On 28 October 2019 the Russian military intelligence service, the GRU, carried out large-scale, disruptive cyber-attacks against a range of Georgian web hosting providers. It was described as the first significant example of the GRU using cyber-attacks to disrupt or destroy since late 2017 and resulted in websites being defaced, including sites belonging to the Georgian Government, courts, non-government organisations (NGOs), media and businesses. The attack also interrupted the service of several national broadcasters, says the UK’s National Cyber Security Centre (NCSC).
The NCSC says its attribution is made "with the highest level of probability" (ie more than 95 percent on the probability yardstick the UK government uses for all-source intelligence assessments) that the GRU was responsible for the website defacements, cyber-attacks and interruption to TV channels in Georgia in October 2019. Moscow has denied any involvement.
The cyber-programme responsible for these disruptions is variously known as the Sandworm team, BlackEnergy Group, Telebots, and VoodooBear. NCSC says it is operated by the GRU’s Main Centre of Special Technologies, often referred to by the abbreviation “GTsST” or its field post number 74455.
John Hultquist, senior director, intelligence analysis at FireEye responded to the announcement saying: “It’s very notable that Sandworm has been finally officially tied to GRU Unit 74455, confirming our prior analysis that it is one of the two GRU units that collaborated in 2016 election interference. In addition to the election interference, Ukraine blackouts, and the NotPetya incidents, we believe the organisation was behind an attack on the Pyeongchang Olympics. Notably, they have not been publicly admonished for their attempt to disrupt the Games, and we are concerned that the actors will target the Games in Tokyo this year.”
These cyber-attacks are described by the UK as being part of Russia’s long-running campaign of hostile and destabilising activity against Georgia as part of attempts to undermine Georgia’s sovereignty, to sow discord and disrupt the lives of ordinary Georgian people.
The UK Foreign Secretary Dominic Raab said: “The GRU’s reckless and brazen campaign of cyber-attacks against Georgia, a sovereign and independent nation, is totally unacceptable.
“The Russian government has a clear choice: continue this aggressive pattern of behaviour against other countries, or become a responsible partner which respects international law.
“The UK will continue to expose those who conduct reckless cyber-attacks and work with our allies to counter the GRU’s menacing behaviour.”
Mike Beck, global head of threat analysis at Darktrace, agrees with the attribution, saying: "The UK security services' concerns are right on the money," but adds: "this is about even more than destabilising government. Geopolitical tensions are spiralling out into cyber-space and we are seeing an escalation in politically-motivated attacks that seek mass disruption."
In an email to SC Media UK he goes on to explain that: “In the past, if nation states and cyber-criminals wanted to make a point they would go after other nation states. Now, they go after everything else too – from mainstream media to charities and private companies. Nation states are stress testing organisations at scale and sniffing around for vulnerabilities – it turns out, almost all systems are vulnerable.
“The threat from cyber-warfare will be an ongoing challenge for every single modern organisation around the world.”
This unit of the GRU is also believed to be responsible for:
BlackEnergy: December 2015 shut off part of Ukraine's electricity grid, with 230,000 people losing power for between one and six hours
Industroyer: December 2016 shut off part of Ukraine’s electricity grid, also known as CrashOverride. It resulted in a fifth of Kyiv losing power for an hour. It is the first known malware designed specifically to disrupt electricity grids
NotPetya: June 2017 destructive cyber-attack targeting the Ukrainian financial, energy and government sectors and affecting other European and Russian businesses
BadRabbit: October 2017 ransomware encrypted hard drives and rendered IT inoperable. This caused disruption including to the Kyiv metro, Odessa airport, Russia’s central bank and two Russian media outlets
Hultquist adds: "The attacks in Georgia which were just attributed to Sandworm, the Russian actor behind NotPetya and the blackouts in Ukraine, are consistent with their prior behaviour. Attacks on media are a regular feature of Sandworm campaigns. Prior to the first blackout in Ukraine, they took media offline during their election there."