“It is unprecedented that the government should so overtly point the finger directly at the GRU”
The UK’s National Cyber Security Centre (NCSC) has pointed the finger squarely at Russian foreign military intelligence for a sweeping range of cybersecurity incidents led by threat actor APT28, saying bluntly that it holds the Kremlin responsible.
The attribution comes as what was long considered a “gentleman’s game” conducted in the shadows becomes more overt and, as a result, has become a growing part of public diplomacy, with the British government taking an unprecedentedly forthright approach to identifying Russian intelligence activity following the Skripal poisoning.
The intelligence report blames Russia’s GRU for running multiple hacking fronts, naming 12: APT28, Fancy Bear, Sofacy, Pawnstorm, Sednit, CyberCaliphate, Cyber Berkut, Voodoo Bear, BlackEnergy Actors, STRONTIUM, Tsar Team and Sandworm.
Many of these are, in fact, different names for the same threat actor long tracked by cybersecurity companies: APT28 (Advanced Persistent Threat 28), for example, was associated with Russian interests and linked to the GRU four years ago.
The same group is also known as Fancy Bear, Sofacy, Strontium or Tsar Team, depending on which cybersecurity company has been monitoring its activity. Confusingly, some of these names are also used for the group’s delivery mechanisms: Sofacy, for example, is Kaspersky’s name for the threat group, but is also used as a name for just the SOURFACE downloader, one of the group’s tools.
APT28: Different Names for the Same Threat Actor
FireEye in 2014, for example, said “since at least 2007, APT28 has been targeting privileged information related to governments, militaries and security organizations that would likely benefit the Russian government”, adding that it uses “flexible and lasting platforms indicative of plans for long-term use and sophisticated coding practices that suggest an interest in complicating reverse engineering efforts.”
Crowdstrike named APT28 in 2016 as having a “profile [that] closely mirrors the strategic interests of the Russian government”, adding that this may indicate an association with Russia’s “premier military intelligence service”.
Foreign Secretary Jeremy Hunt said: “The GRU’s actions are reckless and indiscriminate… Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”
Malcolm Taylor, Director Cyber Advisory at ITC Secure and a former senior British Intelligence Officer, told Computer Business Review in an emailed statement: “It is unprecedented that the government should so overtly point the finger directly at the GRU. They must be very confident of their facts, either due to some sort of technical ‘fingerprint’ in the attack vectors themselves, or perhaps through corroboration from various other intelligence sources.”
An earlier FireEye analysis pointed to the sophistication of the APT28 threat group now identified as the GRU, saying in an analysis of its common tools that: “A number of the malware variants that we profile below, especially the CHOPSTICK family, demonstrate formal coding practices indicative of methodical, diligent programmers. The modularity of CHOPSTICK alone, with its flexible and lasting platform, demonstrates planning for long-term use and versatility.”
The company added: “We have also noted that APT28… has attempted to obfuscate their code and implement counter-analysis techniques: one of the latest samples of CORESHELL includes counter-reverse engineering tactics via unused machine instructions. This would hinder static analysis of CORESHELL behavior by creating a large amount of unnecessary noise in the disassembly.”
SecureData CTO Etienne Greeff told Computer Business Review: “What should surprise us is when governments don’t use hacking techniques to project power. The genie escaped the bottle a number of years ago when the US and Israelis used Stuxnet to damage the Iranian uranium enrichment facility at Natanz.”
He added: “The reality is that governments will continue to develop tools that get used to further their foreign and domestic policy aims. These tools often leak out onto the civilian Internet, leading to attacks like WannaCry, NotPetya and many more. We are in an era where we have to realise that we as civilian businesses and individuals share the battleground with carrier-grade adversaries.”
He concluded: “Government does have a role to play to protect civilians on an increasingly militarised Internet but companies need to understand that at some stage they are likely to become collateral damage and should have insurance and response plans in place to deal with the eventuality.”