NCSC exposes Russian cyber attacks on UK political processes

The UK’s National Cyber Security Centre (NCSC), working alongside international allies, has called out a series of sustained and, as-yet, unsuccessful attempts by Russian state-backed cyber actors to interfere in British politics and democratic processes, attributing the group responsible to Centre 18 of Russia’s Federal Security Service (FSB), the main successor agency to the Cold War KGB.

The NCSC, and its Five Eyes allies, had previously published an advisory on the group in question’s alleged activity in January 2023, but are now able to firmly attribute the campaign. They have designated the group Star Blizzard – although it has previously gone by many other names, including Cold River and Seaborgium.

Its activities have included the targeting of high-profile individuals spear phishing in a sustained campaign dating back almost a decade, the compromise of UK-US trade documents leaked before the 2019 General Election, and a cyber attack on the Institute for Statecraft anti-disinformation think tank and its founder.

Among some of its more prominent victims was a former MI6 chief who, as previously reported by Computer Weekly, saw his emails hacked and communications, including details of his involvement with a group of prominent individuals pushing for a hard Brexit, exposed.

It has also targeted universities, journalists, public sector bodies, non-governmental organisations (NGOs) and other civil society organisations.

Its ultimate aim is to selectively leak information obtained through cyber espionage and amplify its release in line with Russia’s geopolitical goals, or to undermine trust in UK politics.

“Defending our democratic processes is an absolute priority for the NCSC and we condemn any attempt which seeks to interfere or undermine our values,” said NCSC operations director Paul Chichester.

“Russia’s use of cyber operations to further its attempts at political interference is wholly unacceptable, and we are resolute in calling out this pattern of activity with our partners. Individuals and organisations which play an important role in our democracy must bolster their security and we urge them to follow the recommended steps in our guidance to help prevent compromises.”

The NCSC is today issuing revised guidance to help individuals at high risk of compromise put measures in place to protect their devices and online accounts, including taking steps to set up multifactor authentication (MFA), improve credential hygiene and install security updates to their devices.

James Babbage, National Crime Agency (NCA) director general for threats, said: “The sanctions announced today are the result of a lengthy and complex investigation by the NCA, demonstrating that hostile Russian cyber actors were behind repeated, targeted attacks designed to undermine the UK.

“This action sends a clear message to criminals targeting the UK wherever in the world they may be; we know who they are, they are not immune to our action, and we will not stop in our efforts to disrupt them,” he said. “Alongside our partners, we are determined to hold to account those who seek to threaten our national security and undermine democracy.”

Rafe Pilling of Secureworks’ Counter Threat Unit (CTU), which tracks Star Blizzard as Iron Frontier, said: “Cyber espionage has one aim: support intelligence gathering. That can be to assist domestic programs, advance political agendas or spread disinformation. Targeting MPs, NGOs, civil servants and journalists are directly aligned with these aims. Iron Frontier is directly affiliated with the FSB.

“The group has a masterful command of all the elements needed for a successful spear phishing attack, building trust with their victim to increase the chances of successfully stealing their credentials. Iron Frontier has honed its craft over the past eight years to become a sophisticated operator.”

Pilling said the group was particularly adept at playing a long game, taking its time to conduct reconnaissance and establishing convincing, multi-pronged spear phishing attacks that frequently employ fake social media accounts and other methods to build a direct personal rapport with its victims.

Its capabilities have so far been limited to open source phishing frameworks and offensive security tools, said Pilling, and its domain name and SSL certificate infrastructure is often observable due to the group’s regular use of hyphenated names using IT-related terms.