UK pins 'reckless campaign of cyber attacks' on Russian military intelligence
We know it was GRU
The UK government this morning pointed the finger at Russian military intelligence for a litany of cyber nasties.
In the bulletin, the UK government's National Cyber Security Centre (NCSC) declared that a range of attacks blamed on the Kremlin are actually the work of Russian military intelligence, GRU.
This comes in the wake of long-standing concerns that Russia was breaking international norms in cyberspace. The document, speaking for intelligence chiefs in the UK and its closest allies, has publicly blamed the Kremlin for hacking the US Democrat Party during the country's 2016 presidential election and much more.
GRU (not to be confused with the Despicable Me character) is "engaged in indiscriminate and reckless cyber attacks targeting political institutions, businesses, media and sport", the alert stated. It continued:
The National Cyber Security Centre (NCSC) has identified that a number of cyber actors widely known to have been conducting cyber attacks around the world are, in fact, the GRU...
Cyber attacks orchestrated by the GRU have attempted to undermine international sporting institution WADA, disrupt transport systems in Ukraine, destabilise democracies and target businesses.
This campaign by the GRU shows that it is working in secret to undermine international law and international institutions.
The UK and US governments previously blamed the Kremlin for the NotPetya and VPNFilter attacks, based on assessments by their respective intel agencies. The rap sheet was lengthened today when it blamed the country for the BadRabbit ransomware attack of October 2017, the hack on anti-doping agency WADA and the hack and leak of documents against the Democratic National Committee during the US presidential election campaign two years ago.
NCSC assessed with "high confidence that the GRU was almost certainly responsible" for all three attacks. The same level of confidence is attached to a "hack against email accounts belonging to a small (unnamed) UK-based TV station".
Following today’s exposure of past Russian cyber campaigns, we have published guidance to help mitigate against the tactics they use. This is technical advice for the network defender community https://t.co/d7oTom6jx5— NCSC UK (@NCSC) October 4, 2018
The finger pointing comes amid increased tension between the UK and Russia over the poisoning of Sergei Skripal in Salisbury, also blamed by the Brits on GRU operatives. American prosecutors have accused 12 suspected Russian spies of hacking Democrat and Hillary Clinton campaign officials. The suspects are all allegedly members of Unit 74455, a branch of GRU.
Foreign secretary Jeremy Hunt, whose ministerial responsibilities include GCHQ and NCSC, said: "The GRU's actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences."
Russian military hackers are known by numerous pseudonyms including APT28, Fancy Bear and CyberCaliphate – the guise under which it hacked French broadcaster TV5Monde back in April 2015. NCSC's alert was accompanied by the publication of a technical advisory on Indicators of Compromise for Malware used by APT28.
APT 28 has returned to covert intelligence gathering and adapted its tactics to stay more in the shadows. Its latest targets include a "well-known international organisation, military targets and governments in Europe, a government of a South American country, and an embassy belonging to an Eastern European country," according to new research from Symantec, released on Thursday.
The Russian hacking crew has begun experimenting with an esoteric UEFI (Unified Extensible Firmware Interface) rootkit called Lojax, as previously reported and based on research by security firm ESET.
Fancy Bear, which has also been studied by private security firms, has been active for at least 10 years and has chiefly targeted Western governments and other organisations in apparent furtherance of Russian foreign policy objectives. Its tactics have evolved over the years but there are some common themes (such as targeted phishing attacks) and tools.
Ollie Whitehouse, global chief technical officer at information assurance firm NCC Group, commented: "The techniques used by the GRU are varied, and their tradecraft is evolving. The main goal of the group is ultimately to use credentials gained through successful attacks to access sensitive information for a wide range of current and future applications, from data theft in the guise of emails and documents through to potential disruption." ®