UK says Russia’s GRU was behind a spate of chaotic cyber attacks between 2015 and 2017

The UK has directly accused Russia’s military intelligence agency, the GRU, of being behind a number of cyber attacks that took place between 2015 and 2017, calling them “indiscriminate and reckless” with a range of target types including political institutions, businesses, media and even sport.

It says the chaotic campaign of attacks by the GRU shows it is “working in secret to undermine international law and international institutions”.

The government has also identified 12 hacker group it believes the GRU to be associated with — including ‘Fancy Bear’, a group behind a string of cyber espionage attacks including the 2016 hack of the Democratic National Committee, which the government is also now directly linking to Russia’s military spy agency.

Of course it’s not the first time the Kremlin has been linked to politically motivated attacks (some of which haven’t even required actual hacking).

Nor is it the first time the GRU has been specifically linked to Fancy Bear. Cybersecurity firm Crowdstrike made the same link back in 2016 — with “high level confidence“.

But it’s a first for the UK government to make a link and public accusation of Russia for the attacks — likely intended to keep up geopolitical pressure on president Putin in the wake of the Sailsbury poisonings which it has also previously linked to two GRU agents. (The Kremlin later claimed the two were just tourists who happened to have been visiting the town on the same day as a former Russian double agent and his daughter were poisoned with a nerve agent.)

The UK’s National Cyber Security Center, which is a public-facing branch of the UK’s GCHQ spy agency, has published the latest cyber attack claims — writing that it has “identified that a number of cyber actors widely known to have been conducting cyber attacks around the world are, in fact, the GRU”.

“These attacks have been conducted in flagrant violation of international law, have affected citizens in a large number of countries, including Russia, and have cost national economies millions of pounds,” it adds.

The full list of hacker groups being linked to the Kremlin and “almost certainly” to the GRU — with what the NCSC calls “high confidence” — are:

  • APT 28
  • Fancy Bear
  • Sofacy
  • Pawnstorm
  • Sednit
  • CyberCaliphate
  • Cyber Berkut
  • Voodoo Bear
  • BlackEnergy Actors
  • Tsar Team
  • Sandworm

The other cyber attacks the government has now also publicly attributed to the GRU include:

  • an October 2017 ransomware attack by BadRabbit, which encrypted hard drives and rendered IT inoperable — resulting in disruption including to the Kyiv metro, Odessa airport, Russia’s central bank and two Russian media outlets
  • an August 2017 attack on the World Anti-Doping Agency in which confidential medical files relating to a number of international athletes were released
  • a phishing-based attack on an unnamed small UK-based TV station, which took place between July and August 2015, in which multiple email accounts were accessed and content stolen

The government also lists two attacks it says it had previously attributed to the GRU:

  • a June 2017 cyber attack that targeted the Ukrainian financial, energy and government sectors but which also spread to impact other European and Russian businesses
  • an October 2017 attack involving the VPNFILTER malware which infected thousands of home and small business routers and network devices worldwide. The NCSC notes that the infection “potentially allowed attackers to control infected devices, render them inoperable and intercept or block network traffic”

Commenting in a statement, foreign secretary Jeremy Hunt said:

These cyber attacks serve no legitimate national security interest, instead impacting the ability of people around the world to go about their daily lives free from interference, and even their ability to enjoy sport.

The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens.  This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.

Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.

At the time of writing the Russian Embassy’s UK Twitter account had not yet issued any trolling responses to the UK government.

Well, unless this is it…