Russia’s FSB Hacking UK Politicians, Warns NCSC

The UK’s National Cyber Security Centre (NCSC), part of GCHQ, has warned Russian intelligence services are carrying out a “sustained” attack on UK politics and the democratic process in this country.

The NCSC in its announcement even identified the specific Russian unit, after it assessed the threat group responsible as being “almost certainly subordinate to Centre 18 of Russia’s Federal Security Service (FSB).” The FSB is of course the successor agency of the infamous (Soviet-era) KGB.

Last month NCSC had warned of the ‘enduring and significant’ threat to the UK’s critical infrastructure from hostile nation states, and stated that artificial intelligence poses a threat to the UK’s next general election, due to be held by January 2025.

Russian hackers

Earlier this year NCSC had identified the biggest cyber threat as stemming from Russia, which “continues to be one of the most prolific actors in cyberspace, dedicating substantial resources towards conducting operations around the globe and continuing to pose a significant threat to the UK.”

Now this week NCSC said that it and its international partners have “called out the Russian Intelligence Services for a campaign of malicious cyber activity attempting to interfere in UK politics and democratic processes.”

NCSC assessed that a group called Star Blizzard were using cyber operations to target high-profile individuals and entities.

The Star Blizzard group is also known as Callisto Group, Cold River and formerly Seaborgium.

The malicious activity of the Star Blizzard hackers includes:

• Targeting, including spear-phishing, of UK parliamentarians from multiple political parties, from at least 2015 through to this year;
• The compromise of UK-US trade documents that were leaked ahead of the 2019 General Election;
• The 2018 compromise of the Institute for Statecraft, a UK thinktank whose work included initiatives to defend democracy against disinformation, and the more recent hack of its founder Christopher Donnelly, whose account was compromised from December 2021 – in both instances documents were subsequently leaked;
• Targeting of universities, journalists, public sector, NGOs and other Civil Society organisations.

NCSC said the Russian hackers has also selectively leaked information obtained through its operations and amplified the release in line with Russian confrontation goals, including to undermine trust in politics in the UK and like-minded states.

New guidance

The UK Foreign Secretary David Cameron has described these attempts to interfere in UK politics as “completely unacceptable” seeking to threaten our democratic processes.

To support the announcement, the NCSC and partners from the US, Australia, Canada and New Zealand (i.e. the ‘Five Eyes’), have issued a new cyber security advisory, sharing technical details about how the actors carry out attacks and how targets can defend against them.

“Defending our democratic processes is an absolute priority for the NCSC and we condemn any attempt which seeks to interfere or undermine our values,” said Paul Chichester, NCSC Director of Operations.

“Russia’s use of cyber operations to further its attempts at political interference is wholly unacceptable and we are resolute in calling out this pattern of activity with our partners,” said Chichester.

“Individuals and organisations which play an important role in our democracy must bolster their security and we urge them to follow the recommended steps in our guidance to help prevent compromises,” said Chichester.

Russian hacking

This hacking may not be entirely a one way street. In June this year the FSB alleged the US National Security Agency (NSA) had conducted an espionage operation against Russian iPhone users, and was aided by Apple.

Despite that, it is clear Russia remains the most significant and persistence cyber threat to the West.

In August 2023 the Electoral Commission warned that “hostile actors” had breached its systems, and obtained data on all registered voters in the United Kingdom.

The Commission said at the time that hackers obtained the “name and address of anyone in the UK who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters.”

UK officials pointed the finger of blame at Russia, with Sir David Omand, a former director of GCHQ, stating that Moscow was the prime suspect.

Prior to that in February this year, British parliamentarian Stewart McDonald, the SNP Member Parliament for Glasgow South and a former defence spokesperson, publicly admitted he was hacked in January and his email system compromised, with suspicion pointed at Russia.

All of this has been ongoing for a while now.

Six years ago in 2017 for example, emails and passwords belonging to British MPs and high level public servants was traded online.

FSB hackers

John Hultquist, chief analyst at cybersecurity specialist Mandiant, pointed out that the Russian hackers, which it labels Cold River (i.e. Star Blizzard) has been publicly attributed to Center 18 of the FSB, one of multiple Russian security services that sponsor global cyber espionage.

“Center 18 has been previously publicly linked to intrusions into Yahoo! that involved a co-opted cybercriminal as well as intrusions by a young Canadian national who was hired to target accounts,” said Hultquist. “The Center is also tied to the Gamaredon cyber espionage activity, which is reportedly conducted by former Ukrainian SBU officers who defected to Russia during the occupation of Crimea.”

“Another FSB Center, Center 16, is tied to the infamous Turla cyber espionage activity, as well as a series of intrusions into global critical infrastructure best known as Energetic Bear,” said Hultquist.

“Cold River carries out global cyber espionage with a focus on Russia’s perennial interests like Western security and foreign policy,” said Hultquist. “What sets them apart from many of their peers, and makes them particularly dangerous, is their willingness to leak hacked data for political purposes. As recently as 2022 they leaked stolen emails from Brexit advocates in an effort to suggest a scandal.”

“Russia’s military intelligence service, the GRU, has received the lionshare of the attention when it comes to election related activity, which is only natural given their history of serious incidents in the US and France, but this actor is one to watch closely as elections near,” Hultquist concluded. “The FSB clearly has an interest in political interference, and hacked emails are a powerful tool.”

Not surprising

Meanwhile Elliott Wilkes, chief technology officer at Advanced Cyber Defence Systems (ACDS), also weighed in the NCSC warning.

“It is not hugely surprising to learn of the UK Government’s recent disclosure that the Russian security and intelligence apparatus has been engaging in persistent attacks on individuals and organisations with ties to government and security in the UK,” said Wilkes.

“We saw the lengths Russian state actors went to in order to impact the US elections in 2016 with sophisticated spear phishing campaigns,” said Wilkes. “The hope with these disclosures is that by naming the agency and specific team responsible, and calling the Russian diplomatic corps to answer on their behalf, is part of a recent trend by Western governments in ‘attribution’, a kind of ‘naming and shaming’ of those responsible for illegal activities.”

“What is interesting here is the co-ordinated disclosure of the UK government with an announcement by Microsoft giving details and context for the cyber crime, espionage and doxxing by the Russian Security Service group,” said Wilkes. “By calling out illegal cyber attacks, Western governments (and industry partners alongside them) are preventing the operators from hiding behind a veil of anonymity.”