The UK and its allies have accused Russia’s military intelligence service, the GRU, of targeting political, business, media and sporting institutions in coordinated cyber attacks between 2015 and 2018.
The move comes after prime minister Theresa May said in Parliament on 5 September that the UK will work with its allies to shine a light on the activities of the GRU and expose its methods.
The UK’s National Cyber Security Centre (NCSC) has identified that a number of cyber actors widely known to have been conducting cyber attacks around the world to undermine international law and institutions are, in fact, the GRU.
The cyber attack campaigns linked to the GRU, and consequently to the Russian government, include APT 28, Fancy Bear, Sofacy, Pawnstorm, Sednit, CyberCaliphate, BlackEnergy, Strontium and more.
The NCSC has issued an advisory outlining some of the attack tools used by the GRU cyber operations and indicators of compromise to help organisations identify if they have been targeted and defend against future attacks.
“These attacks have been conducted in flagrant violation of international law, have affected citizens in a large number of countries, including Russia, and have cost national economies millions of pounds,” the Home Office said in a statement.
The NCSC found that cyber attacks orchestrated by the GRU have included attempts to undermine the World Anti-Doping Agency (WADA), disrupt transport systems in Ukraine, and destabilise democracies and target businesses.
A coordinated statement by Australian prime minister Scott Morrison and foreign affairs minister Marise Payne placed the blame on Russia for the October 2017 BadRabbit ransomware attack that hit Russia, Ukraine, Germany and Turkey, as well as for hacking the US Democratic National Committee in 2016.
The UK foreign secretary, Jeremy Hunt, said the cyber attacks served no legitimate national security interest, instead impacting the ability of people around the world to go about their daily lives free from interference, and even their ability to enjoy sport.
“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens,” he said. “This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.
“Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.
“Today, the UK and its allies are once again united in demonstrating that the international community will stand up against irresponsible cyber attacks by other governments and that we will work together to respond to them. The British government will continue to do whatever is necessary to keep our people safe.”
Rules-based international order
Australia said the rule of law applies online just as it does offline, and it would protect the “rules-based international order”.
The statement added: “Cyber space is not the Wild West. The International Community – including Russia – has agreed that international law and norms of responsible state behaviour apply in cyber space. By embarking on a pattern of malicious cyber behaviour, Russia has shown a total disregard for the agreements it helped to negotiate.”
Statements by the UK and its allies about the GRU's cyber activities coincided with revelations by security services in the Netherlands that they expelled four Russians over a cyber attack plot targeting the global chemical weapons watchdog.
The operation, also by the GRU, allegedly targeted the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague in April, according to BBC News. The OPCW has been probing the chemical attack on former Russian spy Sergei Skripal in the UK.
In February, the UK and its allies blamed Russia for the NotPetya global malware attacks. At the time, UK foreign office minister Tariq Ahmad said: “The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe, costing hundreds of millions of pounds.
“The Kremlin has positioned Russia in direct opposition to the West, yet it doesn’t have to be that way. We call on Russia to be the responsible member of the international community it claims to be, rather than secretly trying to undermine it.
“The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyber space.”
Bill Conner, CEO of security firm SonicWall, said the cyber landscape, with its non-existent borders and limitless boundaries, is forcing allies to work together in new ways.
“Today’s announcement by the UK government highlights a growing need for public and private sectors around the world to work together to detect, defend and dissipate the rising volume and ferocity of cyber attacks,” he said.
“Countries and organisations alike must prioritise the protection of their critical infrastructure, elections, energy supply chains, intellectual property and financial systems from those seeking to exploit them in this cyber arms race.”
Businesses need to do more
British businesses need to do more to defend themselves against state-sponsored cyber attacks, said Tom Kellermann, chief cyber security officer at Carbon Black.
“We found in our recent UK Threat Report that UK companies are particularly vulnerable to attack, with 92% reporting being breached,” he said. “Cyber attacks are becoming more frequent and more sophisticated, as nation state actors and crime syndicates continue to use elegant tactics like leveraging fileless attacks, lateral movement, island hopping and counter incident response in an effort to remain undetected.”
Kellermann said the recent funding announcement by the Ministry of Defence and call for a 2,000-person strong cyber capability is a step in the right direction.
“However, this capability will still largely leave companies vulnerable to attack and they will need to contend with the current threatscape,” he said. “Organisations need to follow suit on funding and building the correct capabilities to counter the increasing threat.
“This means organisations’ defensive toolsets, processes and operations must change. Now is the time to mobilise the hunt. Decreasing the dwell time of hackers must become a national imperative.”