GRU: Military Unit 54777

The main units of the Russian GRU engaged in cyberspace operations have been discussed in this blog: from our old posts (from 2018) about units 26165 and 74455 to the recent rise of unit 29155. All these units have something in common beyond their cyberspace capabilities: they have been assigned an APT group name. Military unit 26165 is commonly referred to as APT28, unit 74455 is known as Sandworm Team and unit 29155 is named Ember Bear (note the confusion around APT group nomenclature, discussed elsewhere in this blog). However, not all GRU units operating in cyberspace have the honor of an APT group name. This post presents unit 54777, a GRU military unit engaged in PSYOP (also through cyberspace) which, until now, has had no particular common name.

The Soviet Union, and now Russia, has a long history of disinformation and psychological warfare. In fact, the aim of Information Confrontation is to influence the perception and behavior of the enemy, the population and the international community. Psychological warfare has been used from the roots of Soviet intelligence, under spymaster and Cheka founder Felix DZERZHINSKI, to the current Ukrainian conflict. One fact highlights the relevance of psychological warfare in modern Russia: Aleksandr Gennadyevich STARUNSKY, a former commander of military unit 54777, was appointed by Vladimir PUTIN to the Scientific Council under the Security Council of the Russian Federation.

The Soviet GRU, and the whole Soviet Red Army, considered special propaganda part of their active measures. Although propaganda was supposed to influence enemy troops, the Soviet regime used it to strengthen the spirit of its own troops. When the Soviet Union collapsed, the Special Propaganda Directorate, responsible for military psychological operations, was transferred into the GRU, and a few years later, in 1994, it was established as military unit 54777. This transfer was not merely bureaucratic: it made Russian PSYOP more aggressive than during Soviet times. While in Soviet times special propaganda units operated only during military operations, after the transfer operations began to be carried out “in peace time and war time”.

Military unit 54777 (VCh 54777, 72nd Special Service Center, 72nd Main Intelligence Information Center, GRITs, or Foreign Information and Communications Service) is still responsible for the GRU’s PSYOP. A detailed description of this unit, together with historical Soviet propaganda efforts and current Russian psychological warfare, can be found on the Agentura website and in Aquarium Leaks (Inside the GRU’s Psychological Warfare Program).

Among its most notable operations, unit 54777 has been involved in disinformation campaigns related to the 2014 annexation of Crimea, the Syrian civil war and the Ukraine conflict. In peacetime, this unit has been involved in propaganda campaigns during elections in Europe and the United States, as well as in disinformation campaigns related to the COVID-19 pandemic.

In addition to conventional PSYOP, unit 54777 has both SIGINT and cyberspace capabilities. On the SIGINT side, unit 54777 gathers and analyzes communications to produce intelligence that can be used in further disinformation and influence campaigns. In the cyber arena, this unit complements cyberspace operations with more than digital PSYOP: its activities include supporting other GRU cyber units, creating and disseminating fake versions of their cyberspace operations, and operating at the tactical level by conducting electronic warfare and psychological operations.

Unit 54777 conducts most of its online operations through social media, an activity which began with the Maidan revolution. In addition to social media, this unit spreads disinformation and manipulates public opinion through online digital platforms and public forums. It works through several front organizations, including InfoRos and the Institute of the Russian Diaspora, founded by Aleksandr Gennadyevich STARUNSKY. These are “information agencies” focused on political, economic and social life in the Russian Federation and other former Soviet republics, posting both in Russian and in English.

Unit 54777 is probably located within the GRU 12th Directorate, which focuses on information operations. It is believed to be overseen by unit 55111; in fact, Aleksandr Gennadyevich STARUNSKY, former commander of unit 54777, was the deputy commander of unit 55111 when he was appointed to the Scientific Council. According to open sources, military unit 54777 has, or has had, subordinate units performing PSYOP in every Russian military district in addition to the Moscow one:

  • PSYOP Leningrad Military District, military unit 03126, located in Leningrad region.
  • PSYOP Central Military District, military unit 03138, located in Yekaterinburg.
  • PSYOP Southern Military District, military unit 03128, located in Rostov-on-Don.
  • PSYOP Eastern Military District, military unit 03134, located in Khabarovsk.

A characteristic feature of all these units is their emblem: a combination of the international symbol for psychology, Ψ (“Psi”), and a red carnation, the heraldic symbol of Russian military intelligence, as shown in the image below (from the Agentura website):

GRU: military unit 29155

Historically, the Russian GRU military unit 29155 (VCh 29155, 161st Specialist Training Center) has been involved in active measures such as subversion, assassination or sabotage. Recall that Soviet or Russian active measures are covert operations aimed at influencing the policy or public opinion of third countries. These measures range from activities in cyberspace to “wet stuff” (assassinations, blackmail, sabotage…). Other famous operations of this unit include the sabotage of an arms depot in the Czech Republic (2014), a coup in Montenegro (2016) and the attempted poisoning of the Skripals in Salisbury (2018).

Although unit 29155 was known to analysts, its existence reached the mainstream media when the unit was accused of causing the “Havana Syndrome”. This syndrome was identified among U.S. and Canadian diplomats and intelligence personnel stationed in Cuba in 2016, and the same symptoms later appeared in other parts of the world. They include visual problems, vertigo or cognitive difficulties that manifest, according to those affected, after hearing strange sounds. Since its discovery, the origin of Havana syndrome has been controversial. Different studies have associated it with Russian intelligence activities related to new-generation weaponry, from acoustic weapons to directed energy.


Proximity operations in cyberspace

In the field of cyberspace operations, most attack or exploitation operations are remote, i.e. they are carried out using technologies that allow the hostile actor not to be physically close to its target: access via VPN, a malicious email or link that installs an implant in the victim, a remote vulnerability that is successfully exploited, etc. But a small percentage of operations require a physical approach between the hostile actor and its target: these are proximity operations, also called Sneaker Operations or CACO (Close Access Cyberspace Operations).

Crypto AG CX-52. Source: Wikipedia.

When not everything was connected to the Internet, proximity operations were almost the only way to access the target’s systems or information: to steal information you had to place a bug or a camera by sneaking into a building at night, modify a supply chain, or position yourself in a building across the street from the target’s premises, to give a few examples. Some signals intelligence acquisition actions required this proximity, and proximity obviously implied a significant risk of being neutralized, with all the implications that neutralization can have. Some well-known examples of proximity operations for signals intelligence acquisition involve (allegedly) the French DGSE implanting bugs in the business seats of Air France flights between Paris and New York, the Soviets (allegedly) giving a Great Seal with an implant to the US ambassador to the USSR, or Germans and Americans (allegedly) manipulating Crypto AG cipher devices in Operation Rubicon.


From intelligence to threat detection

Threat detection is largely based on indicators of compromise. These indicators are observables that we identify while managing an incident or during an investigation, that we receive from third parties as intelligence feeds, that we download from platforms such as MISP, that we share among working groups… in short, either we discover them or someone else does. But where do these indicators come from? One way or another, indicators, a fundamental part of the characterisation of a threat (actor, operation…), come from intelligence analysis. In this article we discuss the path from intelligence gathering to the generation of indicators of compromise that detect a threat. This path is summarised in the figure below:

We all know that the various intelligence disciplines play a fundamental role in detecting threats in cyberspace. In the cyber domain, each of these disciplines (simplifying: SIGINT, MASINT, HUMINT, OSINT and GEOINT) has a specific weight and value, and together they form the basis of what we call cyber intelligence. For example, the role of signals intelligence tends to be much more important than that of geospatial intelligence, and human sources contribute much less intelligence than signals, but much more value if well managed.


Exploiting APT data for fun and (no) profit (IV): conclusions

Posts in the series “Exploiting APT data for fun and (no) profit”:
=> I: acquisition and processing
=> II: simple analysis
=> III: not so simple analysis
=> IV: conclusions

Now you have some evidence-based tips for your APT talks (don’t forget to use them together with Sun Tzu’s “Art of War” quotes); with some more time, you can reach more stupid, or more interesting, conclusions about threat groups’ activities, interests and origins. And by exploiting other datasets (MITRE ATT&CK, here we go!) we can expand those conclusions.

Some key points we can conclude after this little data analysis:

  • It seems clear that Russia plays in the APT Champions League. It is the most active country in all kinds of threat activity, from sabotage to espionage or financial gain.
  • The leading threat group is also Russian: Turla, operating for almost a quarter of a century (in this case we can confirm it is still active) and with targets in a long list of countries and sectors.
  • The threat group most loved by analysts is also Russian: APT28. Maybe for this reason it is the threat group with the most synonyms.
  • The number of threat actors with CNA capabilities has increased in recent years, once again with Russia leading the ranking.
  • Apart from the classical players, two actors have been particularly active in recent years: Iran and North Korea.
  • It would be interesting to identify a parameter for threat groups, something like “last time seen”, in order to calculate the number of years a group has been active.
  • Using different, vendor-dependent names for the same threat actor makes analyzing data somewhat chaotic. In this sense, MISP’s UUID for each group (https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json#L2434) is a good effort, as @adulau noted.
  • With some imagination and gnuplot you can have your own APT Magic Quadrant for marketing purposes.
  • Disclaimer: this is just a simple blog post, not a scientific paper, so don’t expect unquestionable statements here!
  • And the most important conclusion: AWK is your friend. Remember:

Exploiting APT data for fun and (no) profit (III): (not so) simple analysis

Once we have answered some silly and simple questions, it’s time to ask more complex ones, so let’s imagine…

Have CNA threat actors increased their activity in recent years?

In the simple questions we concluded that sabotage and destruction are not the most common motivations among threat groups. But those are the ones we are interested in. Let’s see them over time:

for i in `grep "Sabotage and destruction" [0-9]*.txt|awk -F: '{print $1}'`; do grep \"meta\",\"date\"\] $i|awk '{print $2}'|sed 's/\"//g';done|awk '{a[$0]++}END{for(k in a){print k,a[k]}}' >years.cna

Plotting the results, we have:

gnuplot> set boxwidth 0.5
gnuplot> set xtics 1
gnuplot> set ytics 1
gnuplot> set yrange [0:5]
gnuplot> plot 'years.cna' with boxes

Since 2012 the number of these threat actors has increased significantly: 9 out of 14 groups appeared in the last eight years, so we can say it is a growing trend. Out of curiosity, the oldest group with CNA capabilities is dated 2001. Can you guess its name? Yeah… Equation Group.


Exploiting APT data for fun and (no) profit (II): simple analysis

Once we have processed the gathered information we can start our analysis by asking the silly and simple questions we often wonder about. Let’s go.

Which groups have the most synonyms?

The silliest question I always wonder about is why we use so many names for the same actor. Which group has the most names? Let’s see:

$ for i in [0-9]*.txt; do c=`grep synonyms\", $i|grep -vi operation|wc -l `; echo $c $i;done |sort -n|tail -1
18 233.txt
$

The result is “233.txt”, which corresponds to APT 28, with 18 synonyms; second in the ranking, with 16 names, is Turla. Coincidentally, both are from Russia (we will see some curiosities about Russia later).

Apart from that, a personal opinion: 18 names for the same group! Definitely, once again, we need a standard for threat actor names. This can be the first sentence of your next APT talk: where is an ISO committee when you need one?

Which groups are from my country?

Well, outside the well-known actors… how many groups are from my country? The ISO 3166-1 code for Spain is ES, so let’s look for Spanish threat actors with a simple command, as well as for threat actors from other relevant countries:

$ grep \"country\" [0-9]*.txt|grep -w ES
$ grep \"country\" [0-9]*.txt|grep -w DE
$ grep \"country\" *.txt|grep -w IL
183.txt:["values",183,"meta","country"] "US,IL"
$

No identified groups from Spain… well, I’m sure there is a technical explanation: Spanish groups are so stealthy that they are hard to discover, and their OPSEC is so strong that, if discovered, attribution is impossible. For sure! But what about Germany? Where is your Project Rahab now? And what about Israel, with only one sad appearance, together with the US? Yes, it’s Stuxnet, but only a single appearance… I hope you are as good as the Spanish groups: nobody can discover you, and attribution is impossible :) Another sentence for your APT talks: among the stealthiest countries we can find Germany, Israel… or Spain.
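The three questions answered with shell and awk one-liners in parts II and III (which group has the most synonyms once names containing “operation” are discarded, which groups come from a given country when the country field can hold several comma-separated codes such as “US,IL”, and how many CNA-motivated groups appear per first-seen year) can be answered directly from the JSON export, without the intermediate flattening into numbered .txt files. The following Python script is an added example, not code from the posts or from ThaiCERT: the entries are constructed with placeholder group names, and the key layout (“values” → “meta” → synonyms/country/date/motivation) is assumed to mirror the fields the posts grep through, so adjust the key names if the real export differs.

```python
"""Answer the APT-data questions from parts II and III straight from JSON.
Added example; the sample below is constructed and the meta key names are
assumptions modelled on the fields visible in the posts' grep commands."""
import json
from collections import Counter

# Constructed sample export with placeholder group names (not real data).
SAMPLE_JSON = json.dumps({"values": [
    {"value": "Example Bear", "meta": {"country": "RU", "date": "2004",
        "synonyms": ["Sample Sofa", "Fancy Example", "Operation Pawn", "Example Storm"],
        "motivation": ["Information theft and espionage"]}},
    {"value": "Example Snake", "meta": {"country": "RU", "date": "1996",
        "synonyms": ["Sample Uroburos", "Example Venom"],
        "motivation": ["Information theft and espionage"]}},
    {"value": "Example Worm", "meta": {"country": "RU", "date": "2009",
        "synonyms": ["Voodoo Example"],
        "motivation": ["Sabotage and destruction"]}},
    {"value": "Example Chollima", "meta": {"country": "KP", "date": "2014",
        "synonyms": ["Hidden Example", "Example Cobra"],
        "motivation": ["Sabotage and destruction", "Financial gain"]}},
    {"value": "Example Equation", "meta": {"country": "US", "date": "2001",
        "synonyms": [], "motivation": ["Sabotage and destruction"]}},
    {"value": "Example Games", "meta": {"country": "US,IL", "date": "2010",
        "synonyms": ["Operation Example"],
        "motivation": ["Sabotage and destruction"]}},
    {"value": "Example Kitten", "meta": {"country": "IR", "date": "2014",
        "synonyms": ["Sample Kitten"],
        "motivation": ["Sabotage and destruction"]}},
]})


def load_groups(text):
    """Parse the export and return a list of (group name, meta dict) tuples."""
    data = json.loads(text)
    return [(g["value"], g.get("meta", {})) for g in data["values"]]


def synonym_ranking(groups, skip_operations=True):
    """Synonyms per group, sorted by count (desc) then name. skip_operations
    mirrors the posts' `grep -vi operation`: campaign names are not aliases."""
    ranking = []
    for name, meta in groups:
        syns = meta.get("synonyms", [])
        if skip_operations:
            syns = [s for s in syns if "operation" not in s.lower()]
        ranking.append((len(syns), name))
    return sorted(ranking, key=lambda t: (-t[0], t[1]))


def groups_from_country(groups, code):
    """Groups whose country field contains `code` as a whole token. The field
    may list several codes separated by commas, as in "US,IL", which is why a
    plain substring test (or grep without -w) would be wrong."""
    code = code.upper()
    out = []
    for name, meta in groups:
        tokens = {c.strip().upper() for c in meta.get("country", "").split(",") if c.strip()}
        if code in tokens:
            out.append(name)
    return out


def cna_groups_per_year(groups, motivation="Sabotage and destruction"):
    """Map first-seen year -> number of groups carrying the given motivation."""
    years = Counter()
    for _, meta in groups:
        if motivation in meta.get("motivation", []) and meta.get("date"):
            years[str(meta["date"])[:4]] += 1   # keep only the year of an ISO date
    return dict(years)


def gnuplot_table(counts):
    """Render the counts as the 'year count' lines years.cna feeds to gnuplot."""
    return "\n".join(f"{y} {n}" for y, n in sorted(counts.items()))


def growth_since(counts, year):
    """(groups first seen in or after `year`, total groups) for the trend claim."""
    recent = sum(n for y, n in counts.items() if int(y) >= year)
    return recent, sum(counts.values())


if __name__ == "__main__":
    groups = load_groups(SAMPLE_JSON)
    print("most synonyms:", synonym_ranking(groups)[0])
    print("ES groups:", groups_from_country(groups, "ES"))
    print("IL groups:", groups_from_country(groups, "IL"))
    print(gnuplot_table(cna_groups_per_year(groups)))
    print("since 2012:", growth_since(cna_groups_per_year(groups), 2012))
```

Redirecting gnuplot_table() to a file reproduces the years.cna input used with `plot 'years.cna' with boxes`; the only behavioural difference from the one-liners is that the country check tokenises on commas explicitly instead of relying on grep’s word boundaries.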


Exploiting APT data for fun and (no) profit (I): acquisition and processing

When attending talks about APT (or when giving them) you sometimes hear sentences like “most threat actors are focused on information theft” or “Russia is one of the most active actors in the APT landscape”. But where do all those sentences come from? We have spent a whole night exploiting APT data for fun and (no) profit, in order to provide you with some curiosities, facts and data that you can use from now on in your APT talks!! :)

Since 2019 the folks at ThaiCERT have published the free PDF book “Threat Group Cards: A Threat Actor Encyclopedia”, and they maintain an online portal (https://apt.thaicert.or.th/cgi-bin/aptgroups.cgi) with all the information about APT groups acquired from public sources. In this portal, apart from browsing threat groups and their tools, they present some statistics about threat group activity (source countries, target countries and sectors, most used tools…). Most of these threat groups are considered APT (at the time of writing, 250 out of 329, with the last database change on 20 October 2020).

But what happens when you need specific statistics or correlations? You can download a JSON file and exploit it yourself:

$ curl -o out.json 'https://apt.thaicert.or.th/cgi-bin/getmisp.cgi?o=g'

IOCs are dead, long live IOCs!

An Indicator of Compromise (IOC) is defined as a piece of information that can be used to identify the potential compromise of an environment: from a simple IP address to a set of tactics, techniques and procedures used by an attacker in a campaign. Although when we speak of IOC we always tend to think of indicators such as IP or domains, the concept goes beyond this, and depending on their granularity, we can find three types of indicators:

  • Atomic indicators: those that cannot be broken down into smaller parts without losing their usefulness, such as an IP address or domain name.
  • Calculated indicators: those derived from data involved in an incident, such as a hash of a file.
  • Behavioral indicators: those that, derived from the processing of the previous ones, represent the behavior of an attacker: his tactics, techniques and procedures (TTP).
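The three granularities translate into three different matching strategies, which is why a behavioral indicator survives an attacker changing an IP address or recompiling a binary while an atomic or calculated one does not. The following Python snippet is an added example, not the post’s own code: it runs atomic matching (exact IP and domain), calculated matching (a SHA-256 digest computed from a file seen in an earlier incident) and behavioral matching (an Office application spawning a shell, followed by an outbound connection from the same host within a short window) over a handful of constructed telemetry events. The event fields, the addresses (documentation ranges) and the Office/shell process names are assumptions made for the example.

```python
"""Atomic, calculated and behavioral indicators matched over sample telemetry.
Added example; events, addresses and process names are constructed."""
import hashlib

# Constructed sample telemetry (not real logs): process, file and network events.
EVENTS = [
    {"ts": 100, "host": "ws01", "type": "net", "dst_ip": "203.0.113.10",
     "domain": "update.example-bad.test"},
    {"ts": 101, "host": "ws02", "type": "file", "path": "C:\\Users\\u\\x.exe",
     "bytes": b"MZ-constructed-sample"},
    {"ts": 102, "host": "ws02", "type": "proc", "parent": "winword.exe",
     "image": "powershell.exe"},
    {"ts": 110, "host": "ws02", "type": "net", "dst_ip": "198.51.100.7", "domain": ""},
    {"ts": 120, "host": "ws03", "type": "proc", "parent": "explorer.exe",
     "image": "powershell.exe"},
    {"ts": 125, "host": "ws03", "type": "net", "dst_ip": "192.0.2.5",
     "domain": "intranet.test"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}   # assumed parent set
SHELLS = {"powershell.exe", "cmd.exe"}                        # assumed child set

# Atomic indicators: values that are useful on their own (IP, domain).
ATOMIC_IOCS = {"dst_ip": {"203.0.113.10"}, "domain": {"update.example-bad.test"}}

# Calculated indicator: a digest derived from incident data. Here it is computed
# from the constructed sample bytes so the value is derived, not hard-coded.
CALCULATED_IOCS = {hashlib.sha256(b"MZ-constructed-sample").hexdigest()}


def match_atomic(events, iocs=ATOMIC_IOCS):
    """Exact equality of a single observable against the indicator set."""
    hits = []
    for ev in events:
        for fld, values in iocs.items():
            if ev.get(fld) in values:
                hits.append((ev["ts"], ev["host"], fld, ev[fld]))
    return hits


def match_calculated(events, hashes=CALCULATED_IOCS):
    """Recompute the digest of every observed file and compare it."""
    hits = []
    for ev in events:
        if ev.get("type") == "file":
            digest = hashlib.sha256(ev["bytes"]).hexdigest()
            if digest in hashes:
                hits.append((ev["ts"], ev["host"], ev["path"]))
    return hits


def match_behavioral(events, window=60):
    """Office application spawning a shell, followed by an outbound connection
    from the same host within `window` seconds. No single field identifies the
    attacker; the indicator is the sequence, so it is matched per host in time
    order and does not depend on which IP or binary was used."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    hits = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["type"] == "proc" and ev["parent"] in OFFICE_APPS and ev["image"] in SHELLS:
                for later in evs[i + 1:]:
                    if later["type"] == "net" and later["ts"] - ev["ts"] <= window:
                        hits.append((host, ev["ts"], later["ts"]))
                        break
    return hits


if __name__ == "__main__":
    print("atomic:", match_atomic(EVENTS))
    print("calculated:", match_calculated(EVENTS))
    print("behavioral:", match_behavioral(EVENTS))
```

Note that ws03 also runs PowerShell and also connects outbound, but its parent is explorer.exe, so the behavioral rule stays quiet: the TTP-level indicator encodes the relationship between events, which is what gives it a longer useful life than the IP or hash it was derived from.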

CNA Tactics: a first proposal

(Editor’s note: this post was originally published in the Spanish version of Security Art Work on 11th November 2019)

Today we have a doctrinal and somewhat metaphysical article, i.e., something dense. Be warned :)

Within CNO (Computer Network Operations) we find three types of capabilities or actions: CND, CNA and CNE (Defense, Attack and Exploitation respectively).

While CND obviously deals with the defense of technological environments against attacks that are also technological —not against a missile that hits a datacenter—, CNE operations and capabilities focus on the acquisition and exploitation of information through networks and computers: what we currently call cyber espionage. For its part, CNA, Computer Network Attack, refers to what is often identified with purely destructive operations (the famous “4D”: disrupt, deny, degrade and destroy).

Any actor that executes CNO operations develops TTP (Tactics, Techniques and Procedures) to achieve its objectives; without going into the more formal definitions of the US military literature, tactics specify what an actor does, techniques specify how a tactic is implemented and procedures define a particular implementation —depending even on the person who applies them— of that tactic; this approach, from the higher level to a more operational level, models the behaviour of an actor, something similar to what is usually called its modus operandi.
