tools to monitor for technical indicators of compromise (IOCs) relating to Unit 29155.
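    The page describes Unit 29155’s preparatory scanning (over 14,000 documented domain-scanning cases, using tools such as Acunetix and WPScan) and recommends monitoring for unusual reconnaissance. The following is an added example (not from the advisories cited here) showing two simple detections a defender can run over their own logs: a sliding-window port-sweep detector over constructed firewall deny records, and a scanner-fingerprint check over constructed web-server access lines. The log formats, thresholds, IP addresses and user-agent strings are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed firewall log format: "<iso-ts> action=<a> src=<ip> dst=<ip> dport=<port>"
FW_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)
# Assumed combined-format web log; we only need the client IP and the User-Agent.
WEB_RE = re.compile(r'^(?P<src>[\d.]+) .*"(?P<ua>[^"]*)"$')
# Scanner names that identify themselves in the User-Agent (assumed list).
SCANNER_UA = re.compile(r"(?i)acunetix|wpscan|nikto|sqlmap|masscan|nmap")


def detect_port_scans(lines, window=timedelta(minutes=5), min_ports=20):
    """Return {src: max_distinct_ports} for sources touching >= min_ports distinct
    destination ports within any `window`-long span of their own traffic."""
    by_src = defaultdict(list)
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        by_src[m["src"]].append((ts, int(m["dport"])))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):           # sliding window over time-ordered events
            while evs[right][0] - evs[left][0] > window:
                left += 1
            distinct = {port for _, port in evs[left:right + 1]}
            if len(distinct) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def detect_scanner_agents(lines):
    """Return sorted (src, tool) pairs for requests whose User-Agent names a known scanner."""
    found = set()
    for line in lines:
        m = WEB_RE.match(line)
        if not m:
            continue
        hit = SCANNER_UA.search(m["ua"])
        if hit:
            found.add((m["src"], hit.group(0).lower()))
    return sorted(found)


def constructed_firewall_log():
    """Build sample firewall lines: one source sweeping 25 ports in under a minute,
    one source doing ordinary HTTPS traffic. Constructed data, not real traffic."""
    base = datetime(2025, 5, 20, 3, 0, 0, tzinfo=timezone.utc)
    sweep_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995,
                   1433, 1521, 3306, 3389, 5432, 5900, 8080, 8443, 8888, 9200, 27017]
    lines = []
    for i, port in enumerate(sweep_ports):
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} action=deny src=203.0.113.7 dst=198.51.100.10 dport={port}")
    for i, port in enumerate([443, 443, 80, 443]):
        ts = (base + timedelta(minutes=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} action=allow src=192.0.2.5 dst=198.51.100.10 dport={port}")
    return lines


# Constructed web access lines; the user-agent strings are illustrative, not captured.
WEB_LOG = [
    '192.0.2.5 - - [20/May/2025:03:10:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0"',
    '203.0.113.9 - - [20/May/2025:03:10:05 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "WPScan v3.8 (https://wpscan.com/wordpress-security-scanner)"',
    '203.0.113.12 - - [20/May/2025:03:11:40 +0000] "GET /login HTTP/1.1" 200 880 "-" "Mozilla/5.0 (compatible; Acunetix Web Vulnerability Scanner)"',
]

if __name__ == "__main__":
    print("port sweeps:", detect_port_scans(constructed_firewall_log()))
    print("scanner agents:", detect_scanner_agents(WEB_LOG))
```

    The user-agent check is cheap but only catches tools that announce themselves; a scanner configured with a browser-like agent string will pass it, which is why the volumetric port-sweep rule, which depends on behaviour rather than self-identification, is the one worth keeping even when it needs per-network tuning of the window and threshold.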

    Unit 29155’s evolution highlights a blend of traditional espionage with enhanced cyber and sabotage capabilities, particularly in relation to high-stakes geopolitical targets. The expanded use of cyber tactics shows the importance for affected nations and organizations of maintaining vigilance and robust cyber defenses.

    References

    [1] https://www.fbi.gov/wanted/cyber/gru-29155-cyber-actors

    [2] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3895808/

    [3] https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/russian-military-cyber-actors-target-us-and-global-critical-infrastructure

    [4] https://www.rferl.org/a/germany-gru-russia-cyber-warning/33112764.html