According to the UK’s National Cyber Security Centre (NCSC), the cyber security arm of GCHQ, Britain will be hit by a life-threatening “category 1” cyber emergency in the near future. The NCSC’s annual review revealed that it is currently repelling around 10 attempted cyber attacks every week, with “hostile states” said to be responsible for the bulk of the thwarted strikes.
MI5, the UK’s domestic security service, defines “cyberspace” as the electronic medium of digital networks used to store, modify and communicate information. It includes the Internet but also the other information systems that support businesses, infrastructure and services.
A wide range of hostile actors use cyber to target the UK. They include foreign states, criminals, “hacktivist” groups and terrorists. The resources and capabilities of such actors vary. Foreign states are generally equipped to conduct the most damaging cyber espionage and computer network attacks.
Hostile actors conducting cyber espionage can target the government, military, business and individuals. They use computer networks, for example, to steal large volumes of sensitive data undetected. This might include intellectual property, research and development projects, strategic data on a company’s merger and acquisition plans, or any other information that the owner might want to protect.
A couple of weeks ago, in an unprecedented statement, the foreign secretary, Jeremy Hunt, said the National Cyber Security Centre (NCSC) had found that a number of hacking groups widely known to have been conducting attacks around the world were covers for the Russian GRU intelligence service. He added that their attacks had been undertaken with the consent and knowledge of the Kremlin. The Foreign Office attributed six specific attacks to GRU-backed hackers and identified 12 hacking group code names as fronts for the GRU: Fancy Bear, Voodoo Bear, APT28, Sofacy, Pawnstorm, Sednit, Cyber Caliphate, CyberBerkut, Black Energy Actors, STRONTIUM, Tsar Team and Sandworm. These names have also been confirmed by the NCSC. The recent statements directly name the GRU, Russia’s military intelligence service. In its statement, Britain for the first time identified four cyber attacks as Russian-sourced. They include an October 2017 attack using the Bad Rabbit ransomware that rendered IT inoperable, causing disruption to the Kiev metro, Odessa airport, Russia’s central bank and two Russian media outlets.
Further attacks attributed to Russia for the first time are the 2017 hacking of confidential medical files of international athletes held by the World Anti-Doping Agency, attacks on a small, still functioning British-based TV station and, finally, the 2016 hacking of the Democratic National Committee, from which thousands of internal party emails were taken and published by outlets including WikiLeaks during that year’s US presidential election campaign.
The GRU is Russia’s military intelligence agency. It is also Russia’s largest foreign intelligence agency. People often mistake the GRU for the Russian KGB, which is wrong. Let me clarify for my readers that the GRU did exist during the Soviet era alongside the KGB, but it split from it in 1991 and since then has been working as Russia’s main military intelligence agency. The GRU’s agents are mostly serving military officers, with some under civilian, diplomatic or business cover inside and outside Russia. The GRU generally operates independently, but in some cases it liaises with other Russian agencies.
For the benefit of my readers, I may also shed some light on the Five Eyes intelligence alliance, which has declared Russia and the GRU a cyber security threat on numerous occasions. The Five Eyes (FVEY) brings the UK, the United States, Canada, Australia and New Zealand into the world’s most complete and comprehensive intelligence alliance. For more than 70 years the once-secret post-war alliance of the five English-speaking nations has been an infrastructure of surveillance with a global reach, and age has not diminished the FVEY, which remains one of the most complex and far-reaching intelligence and espionage alliances in our history.
On 16 April 2018 a joint statement by the US and UK was issued in which they stated that they have been tracking Russian cyber attacks for the last 20 years or so. In fact, Russia is not the only country blamed for cyber attacks on the UK. The British authorities blamed North Korea in December 2017 for a cyber attack on UK health services. In March 2018 Iran was blamed for hacking British universities, and China-based groups for hacking think tanks in 2017. In April 2018 ISIS was blamed for specific cyber attacks.
Diplomatic tensions between the UK and Russia have escalated since the poisoning of the Russian double agent Sergei Skripal and his daughter in Salisbury this year. Russia is also blamed by the Five Eyes, including the UK, for interfering with elections in different countries and also for damaging Russian companies. The UK has accused Russia and the GRU of having no regard for international law.
After the Salisbury incident, British Prime Minister Theresa May said that a counter cyber attack against Russia could be one option for retaliation. Extensive measures could be unleashed against Russia, including sanctions, expelling diplomats and so on. The UK has already expelled 23 Russian diplomats. According to the Prime Minister, other options are also on the table.
If the British Government decides to launch its counter strategy, the potential targets would be:
- Russian state sponsored media
- Govt websites and internet connectivity infrastructure
- Dark web associated with Russian mafia and organised crime gangs
According to recent figures, the UK is investing £1.9 billion per year in cyber security. One thing must be understood by all: it is absolutely impossible to provide total protection against cyber threats and attacks. This is exactly what the Chief of the NCSC said in January 2018. In fact General Sir Nick Carter, Chief of the Defence Staff, in the same week highlighted the growing threat posed by cyber attacks, in particular from Russia, both on the battleground and against civilian services. Figures for cyber attacks from the opening of the NCSC through to December last year underlined the pressure building on the UK from hackers. The NCSC recorded 34 C2 attacks, with WannaCry the most disruptive of these, and 762 slightly less serious C3 ones.
The main cyber threat to the UK is twofold:
- Cyber operations (internet services, online banking, phones and tablets at home, transport, health and so on; a cyber attack could critically disrupt lives). Britain’s power and water supplies, internet and transport networks, and health services may also be affected as a result of a cyber attack;
- Information operations (manipulating social media feeds, planting fake news stories, blasting TV and radio channels with propaganda, etc.). A lot of this could be achieved by stealth, with stories manipulated in a pinpoint, targeted fashion at critical political junctures;
- Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows these actors to identify enabled Internet-facing ports and services, conduct device fingerprinting and discover vulnerable network infrastructure devices;
- The targets of this malicious cyber activity are primarily government and private-sector organisations, critical infrastructure providers and the Internet Service Providers (ISPs) supporting these sectors. Specifically, these cyber exploits were directed at network infrastructure devices worldwide such as routers, switches, firewalls and Network Intrusion Detection Systems (NIDS).
Russian cyber actors leverage several legacy or weak protocols and service ports associated with network administration activities. These tactics can be used to identify vulnerable devices, obtain login credentials, masquerade as privileged users, modify device firmware, copy or redirect victim traffic through Russian cyber-actor-controlled infrastructure, and carry out several other malicious activities.
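The scanning of legacy administration ports described above is something a network defender can look for in their own connection logs. The following is an added example, not code from the article or from any UK agency; it assumes a simple constructed log format, and the port list (Telnet, TFTP, SNMP, Cisco Smart Install) and the management network are assumptions. It flags both horizontal sweeps of those ports across many devices and any connection to them from outside the permitted management network.

```python
"""Flag scanning of legacy network-administration ports in connection logs.
Added example, not from the article or any UK agency. Assumed log format:
"<src_ip> <dst_ip> <dst_port> <proto>". Port list is an assumption: Telnet,
TFTP, SNMP and Cisco Smart Install are legacy or weakly authenticated
management services often exposed on routers and switches."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed legacy/weak management services (port -> service name).
LEGACY_ADMIN_PORTS = {23: "telnet", 69: "tftp", 161: "snmp", 4786: "smart-install"}
# Assumed: the only network permitted to reach device management planes.
MGMT_NET = ip_network("10.0.0.0/24")

def parse_flow(line):
    src, dst, port, proto = line.split()
    return src, dst, int(port), proto

def find_legacy_port_scans(lines, min_hosts=3):
    """Sources that touched a legacy admin port on >= min_hosts distinct
    destinations (horizontal scanning); returns {src_ip: [ports]}."""
    seen = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    for line in lines:
        src, dst, port, _ = parse_flow(line)
        if port in LEGACY_ADMIN_PORTS:
            seen[src][port].add(dst)
    result = {}
    for src, ports in seen.items():
        hit = sorted(p for p, dsts in ports.items() if len(dsts) >= min_hosts)
        if hit:
            result[src] = hit
    return result

def find_unauthorised_admin_access(lines):
    """Legacy admin-port connections from outside MGMT_NET, scan or not;
    returns a list of (src_ip, dst_ip, service)."""
    hits = []
    for line in lines:
        src, dst, port, _ = parse_flow(line)
        if port in LEGACY_ADMIN_PORTS and ip_address(src) not in MGMT_NET:
            hits.append((src, dst, LEGACY_ADMIN_PORTS[port]))
    return hits

# Constructed sample: 198.51.100.7 sweeps two ports on three routers; 10.0.0.5 is a legitimate management host.
SAMPLE_FLOWS = [
    "198.51.100.7 192.0.2.1 23 tcp", "198.51.100.7 192.0.2.2 23 tcp",
    "198.51.100.7 192.0.2.3 23 tcp", "198.51.100.7 192.0.2.1 4786 tcp",
    "198.51.100.7 192.0.2.2 4786 tcp", "198.51.100.7 192.0.2.3 4786 tcp",
    "10.0.0.5 192.0.2.1 161 udp", "10.0.0.5 192.0.2.1 443 tcp",
    "203.0.113.9 192.0.2.2 161 udp",
]
```

Run over real flow or firewall logs, the second check is the more useful one: a single stray Telnet or SNMP connection from an unexpected source is worth a ticket even when no sweep is visible.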
“Absolute protection is neither possible nor desirable; it’s about having more resilience in the systems we care about the most, those where loss of service would have the most impact on our way of life,” says Martin, the CEO of the National Cyber Security Centre.
GCHQ, the NCSC (National Cyber Security Centre), CiSP (Cyber Security Information Sharing Partnership), the ROCUs (Regional Organised Crime Units) and the Joint Cyber Reserve Force (JCRF) are the various bodies that deal with cyber threats in the UK.
The following steps must be taken by the Government towards UK cyber security:
- Monitor the more exposed parts of its digital assets
- Cut down on functionality that can be exploited
- Set up intelligence gathering from wide sources
- Set up an early warning system
- Senior representatives from utility, transport and internet firms, in addition to the NHS, are believed to have attended intelligence briefings at the National Cyber Security Centre (NCSC) on the specific methods being used by Russia to target Britain’s national infrastructure
- The Government must take steps to improve defence, improve detection capability, improve response capability and make proper incident management plans
- The Government must conduct a cyber risk assessment of its supply chain on a regular basis
- Mitigate the impacts of successful attacks
Last but not least, the Five Eyes alliance (Australia, Canada, New Zealand, the United Kingdom and the United States) is deepening its coordination while increasing consultations with other nations to combat Chinese and Russian influence operations and investment. Although new countries have not been invited to Five Eyes meetings, the alliance is seeking to share its intelligence with partners such as France, Germany and Japan in order to counter foreign interference.
The group released a joint technical alert that provides information on five publicly available malicious cyber tools, including where and when they have been deployed. Although cyber threat actors rapidly develop their own capabilities, they often still use established tools and techniques. Noting that the list is by no means exhaustive, the alert gives general advice to system defenders on how to detect these tools and limit their effectiveness, and how to improve network defence practices.