The United Kingdom and Australia have officially blamed Russia for several high profile attacks, including the Bad Rabbit ransomware campaign.
A statement published by the U.K. government on Wednesday reveals that the country’s National Cyber Security Centre (NCSC) has linked several cyber threat actors to Russia’s GRU military intelligence service.
The NSCS believes that the GRU is behind the groups tracked by various security firms as APT28, Fancy Bear, Pawn Storm, Sofacy, Sednit, Cyber Caliphate, Cyber Berkut, BlackEnergy, Voodoo Bear, Strontium, Tsar Team and Sandworm. While many of these names represent the same threat actor, the line between the operations carried out by various Russian groups often gets blurred, as shown by the recent VPNFilter attack.
The NCSC says that the GRU is “almost certainly” responsible for the Bad Rabbit ransomware attack in October 2017, the August 2017 attack on the World Anti-Doping Agency (WADA), the 2016 attack on the U.S. Democratic National Committee (DNC), and an attack on a small TV station in the UK in the summer of 2015. It’s worth noting that the U.S. has previously accused Russia of election-related hacks and even charged 12 intelligence officers.
“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens. This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences,” said British Foreign Secretary Jeremy Hunt. “Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”
The Australian government has accused Russia’s GRU for the same attacks, but admitted that Australia itself was not significantly impacted by any of the campaigns.
“Cyberspace is not the Wild West. The International Community – including Russia – has agreed that international law and norms of responsible state behaviour apply in cyberspace. By embarking on a pattern of malicious cyber behaviour, Russia has shown a total disregard for the agreements it helped to negotiate,” reads a statement from Australia’s prime minister and minister of foreign affairs.
Australia says there must be consequences for these types of actions and public attribution is only the first step.
“It is unprecedented that the government should so overtly point the finger directly at the GRU. They must be very confident of their facts, either due to some sort of technical ‘fingerprint’ in the attack vectors themselves, or perhaps through corroboration from various other intelligence sources,” Malcolm Taylor, Director Cyber Advisory at ITC Secure and a former senior British intelligence officer, told SecurityWeek.
“But I think it’s also important to consider who benefits from attacks against these specific targets – WADA, Ukraine and the West in general. The answer to that question of course includes, and may indeed be limited to, Russia and Russian foreign policy interests. The mention of western businesses as targets should also be a reminder that foreign intelligence services do engage in commercial cyber espionage and we all need to take appropriate steps to manage that risk,” Taylor added.
Related: Norway Accuses Russia of Cyberattack