Network Security

GRU-backed cyberattacks: What they are, how to defend against them

The most notorious cyber-attack groups are those backed by the Russian GRU. For those who are unfamiliar, the GRU is the Main Directorate of the General Staff of the Armed Forces of the Russian Federation. These threat actors have been active for some time, including the attacks against the Democratic National Committee, the 2016 presidential campaign, a U.S. nuclear facility, an international chemical weapons non-proliferation organization, and many others.

In 2018, five GRU officers were indicted as being part of activities associated with APT28. The U.S. Department of State recently floated a $10 million reward for anyone with knowledge that leads to the "identification or location" of six Russian GRU officers.

While most enterprises don’t consider themselves targets of such advanced threat actors, this would be a serious mis-assessment. Any company that works within any of the critical infrastructure industries, which include sectors such as healthcare, energy, and financial services, are at risk. Additionally, these advanced threat actors publicly release some of their advanced cyber munitions, enabling everyday cyber criminals to easily take advantage and integrate them within their own campaigns.

CISA’s warnings about Russia

According to an advisory issued by theCybersecurity and Infrastructure Security Agency (CISA) and similar agencies from many other nations, Russian state-sponsored threat actors have shown themselves to be quite capable of breaching networks and gaining persistence on those networks, in addition to stealing data and disrupting operations when there.

“Historical operations have included deployment of destructive malware—including BlackEnergy and NotPetya—against Ukrainian government and critical infrastructure organizations. Recent Russian state-sponsored cyber operations have included DDoS attacks against Ukrainian organizations,” CISA’s advisory said.

According to CISA, the threat actors following the GRU include:

  • The Russian Federal Security Service (FSB), including FSB’s Center 16 and Center 18
  • Russian Foreign Intelligence Service (SVR)
  • Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS)
  • GRU’s Main Center for Special Technologies (GTsST)
  • Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)

GTsSS, also known as Unit 26165, has operating since at least 2004, according to CISA.

This means that they’ve gathered information on their targets following years of reconnaissance and either have a presence in these sites, or they know how to build a presence fast. These groups also have spent years gathering information on executives, technical leaders and administrators, and others within targeted organizations. We should also know that these groups spent a considerable number of resources finding zero days in the software these companies use and the software supply chain, typically open source, that much of the modern software ecosystem is built upon.

Mounting a defense

Any organization that hopes to successfully defend itself against threat actors such as those backed by the GRU need to master security basics, from vulnerability and attack surface management to effective identity management and governance through effective detection, defense, and response. Good frameworks to model the security program against include the NIST Cybersecurity Framework, the Center for Internet Security Controls, the Cloud Security Alliance Cloud Controls Matrix, and many others.

Mature programs that are modeled after such frameworks should be well defended against many adversaries, but the reality is that skilled adversaries will likely find a way through. For effective defense against such adversaries, additional attention needs to be focused on zero-day attack identification and incident response. This will typically demand good intrusion detection and response ability, malware detection and containment, network traffic analysis, and good threat intelligence.

One example is VMware’s NSX Distributed Firewall, which provides effective network detection and response capabilities  as determined by its Triple A rating from SE Labs. It’s functionality, such as segmentation/micro-segmentation, and signature and behavioral-based IDS/IPS, as well as network sandboxing, network traffic analysis, and network event correlation, help place enterprise security professionals in a better position to respond to advanced nation-state backed threats.

With the skills nation state backed attackers have, it’s a near certainty that the best planned defenses will be bypassed, enabling the advanced threat actors to begin employing their tradecraft within the organization’s IT environment. Once inside, they will do what most attackers do, but only with great skills, tools, and exploits needed to do so clandestinely.

VMware can help protect modern IT environments against APTs due to the security platform’s ability to cost-effectively secure east-west traffic. With VMware’s ATP offerings for the NSX Distributed Firewall, enterprises can provide themselves persistent observability, defense, and response against APT and nation-state backed attackers, such as those aligned with the GRU.

In fact, VMWare NSX helps to automate and operationalize many facets of defense, so enterprises remain on the best security footing possible. VMware NSX Intelligence provides dynamic firewall security policy settings based on the actual observed traffic patterns seen between networked assets, which helps operators, security and infrastructure teams to microsegment their internal traffic and drastically reduce the internal addressable attack surface.

Defending one’s IT environment against advanced threat actors is hard work, but with the right tools, framework, and determination to build a mature security program, it can be done.

George V. Hulme

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at From

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.