Russian GRU agents behind several reckless cyber attacks: NCSC
4 October 2018
The National Cyber Security Centre said today that it has evidence to prove that Russia’s premier military intelligence agency GRU was behind a large number of “indiscriminate and reckless cyber attacks” on political institutions, businesses, media, and sports organisations.
These cyber attacks were carried out by GRU agents in flagrant violation of international law, affected citizens and organisations in a large number of countries, and cost national economies millions of pounds. A number of these cyber attacks targeted the World Anti-Doping Agency (WADA), political institutions to destabilise democracies, and businesses to disrupt economic progress.
“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.
“Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability,” said Foreign Secretary Jeremy Hunt.
GRU supporting almost all major Russian hacker groups
The NCSC announced that a number of well-known Russian hacker groups that have caused mayhem across the world in the past few years are composed of GRU agents and are therefore, actively supported by the Russian government. These hacker groups include APT 28, Fancy Bear, Sofacy, Pawnstorm, STRONTIUM, Sandworm, Sednit, CyberCaliphate, Voodoo Bear, Cyber Berkut, and BlackEnergy Actors.
The NCSC added that it can state with “almost certainty” that GRU agents were behind the BadRabbit Ransomware that caused operational disruptions in Ukrainian and Russian organisations such as Kyiv metro, Odessa airport and Russia’s central bank, the cyber-attack on WADA’s Anti-Doping Administration and Management system in 2017, the cyber-atttack on the U.S. Democratic National Committee in 2016, and the theft of multiple email accounts of a small UK-based TV station between July and August 2015.
The cyber security watchdog added that it can state with “high confidence” that GRU agents were also behind the destructive cyber attack in 2017 that targeted the Ukrainian financial, energy and government sectors but spread further affecting other European and Russian businesses.
It added that Russian state-sponsored actors were also behind the spread of the VPNFILTER malware that “infected thousands of home and small business routers and network devices worldwide. The infection potentially allowed attackers to control infected devices, render them inoperable and intercept or block network traffic”.
Commenting on the NCSC’s announcement, Malcolm Taylor, Director Cyber Advisory at ITC Secure and a former senior British Intelligence Officer, told TEISS that it is unprecedented that the government should so overtly point the finger directly at the GRU. They must be very confident of their facts, either due to some sort of technical ‘fingerprint’ in the attack vectors themselves, or perhaps through corroboration from various other intelligence sources.
He added that it’s also important to consider who benefits from attacks against these specific targets – WADA, Ukraine and the West in general. The answer to that question of course includes, and may indeed be limited to, Russia and Russian foreign policy interests. The mention of western businesses as targets should also be a reminder that foreign intelligence services do engage in commercial cyber espionage and we all need to take appropriate steps to manage that risk.
GRU agents were also behind the Salisbury incident
This isn’t the first time that UK government officials or agencies have implicated GRU agents for carrying out cyber attacks and other actions in violation of international laws. Last month, speaking at the Billington Cybersecurity Conference in Washington, Jeremy Fleming, the director of GCHQ, said that GRU agents were behind the nerve agent attack on Sergei and Yulia Skripal in Salisbury and the subsequent tragic poisonings in Amesbury.
“It’s worth remembering that this is the first time we’re seeing a nerve agent used in Europe since World War 2. That’s really sobering. It demonstrates just how reckless the Russian state is prepared to be. But as the Prime Minister said yesterday, we will not tolerate such barbaric acts against our country.
“Since March, the police, with the support of the intelligence community, have led a painstaking and highly complicated investigation into what happened in Wiltshire. We’ve ascertained who exactly was responsible and the methods they used. And as you’d expect, teams from across GCHQ worked tirelessly with partners at home and abroad to ensure that our world-class intelligence was informed about the incident and yesterday, I was pleased to see two GRU operatives were named and arrest warrants issued.
“The threat from Russia is real and it’s active and it will be countered by a strong international partnership of allies able to deploy the full range of tools from across our national security apparatus and ready to reject the Kremlin’s brazen determination to undermine the international rules-based order,” he said.