Russian GRU Unit 29155 is best known for its long list of murder and sabotage ops, which include the Salisbury poisonings in England, arms depot explosions in Czechia, and an attempted coup d’etat in Montenegro. But its activities in cyberspace remained in the shadows — until now. After reviewing a trove of hidden data, The Insider can report that the Kremlin's most notorious black ops squad also fielded a team of hackers — one that attempted to destabilize Ukraine in the months before Russia's full-scale invasion.
xxx
The Fifth Service of Russia's domestic security agency, or FSB, is widely understood to have been the main Russian intelligence organ tasked with destabilizing Ukraine in advance of the February 2022 invasion. And indeed, on December 1, 2021, and January 25, 2022, there were reports that coup attempts — likely backed by Moscow — were in the works. Now, new evidence shows that GRU Unit 29155 was involved in similar efforts, pioneering tactics in Ukraine it is now employing on a much broader scale in its escalating “shadow war” against the West.
In August 2021, five months before Russia's full-scale invasion, Unit 29155’s hackers attempted to exacerbate a rift between Ukraine's nationalist groups and the Zelensky administration. Soldiers from many of Kyiv’s most effective units, which had been fighting off Russian forces in the Donbas since 2014, were less than enthusiastic about their president. In 2019, a visit by Zelensky to the front lines resulted in an on-camera argument between the head of state and members of the Azov Battalion. In 2021, Zelensky was still politically vulnerable to protest and pressure from nationalist elements in Ukraine, including those opposed to his campaign pledge to end the war in the east by making concessions to the Kremlin.
Adhering to the familiar formula of false-flag operations, Stigal recruited dozens of low-level assets to impersonate members of the Azov Battalion – one of Ukraine's best paramilitary outfits, but also a group that had faced scrutiny in the West over the right-wing tendencies of some of its members. He went further and engaged with at least two top commanders in Azov, impersonating a leader of the Chechen dissident Ichkeria organization, which is opposed to Chechnya's warlord-president Ramzan Kadyrov, and offering them an alliance against Zelensky. Duped by Stigal, at least one of the Azov commanders accepted the offer of help.
xxx
The hackers searched for vulnerabilities in government agencies and critical infrastructure sites in Uzbekistan, Georgia, Czechia, Slovakia, Estonia, Poland, Moldova, and Armenia, the Aegaeon logs show. Of the hundred or so known targets of Unit 29155, a third were in Czechia, where operatives from the same GRU unit blew up two Ministry of Defense-owned ammunition warehouses in Moravia in 2014. The majority of requests from the servers are from 2021 and 2022, after which the hacking either significantly decreased or Unit 29155 simply discarded the Aegaeon server in favor of others.
Among the phones that the hackers checked for call records and metadata were not only the objects of their professional interest, but those of acquaintances and relatives. One target was Zhana Barskaya, the mistress of Unit 29155 commander Andrey Averyanov. Judging by the phone numbers they were interested in, it is clear that the hackers were also avid readers of this publication.
When The Insider published a story in January of this year about Unit 29155 suborning Afghan couriers to pay Taliban militants to attack U.S. and coalition forces in Afghanistan, the hackers scanned the number of Ivan Senin, one of the directors of the bounty program, within 24 hours of the article's release.