Russia’s Most Notorious Special Forces Unit Now Has Its Own Cyber Warfare Team

Russia’s military intelligence agency, the GRU, has long had a reputation as one of the world’s most aggressive practitioners of sabotage, assassination, and cyber warfare, with hackers who take pride in working under the same banner as violent special forces operators. But one new group within that agency shows how the GRU may be intertwining physical and digital tactics more tightly than ever before: a hacking team, which has emerged from the same unit responsible for Russia’s most notorious physical tactics, including poisonings, attempted coups, and bombings inside Western countries.

A broad group of Western intelligence agencies on Thursday revealed that a hacker group known as Cadet Blizzard, Bleeding Bear, or Greyscale—one that has launched multiple hacking operations targeting Ukraine, the US, and other countries in Europe, Asia, and Latin America—is in fact part of the GRU’s Unit 29155, the division of the spy agency known for its brazen acts of physical sabotage and politically motivated murder. That unit has been tied in the past, for instance, to the attempted poisoning of GRU defector Sergei Skripal with the Novichok nerve agent in the UK, which led to the death of two bystanders, as well as another assassination plot in Bulgaria, the explosion of an arms depot in the Czech Republic, and a failed coup attempt in Montenegro.

Now that infamous section of the GRU appears to have developed its own active team of cyber warfare operators—distinct from those within other GRU units such as Unit 26165, broadly known as Fancy Bear or APT28, and Unit 74455, the cyberattack-focused team known as Sandworm. Since 2022, GRU Unit 29155’s more recently recruited hackers have taken the lead on cyber operations, including with the data-destroying wiper malware known as Whispergate, which hit Ukrainian organizations on the eve of Russia’s February 2022 invasion, as well as the defacement of Ukrainian government websites and the theft and leak of information from them under a fake “hacktivist” persona known as Free Civilian.

Cadet Blizzard’s identification as a part of GRU Unit 29155 shows how the agency is further blurring the line between physical and cyber tactics in its approach to hybrid warfare, according to one of multiple Western intelligence agency officials whom WIRED interviewed on condition of anonymity because they weren’t authorized to speak using their names. “Special forces don’t normally set up a cyber unit that mirrors their physical activities,” one official says. “This is a heavily physical operating unit, tasked with the more gruesome acts that the GRU is involved. I find it very surprising that this unit that does very hands-on stuff is now doing cyber things from behind a keyboard.”

Beyonds its previously known operations against Ukraine, Western intelligence agency officials tell WIRED that the group has also targeted a wide variety of organizations in North America, Eastern and Central Europe, Central Asia, and Latin America, such as transportation and health care sectors, government agencies, and “critical infrastructure” including “energy” infrastructure, though the officials declined to offer more specific information. The officials told WIRED that in some cases, the 29155 hackers appeared to be preparing for more disruptive cyberattacks akin to Whispergate, but didn’t have confirmation that any such attacks had actually taken place. The US Department of State in June separately revealed that the same GRU hackers who carried out Whispergate also sought to find hackable vulnerabilities in US critical infrastructure targets, “particularly the energy, government, and aerospace sectors.”

In many cases, the 29155 hackers’ intention appeared to be military espionage, according to Western intelligence agency officials. In a Central European country, for instance, they say the group breached a railway agency to spy on train shipments of supplies to Ukraine. In Ukraine itself, they say, the hackers compromised consumer surveillance cameras, perhaps to gain visibility on movement of Ukrainian troops or weapons. Ukrainian officials have previously warned that Russia has used that tactic to target missile strikes, though the intelligence officials who spoke to WIRED didn’t have evidence that 29155’s operations specifically had been used for that missile targeting.