UK government attributes attacks and threat groups to Russian intelligence agency GRU


The British government has taken the unusual step of attributing a number of attacks and threat groups to the Russian intelligence agency GRU.

The UK government has today accused the Russian government’s military intelligence agency, the GRU, of extensive cyber-attacks against British interests, including government, education, business and sport.

The National Cyber Security Centre (NCSC) has identified attacks and threat actors as being instigated and controlled by the GRU. It said the attacks are a "flagrant violation of international law", cost millions of pounds and have affected people around the world, including Russians.

It is a significant step for the intelligence services, which are usually reluctant to assign attribution to attacks.

It follows the identification of two Russian agents in September 2017 by Dutch and Swiss authorities, who presented evidence of a planned cyber-attack on the Swiss lab analysing samples of Novichok from Salisbury and sarin gas from Syria.

It’s likely that British intelligence has had this intelligence for some time. The decision to go public with the attributions now will no doubt be linked to the recent revelation by independent journalists – and not denied by British intelligence – that one of the Salisbury poisoning suspects is in reality a highly decorated colonel in the Russian military.

According to the NCSC, the groups with which the GRU is associated are:

  • APT 28
  • Fancy Bear
  • Sofacy
  • Pawnstorm
  • Sednit
  • CyberCaliphate
  • Cyber Berkut
  • Voodoo Bear
  • BlackEnergy Actors
  • Tsar Team
  • Sandworm

Among the new attributions issued by the NCSC today are:

  • The BadRabbit attack in October 2017
  • The August 2017 attack on the World Anti-Doping Administration (WADA)
  • The 2016 hack of the Democratic National Committee (DNC)

The Foreign Secretary, Jeremy Hunt, said: "These cyber-attacks serve no legitimate national security interest, instead impacting the ability of people around the world to go about their daily lives free from interference, and even their ability to enjoy sport.

"The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.

"Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.

"Today, the UK and its allies are once again united in demonstrating that the international community will stand up against irresponsible cyber attacks by other governments and that we will work together to respond to them. The British government will continue to do whatever is necessary to keep our people safe."

Malcolm Taylor, director cyber advisory at ITC Secure and a former senior British intelligence officer, said: "It is unprecedented that the government should so overtly point the finger directly at the GRU. They must be very confident of their facts, either due to some sort of technical ‘fingerprint’ in the attack vectors themselves, or perhaps through corroboration from various other intelligence sources.

"But I think it’s also important to consider who benefits from attacks against these specific targets – WADA, Ukraine and the West in general. The answer to that question of course includes, and may indeed be limited to, Russia and Russian foreign policy interests. The mention of western businesses as targets should also be a reminder that foreign intelligence services do engage in commercial cyber-espionage and we all need to take appropriate steps to manage that risk."

Ollie Whitehouse, global chief technical officer at NCC Group, said that it’s clear that the UK government is no longer willing to tolerate Russian cyber-attacks.

"The danger doesn’t just stem from this group, but from the success of these campaigns. Democracies around the world are being targeted by a range of threat actors using a variety of methods, and we expect that cyber criminals will continue to target governments as long as they’re inspired by the success of groups like Fancy Bear," Whitehouse said.

"It’s therefore crucial to continue education and informed dialogue within governments worldwide around modern cyber threats, and ensure that staff at all levels are confident of the steps they need to take to address cyber-risk," he said.
