UK names Russian FSB agents behind political hacking campaign

The government has confirmed that Russia’s Federal Security Service (FSB) is behind a long-running  hacking campaign that targeted politicians, civil servants, journalists and civil society organisations.

The Russian campaign targeted high-profile individuals with phishing emails in an attempt to obtain information to interfere with UK politics and the democratic process.

The hacking group, known as Star Blizzard or Seaborgium, has targeted politicians from multiple political parties from 2015 onwards.

The group was also responsible for leaking UK-US trade documents leaked ahead of the 2019 general election.

The Foreign Secretary David Cameron said that the UK wanted to expose Russia’s “malign attempts” to influence British politics.

“Russia’s attempts to interfere in UK politics are completely unacceptable and seek to threaten our democratic processes. Despite their repeated efforts they have failed,” he said.

Foreign Office Minister Leo Docherty told the House of Commons that Russia's ambassador had been summoned and two Russians including an FSB agent faced financial sanctions.

His comments came as the US State Department offered a reward of up to $10 million for information on members of the hacking group.

Unit 18

Computer Weekly  identified the hacking group, which is known as Callisto, ColdRiver, Tag-53, TA446 and BlueCharlie, as an FSB operation in a report last year.

An assessment by the UK’s National Cybersecurity Centre, part of GCHQ confirmed today that Star Blizzard “almost certainly” conducted cyber-attacks under the direction of the FSB’s Unit 18, which specialises in cyber espionage.

The group chooses its targets selectively and engages in thorough research and preparation, including research on social media and networking services, Docherty told the Commons.

They create false identities to approach their targets, make believable approaches and built up a rapport before delivering a malicious link to a document or a web site that would interest their target. The group predominantly targets personal email addresses.

Computer Weekly has previously reported that its victims include the former head of MI6, Richard Dearlove, after the Russian hacking group gained access to his encrypted email account.

The hacking group subsequently published 22,000 emails and documents from Dearlove and a network of 60 hard Brexit campaigners, in apparent retaliation for Boris Johnson’s support of Ukraine.

Left wing Freelance journalist, Paul Mason, who has frequently criticised Putin’s war against Ukraine was also targeted by the group and his emails leaked to the Greyzone, a pro-Russian publication in the US.

In February 2023, Scottish National Party MP Stewart McDonald disclosed that his emails had been hacked by the Russian hacking group. Other MPs have also been targeted.

Russians sanctioned

The government placed two Russian nationals on the financial sanctions list, following an investigation by the National Crime Agency in to the group’s hacking operation against the Institute for Statecraft, an NGO involved in initiatives against disinformation.

Star Blizzard compromised the Institute of Statecraft in 2018 and its founder’s email account in 2021 and leaked documents from both hacking operations.

Andrey Stanislavovich Korinets, and FSB agent Ruslan Aleksandrovich Peretyatko, were accused of being involved the preparation of spear-phishing campaigns and accessing and exfiltrating sensitive data, following an investigation into the hack.

“This action undermined, or was intended to undermine, the integrity, prosperity and security of UK organisations and more broadly the UK government,” according to a sanctions document published today.

Extensive analysis

Speaking in the Commons, Docherty said that that the government’s assessment of the perpetrators of the hacking operation was based on extensive analysis from the UK intelligence community, supported by international partners.

He said that the government had identified attempts to target people in parliament and said that  National Cyber Security Centre and the parliamentary authorities were providing enhanced security to MPs.

“The targeting of this group is not limited to politicians but public facing figures and institutions of all types. We have seen impersonation and attempt to compromise email accounts from across the public sector, universities, media, NGOs and wider civil society,” he said.

“Russia has a long established track record of reckless indiscriminate and destabilizing malicious cyber activity with impact felt all over the world,” he added.

He said that the UK and Five Eyes intelligence partners had uncovered numerous instances of Russian intelligence targeting critical national infrastructure, and had exposed cyber espionage tools aimed at sensitive targets.

The National Cyber Security issued an advisory notice on Star Blizzard on the techniques used by the group and countermeasures.