Full Report
The three Russian hackers are believed to be part of Unit 29155 of the GRU, also known as Cadet Blizzard, Ember Bear and Ruinous Ursa.
Analysis Summary
# Threat Actor: Nikolay Korchagin, Vitaly Shevchenko, and Yuriy Denisov (GRU Unit 29155)
## Attribution & Identity
The threat actors are three Russian nationals: Nikolay Korchagin, Vitaly Shevchenko, and Yuriy Denisov.
They are identified as members of the Russian General Staff Main Intelligence Directorate (GRU) **161st Specialist Training Center (also known as Unit 29155)**.
## Activity Summary
The individuals were sanctioned by the Council of the EU for their involvement in a **2020 cyber espionage operation targeting Estonian government agencies**. The operation consisted of cyber-attacks with a significant effect, directed against Estonia, carried out to gain illegal access to computer systems.
## Tactics, Techniques & Procedures
- Conducting intelligence activities directed against Estonia.
- Illegally gaining access to computer systems.
- Breaching several Estonian ministries, including the **Ministry of Economic Affairs and Communications** and the **Ministry of Social Affairs**.
- *Specific TTPs or MITRE ATT&CK IDs were not detailed in the provided context beyond the high-level description of espionage and unauthorized access.*
## Targeting
- **Sectors:** Government/Public Administration (Ministries).
- **Geography:** Estonia.
- **Victims:** Estonian government agencies, specifically the Ministry of Economic Affairs and Communications and the Ministry of Social Affairs.
## Tools & Infrastructure
- **Malware families used:** Not specified in the context.
- **Infrastructure (C2, domains, IPs):** Not specified in the context.
## Implications
The imposition of EU sanctions against these individuals highlights a recognized pattern of Russian state-sponsored cyber espionage activities targeting EU member states, specifically focusing on intelligence gathering against critical government functions. This suggests an ongoing, persistent cyber threat from GRU-affiliated units toward European national institutions.
## Mitigations
- Enhanced security monitoring and incident response protocols within Estonian government ministries.
- Strict access controls and segmentation to limit lateral movement following successful intrusions into ministerial networks.
- Continuous monitoring for indicators related to known GRU/Unit 29155 activity against similar government targets.