Historically, Russian GRU military unit 29155 (VCh 29155, also known as the 161st Specialist Training Center) has been involved in active measures such as subversion, assassination and sabotage. Recall that Soviet, and later Russian, active measures are covert operations aimed at influencing the policy or public opinion of third countries; they range from activities in cyberspace to "wet stuff" (assassinations, blackmail, sabotage and the like). Other well-known operations attributed to this unit include the sabotage of an arms depot in the Czech Republic (2014), the attempted coup in Montenegro (2016) and the poisoning of the Skripals in Salisbury (2018).
Although unit 29155 was known to analysts, its existence reached the general media when the unit was accused of being behind "Havana syndrome". The syndrome was first identified in 2016 among U.S. and Canadian diplomats and intelligence personnel stationed in Cuba, and its symptoms were later reported in other parts of the world. They include visual problems, vertigo and cognitive difficulties that, according to those affected, appear after hearing strange sounds. Since its discovery, the origin of Havana syndrome has been controversial: different studies have linked it to Russian intelligence activity involving new-generation weaponry, from acoustic weapons to directed energy.
In 2023, five U.S. intelligence agencies published the findings of their investigation into the origin and nature of Havana syndrome. They concluded that it was "highly unlikely" that the symptoms were caused by sound or microwaves, or that a hostile actor was involved in causing them, and that the syndrome was instead a mixture of pre-existing health problems, environmental factors and stress reactions among those reporting symptoms. However, a year after the intelligence report was published, in April 2024, a journalistic investigation concluded that the syndrome was caused by acoustic weapons, in an operation by GRU unit 29155.
Neither the intelligence community nor the scientific community has reached a consensus on the causes of Havana syndrome, and the involvement of unit 29155 is, at best, debatable. The unit's ties to other operations in the physical realm, however, seem beyond doubt.
In addition to these physical operations, for which unit 29155 was already known, the unit has recently been identified as a relevant actor in cyberspace, conducting exploitation operations but, above all, attacks on the critical infrastructure of NATO members, European countries, Latin America and Central Asia. Unit 29155 is probably the group tracked as Ember Bear, and it has been operating in cyberspace since 2020. In January 2022 it deployed the destructive WhisperGate malware against Ukrainian victims (it is worth noting that disruptive operations in cyberspace are aligned with the unit's historical objectives and its physical sabotage capabilities).
About a month ago, the U.S. Department of Justice identified unit 29155 as a hostile actor in cyberspace linked to the GRU but independent of units 26165 and 74455. The indictment also detailed the collaboration of non-GRU individuals, such as cybercriminals, in the unit's operations. The FBI has even released a "most wanted" poster with the identified members of unit 29155, shown in the image, as it did in the past with members of units 26165 and 74455.
Compared with the analysis of military units 26165 and 74455, the case of unit 29155 is particularly relevant for three main reasons. The first is the "birth" of a new unit involved in cyberspace operations. Not the discovery (other GRU units beyond 26165 and 74455 probably have cyber capabilities), but the birth: a unit historically tied to physical operations acquires cyber capabilities in 2020, with a small group of junior officers possibly recruited from CTF competitions and associating with criminal groups. Why? Probably because this reflects the competitiveness of Russian intelligence, not only between the different services but between units within each of them. Is unit 29155 coordinated with other "cyber" units such as 26165 or 74455? Are they independent military units? At the moment, this is not known.
The second noteworthy point is that unit 29155 executes active measures in both the physical and cyber domains, illustrating the Russian Information Confrontation posture. Historically the unit has been an operational unit tied to active measures in the physical realm, particularly "wet stuff". Now, allegedly, its capabilities have expanded into cyberspace, in operations of exploitation but, above all, of attack (sabotage). Since September 2024 it is possible to confirm that the GRU is blurring the line between physical and cyber tactics in its approach to hybrid warfare, as Russian military doctrine already does at the theoretical level.
The last of the relevant points is the cooperation of actors outside the GRU with the service. The U.S. indictment identifies both service officers and a civilian, Amin Timovich STIGAL. STIGAL is a Russian cybercriminal who had previously been charged by the U.S. justice system with "conspiracy to commit computer intrusions". The recent indictment against members of unit 29155 alleges that STIGAL supported the unit's activities by providing infrastructure for them. The use of non-GRU personnel is yet another example of the complexity of the Russian intelligence ecosystem and of the collaboration between its entities (a topic we discussed years ago on this blog). Unit 29155 has collaborated with third parties in the execution of physical active measures: among the best-known examples are its alleged relations with the Wagner group. Now this collaboration seems confirmed to extend to the cyber domain.
More GRU military units and capabilities in cyberspace will surely come to light in the medium term. The cyber battlefield is becoming more and more interesting.