On September 5, 2024, CISA together with the FBI, NSA, and international partners published a joint advisory that shifts the operational conversation for defenders. The product attributes sustained computer network operations against critical infrastructure to cyber actors affiliated with the Russian General Staff Main Intelligence Directorate, specifically Unit 29155, and publishes TTPs and IOCs for immediate use by network defenders.

The advisory ties Unit 29155 cyber activity to destructive and espionage-focused campaigns that date back to at least 2020, including the deployment of the WhisperGate data wiper in Ukraine. That attribution is reinforced by related Department of Justice actions that unsealed indictments and charged individuals tied to GRU cyber operations. Together, the reporting makes clear these are not isolated criminal nuisances. They are state-directed campaigns with both intelligence and sabotage objectives.

Technically, the advisory is practical and mapped to the MITRE ATT&CK framework so security teams can test controls against real tradecraft. The document catalogs common footholds and escalation techniques, and demonstrates how initial access is frequently achieved through phishing, exploitation of exposed services, and abuse of legitimate cloud infrastructure and tooling. The agencies also note reliance on non-GRU actors and criminal enablers to extend reach and operational scale. These are canonical nation-state behaviors masquerading as criminal opportunism.

The operational picture reported by U.S. and allied partners shows two concurrent risks. First, scanning and reconnaissance against logistics, industrial, and public sector targets can precede espionage that shapes kinetic operations. Second, destructive malware and data-wiping campaigns are a real sabotage threat to the availability of services. Reporting from defense and press outlets indicates the actors probed infrastructure both abroad and within U.S.-connected systems prior to and during larger campaigns, underscoring why early detection matters.

CISA and partners do not leave readers without concrete mitigations. The advisory recommends hardening steps that every defender should prioritize now: enforce multi-factor authentication, accelerate patching for internet-facing systems, deploy and tune endpoint detection and response, restrict use of administrative privileges, enable robust logging and centralized collection of telemetry, and validate that backups are offline and recoverable. Critically, the guidance encourages organizations to map the advisory’s ATT&CK techniques to their security controls and then exercise those controls at scale.

For operational technology and industrial control system owners, the risk model varies but the mitigations are familiar: segment OT from IT, remove or tightly control remote access, inventory and isolate internet-exposed control interfaces such as VNC, and impose strict change control and monitoring. The advisory’s emphasis on testing and validation applies strongly to OT environments, where recovery complexity is higher and the safety stakes are kinetic as well as digital.

Beyond immediate defensive work, the DOJ indictments and public agency coordination reveal another layer: legal and diplomatic levers matter. Naming and charging operators constrains some behaviors and supports public-private information sharing. But indictments will not stop low-cost exploitation or opportunistic hacktivist actions. Defense must therefore be layered and forward leaning, combining hardening, continuous monitoring, threat hunting, and resilient recovery planning.

If you run security for a critical infrastructure organization, start with a three-step sprint. First, run an emergency exposure sweep for internet-facing services and known-vulnerable software and remediate the highest risk within 72 hours. Second, ensure MFA and privileged access controls are fully enforced and verify backup integrity offline. Third, map the ATT&CK techniques from the advisory to your detection rules and schedule tabletop exercises that simulate the TTPs described in the document. Organizations that treat this advisory as a checklist will be safer, but those that treat it as a playbook for adversary emulation will gain the most operational resilience.
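As an added illustration of the third sprint step and of the advisory's call to map ATT&CK techniques to controls (this is example code written for this commentary, not tooling from CISA or the advisory), the script below scores a detection-rule inventory against a technique list and produces a prioritized backlog. The rule inventory is constructed; the technique IDs are real ATT&CK identifiers chosen from the behaviors this piece names (phishing, exposed-service exploitation, VNC, wipers), not the advisory's own technique table.

```python
"""Added illustration (not CISA tooling): check a detection-rule inventory against
the ATT&CK techniques an advisory names. Target list constructed from this text."""
from collections import defaultdict

# Constructed target list (the ATT&CK IDs themselves are real).
ADVISORY_TECHNIQUES = {
    "T1566": "Phishing",
    "T1190": "Exploit Public-Facing Application",
    "T1021.005": "Remote Services: VNC",
    "T1485": "Data Destruction",
    "T1561": "Disk Wipe",
}

# Constructed rule inventory: rule name -> ATT&CK tags it claims to detect.
DETECTION_RULES = {
    "email-attachment-macro": ["T1566.001"],
    "web-shell-write": ["T1190", "T1505.003"],
    "vnc-inbound-from-it-segment": ["T1021"],
    "mass-file-delete-burst": ["T1485"],
}

def parent(tid):
    """T1021.005 -> T1021; a parent technique maps to itself."""
    return tid.split(".")[0]

def coverage(techniques, rules):
    """covered: a rule is tagged with the technique or one of its sub-techniques;
    partial: only the parent of a sub-technique is tagged; gap: nothing at all."""
    by_parent = defaultdict(set)
    for tags in rules.values():
        for t in tags:
            by_parent[parent(t)].add(t)
    status = {}
    for tid in techniques:
        tags = by_parent[parent(tid)]
        if tid in tags or any(t.startswith(tid + ".") for t in tags):
            status[tid] = "covered"
        elif "." in tid and parent(tid) in tags:
            status[tid] = "partial"
        else:
            status[tid] = "gap"
    return status

def backlog(techniques, rules):
    """Uncovered techniques for the sprint, full gaps before partial coverage."""
    status = coverage(techniques, rules)
    rank = {"gap": 0, "partial": 1}
    return sorted((t for t in status if status[t] != "covered"),
                  key=lambda t: (rank[status[t]], t))
```

With the constructed inventory, Disk Wipe has no rule at all and the VNC sub-technique is only covered at the parent level, so those two head the backlog while the tabletop exercise can start from the covered techniques.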

This advisory is a timely warning. The combination of state-directed intent, available destructive tooling, and a willingness to leverage criminal partners increases both the frequency and severity of risks to critical infrastructure. Treat the guidance as an urgent set of actions, not optional best practices. If defenders do not adapt, the gap between cyber and kinetic effects will continue to narrow and the consequences for public safety will grow.