This is a reserve paper. Should it not be required to replace a paper on the main programme, it will be presented in the Small Talks room on Friday 26 September.
Alexander (Oleksandr) Adamov (NioGuard, BTH, NURE)
WhisperGate is a destructive malware campaign executed on 13 January 2022 against the government infrastructure of Ukraine. It was attributed to the Russian state-sponsored threat actor linked explicitly to the Ember Bear group by CrowdStrike on 30 March 2022 [1] and to Cadet Blizzard by Microsoft in April 2022 [2]. It was associated with Russia's Main Intelligence Directorate of the General Staff (GRU). These APT group(s) have never been seen before, and it was unclear which GRU unit this campaign was associated with. ESET, in its turn, attributed the majority of wiper attacks against Ukraine in 2022 to Sandworm, another GRU-associated APT group (Unit 74455) [3], "with varying degrees of confidence" [4].
Only two years later, in September 2024, Maryland's Grand Jury unsealed a superseding indictment [5] against five members of GRU's Unit 29155 (a.k.a. Ember Bear) and one previously charged, in June 2024, Russian civilian Amin Stigal [6] for a cyber operation called WhisperGate [7] against the Ukrainian Government services and its allies in the US and Europe – at least 26 NATO countries. It was the first time GRU's Unit 29155 was mentioned as a cyber actor.
According to Bellingcat [8], this unit is famous for its assassination and sabotage operations abroad rather than cyberattacks such as the Salisbury Poisonings – a failed assassination attempt on Sergei Skripal, a former Russian military officer and double agent for British intelligence, using a nerve agent. The attack, which also poisoned his daughter Yulia, took place in Salisbury, England, on 4 March 2018. [9]
Now that WhisperGate's attribution is well-established, we can retrospectively apply and compare different attribution approaches – manual analysis, traditional supervised machine learning classification, and LLM-powered attribution – to evaluate their effectiveness and determine which categories of Indicators of Compromise (IoCs) have the most significant impact on correct attribution decisions.
[1] https://www.crowdstrike.com/blog/who-is-ember-bear/
[2] https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/
[3] https://attack.mitre.org/groups/G0034/
[4] https://www.welivesecurity.com/2023/02/24/year-wiper-attacks-ukraine/
[5] https://www.justice.gov/opa/pr/five-russian-gru-officers-and-one-civilian-charged-conspiring-hack-ukrainian-government
[6] https://thehackernews.com/2024/06/russian-national-indicted-for-cyber.html
[7] https://www.nioguard.com/2022/01/analysis-of-whispergate.html
[8] https://www.bellingcat.com/news/uk-and-europe/2021/04/26/how-gru-sabotage-and-assassination-operations-in-czechia-and-bulgaria-sought-to-undermine-ukraine/
[9] https://en.wikipedia.org/wiki/Poisoning_of_Sergei_and_Yulia_Skripal
![]() |
Alexander Adamov Dr Alexander (Oleksandr) Adamov is the Founder and CEO of NioGuard Security Lab (nioguard.com), a cybersecurity research laboratory. With over 20 years of experience in cyber attack analysis, gained through his work in the antivirus industry, he has taught cybersecurity at the universities of Ukraine (nure.ua) and Sweden (bth.se) for the last 15 years. His laboratory focuses on applying AI and machine learning to solve cybersecurity problems. NioGuard Security Lab is a member of the Anti-Malware Testing Standards Organization (AMTSO). Dr Adamov regularly speaks at major cybersecurity events, including the Virus Bulletin Conference, OpenStack Summit, UISGCON, OWASP and BSides. |
Back to VB2025 conference page