UK and US accuse Russian spooks of Georgia cyber attacks

The UK and US governments have pinned a series of large-scale and highly disruptive cyber attacks against targets in Georgia – including web hosting providers, government bodies, courts, non-governmental organisations (NGOs), media organisations and private sector businesses – on Russia’s military intelligence service, the GRU.

The Foreign Office said the National Cyber Security Centre (NCSC) had assessed to a high degree of probability (over 95%) that the GRU was responsible for the 2019 attacks, which formed part of a long-running campaign of hostile and destabilising activity conducted by Russia against Georgia in recent years.

The two countries fought a brief war in August 2008 over the Russia-backed separatist republics of Abkhazia and South Ossetia, which are internationally recognised as part of Georgia.

The Foreign Office said the UK was clear that the GRU had conducted cyber attacks as part of an attempt to undermine Georgia’s sovereignty, sow discord, and disrupt day-to-day life, and reaffirmed the UK’s support for Georgia’s sovereignty and territorial integrity.

“The GRU’s reckless and brazen campaign of cyber attacks against Georgia – a sovereign and independent nation – is totally unacceptable,” said foreign secretary Dominic Raab.

“The Russian government has a clear choice: continue this aggressive pattern of behaviour against other countries or become a responsible partner which respects international law.

“The UK will continue to expose those who conduct reckless cyber attacks and work with our allies to counter the GRU’s menacing behaviour.”

US secretary of state Mike Pompeo said: “This action contradicts Russia’s attempts to claim it is a responsible actor in cyber space and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries. These operations aim to sow division, create insecurity and undermine democratic institutions.

“The United States calls on Russia to cease this behaviour in Georgia and elsewhere. The stability of cyber space depends on the responsible behaviour of nations.

“We, together with the international community, will continue our efforts to uphold an international framework of responsible state behaviour in cyber space.”

The NCSC said the group responsible for the attacks was run by the GRU’s Main Centre of Special Technologies (GSsST), and goes by various names, including Sandworm, BlackEnergy Group, Telebots and VoodooBear.

The group often works in support of Russia’s ongoing campaign against Ukraine, and among some of its higher-profile actions were two different attacks in December 2015 and December 2016 against Ukraine’s electricity grid and the autumn 2017 BadRabbit ransomware attack against targets in Ukraine and elsewhere.

The group is arguably most infamous for the highly destructive NotPetya attacks in June 2017, which at first also targeted Ukrainian organisations but spilled over to attack companies around the world, perhaps most notably Danish shipping giant AP Moller-Maersk, which incurred costs of more than £200m as a result.

The same unit is also strongly suspected of operating the Fancy Bear – also known as APT28 or Strontium – hacking group, which was behind attacks on the World Anti-Doping Agency (Wada) that saw the medical data of athletes leaked, and on the US Democratic National Committee (DNC), which ultimately saw confidential documents make their way into the hands of WikiLeaks.

Mike Beck, global head of threat analysis at Darktrace, said: “The UK security services’ concerns are right on the money – but this is about even more than destabilising government. Geopolitical tensions are spiralling out into cyber space and we are seeing an escalation in politically motivated attacks that seek mass disruption.

“In the past, if nation states and cyber criminals wanted to make a point, they would go after other nation states. Now they go after everything else too – from mainstream media to charities and private companies. Nation states are stress-testing organisations at scale and sniffing around for vulnerabilities. It turns out that almost all systems are vulnerable.”

Beck added: “The threat from cyber warfare will be an ongoing challenge for every single modern organisation around the world.”