
UK accuses GRU of ‘reckless’ cyberattacks

October 5, 2018 | Expert Insights

The British government has accused Russia’s military intelligence unit GRU of being behind a series of “reckless” cyberattacks ordered by President Vladimir Putin’s Kremlin, from the 2016 hacking of the US Democratic National Committee to leaking the medical records of top athletes.

Background

Over the past decade, Russia has been accused of mounting a slew of significant cyber attacks against foreign nations to influence or disrupt political processes, sow discord or impact communications and businesses. Intelligence officials and cybersecurity experts believe these attacks - paired with propaganda - are designed to undermine democracy, disrupt operations, and achieve foreign policy goals.

In February, the US, UK and other nations accused Russia of launching the destructive NotPetya malware attacks in 2017 that focused on Ukraine and crippled firms worldwide. In January 2017, US intelligence agencies accused the Kremlin of interfering in the 2016 presidential election through a complex influence campaign that included cyberattacks to hurt Democratic presidential candidate Hillary Clinton’s campaign and sway the vote in Donald Trump’s favour. In April 2018, the US and Britain blamed Russia for cyberattacks targeting computer routers, firewalls and other networking equipment used by government agencies, critical infrastructure firms and businesses worldwide.

Moscow denies accusations that it carried out cyberattacks on the United States and other countries.

Relations between the UK and Russia have deteriorated following the March 4 nerve agent poisoning of Russian double agent Sergei Skripal and his daughter Yulia in the British city of Salisbury. Prime Minister Theresa May blamed Russia’s largest foreign intelligence agency, the GRU, for the attack. 

Formally named the Main Directorate of the General Staff of the Armed Forces, the GRU’s goal is to provide the president, Federal Assembly, the Russian government, minister of defence and armed forces chief with necessary intel to “make decisions in the political, economic, defence, scientific, technical and environmental fields.” It is also tasked with “ensuring conditions conducive to the successful implementation of the Russian Federation’s defence and security policy.”

Analysis

The UK and Australia said the Russian military intelligence unit is behind a fresh wave of high-profile cyberattacks. Britain’s National Cyber Security Centre (NCSC) concluded that the GRU is responsible for “indiscriminate and reckless” attacks targeting political institutions, businesses, media and sport across the globe. The agency said the widely known hacking groups behind these attacks are covers for the GRU, which operates under different aliases including Fancy Bear, APT 28, Sofacy, Pawnstorm, Strontium, Tsar Team, Sandworm, Voodoo Bear, Sednit, CyberCaliphate, CyberBerkut and BlackEnergy Actors.

British authorities said the attacks have been carried out “in flagrant violation of international law, had affected citizens in a large number of countries, including Russia, and had cost national economies millions of pounds.”

The NCSC has assessed with “high confidence” that the GRU was “almost certainly” responsible for the BadRabbit ransomware attack in October 2017 and the hacking of WADA’s Anti-Doping Administration and Management system and subsequent leaking of international athletes’ confidential medical files, including those of American Olympic gold medalist Simone Biles, tennis stars Venus and Serena Williams, and British cyclist Bradley Wiggins. It has also tied the agency to the 2016 hacking of the US Democratic National Committee and the steady subsequent release of damaging emails and documents online by WikiLeaks in the run-up to the November election. Other attacks attributed to Russia include the hacking of multiple email accounts belonging to a small UK-based TV station between July and August 2015.

Foreign Secretary Jeremy Hunt said the UK and its allies would “expose and respond to the GRU’s attempts to undermine international stability.”

“These cyberattacks serve no legitimate national security interest, instead impacting the ability of people around the world to go about their daily lives free from interference, and even their ability to enjoy sport,” Hunt said. “This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.”

The announcement is part of the British government’s campaign to “shine a light” on the actions of the shadowy GRU. It is also the first time the UK has directly accused the GRU, rather than just the Russian state, of being responsible for cyberattacks. The NCSC’s report also compiles the multiple names and attacks that have been tied to the GRU by security researchers.

Assessment

Our assessment is that Britain has taken a bold step in specifically naming Russia’s GRU as responsible for multiple cyberattacks targeting multiple Western nations and the leaking of confidential, damaging data to the public. While peacetime espionage is often employed by states and their intelligence agencies as a means to acquire key information and advantage over competitor states, the cyberattacks and pattern of behaviour linked to the GRU appear to indicate greater expansion and implementation of such strategies in cyberspace.

As the UK and its allies name specific Russian entities and individuals over such attacks, which may become more severe, frequent and sophisticated, it could lead to the imposition of more countermeasures by the West, including tighter economic sanctions.