Press release: UK exposes Russian cyber attacks

Today, the UK and its allies can expose a campaign by the GRU, the Russian military intelligence service, of indiscriminate and reckless cyber attacks targeting political institutions, businesses, media and sport.

The National Cyber Security Centre (NCSC) has identified that a number of cyber actors widely known to have been conducting cyber attacks around the world are, in fact, the GRU. These attacks have been conducted in flagrant violation of international law, have affected citizens in a large number of countries, including Russia, and have cost national economies millions of pounds.

Cyber attacks orchestrated by the GRU have attempted to undermine international sporting institution WADA, disrupt transport systems in Ukraine, and destabilise democracies and target businesses.

This campaign by the GRU shows that it is working in secret to undermine international law and international institutions.

The Foreign Secretary, Jeremy Hunt said:

These cyber attacks serve no legitimate national security interest, instead impacting the ability of people around the world to go about their daily lives free from interference, and even their ability to enjoy sport.

The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.

Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.

Today, the UK and its allies are once again united in demonstrating that the international community will stand up against irresponsible cyber attacks by other governments and that we will work together to respond to them. The British government will continue to do whatever is necessary to keep our people safe.

As the Prime Minister said in Parliament on 5 September 2018, the UK will work with our allies to shine a light on the activities of the GRU and expose their methods.

The UK’s National Cyber Security Centre assess that the GRU is almost certainly responsible for the cyber activities listed below. Given the high confidence assessment and the broader context, the UK government has made the judgement that the Russian government – the Kremlin – was responsible.

The GRU are associated with the names:

  • APT 28
  • Fancy Bear
  • Sofacy
  • Pawnstorm
  • Sednit
  • CyberCaliphate
  • Cyber Berkut
  • Voodoo Bear
  • BlackEnergy Actors
  • STRONTIUM
  • Tsar Team
  • Sandworm
Attack NSCS Assessment
In October 2017, BadRabbit ransomware encrypted hard drives and rendered IT inoperable. This caused disruption including to the Kyiv metro, Odessa airport, Russia’s central bank and two Russian media outlets. NCSC assess with high confidence that the GRU was almost certainly responsible.
In August 2017, confidential medical files relating to a number of international athletes were released. WADA stated publicly that this data came from a hack of its Anti-Doping Administration and Management system. NCSC assess with high confidence that the GRU was almost certainly responsible.
In 2016, the Democratic National Committee (DNC) was hacked and documents were subsequently published online. NCSC assess with high confidence that the GRU was almost certainly responsible.
Between July and August 2015 multiple email accounts belonging to a small UK-based TV station were accessed and content stolen. NCSC assess with high confidence that the GRU was almost certainly responsible.

Previously attributed

Attack NCSC Assessment
In June 2017 a destructive cyber attack targeted the Ukrainian financial, energy and government sectors but spread further affecting other European and Russian businesses. The UK government attributed this attack to the GRU in February 2018. NCSC assess with high confidence that the GRU was almost certainly responsible.
In October 2017, VPNFILTER malware infected thousands of home and small business routers and network devices worldwide. The infection potentially allowed attackers to control infected devices, render them inoperable and intercept or block network traffic. In April 2018, the NCSC, FBI and Department for Homeland Security issued a joint Technical Alert about this activity by Russian state-sponsored actors.

Newsdesk