CyberUK 23: Alert over mercenary Russian threat to CNI

On the opening morning of its CyberUK conference in Belfast, the UK’s National Cyber Security Centre (NCSC) has issued an alert to operators of critical national infrastructure (CNI) across the UK, concerning the growing threat from, and impact of, cyber attacks originating from ideologically driven Russian threat actors or hacktivists.

Historically, attacks on CNI were more usually attributable to state-backed advanced persistent threat groups operating either at the behest of Russian intelligence agencies such as in the SolarWinds Sunburst incident, or financially motivated cyber criminal ransomware gangs, such as in the Colonial Pipeline incident.

However, over the past 18 months, a “new class” of Russian cyber adversary has emerged, said the NCSC: state-aligned groups that are not directly controlled by the Kremlin and are ideologically, rather than financially, motivated.

Their independence from central oversight makes them particularly dangerous as their actions are less constrained and their targeting somewhat broader.

Oliver Dowden, chancellor of the Duchy of Lancaster, who spoke at CyberUK today, described these activities as “Wagner-like”, a reference to the Wagner Group, a private mercenary army operating with the blessing of Vladimir Putin, which has been behind some of Russia’s worst atrocities in Ukraine.

“Disclosing this threat is not something we do lightly,” he said. “But we believe it is necessary … if we want these companies to understand the current risk they face, and take action to defend themselves and the country.

“These are the companies in charge of keeping our country running,” Dowden added. “Our shared prosperity depends on them taking their own security seriously. A bricks-and-mortar business wouldn’t survive if it left the back door open to criminals every night. Equally in today’s world, businesses can’t afford … to leave their digital back door open to cyber crooks and hackers.”

The NCSC said that up to now, the cyber activity of such groups has focused on distributed denial-of-service attacks, website defacements, and the spread of misinformation and propaganda, and that more of them have begun to talk about achieving a more disruptive and destructive impact, and it is likely they will look for opportunities to do so.

It said that without external assistance it was probably unlikely they currently have the capability to cause a destructive attack, but it was certainly possible that their methods could become more effective as time goes by.

The NCSC is recommending that CNI operators refamiliarise themselves with previous guidance on actions to take during periods of heightened cyber threat, and implement the measures contained therein, as well as follow its advice on secure system administration. Its Cyber Assessment Framework may also prove particularly helpful in this case.

The government, meanwhile, is expected to introduce measures imminently to bolster its ability to hold CNI operators to account over their cyber security arrangements, setting tougher resilience targets and working on plans to bring private sector operators of CNI in the scope of wider resilience regulation.