Russian APT Group Targets UK Government Networks

The United Kingdom’s National Cyber Security Centre (NCSC) has revealed that a Russian-based advanced persistent threat (APT) group has been targeting several UK government networks and critical national infrastructure systems.

Background on Russian APT Group

This particular Russian APT group, also known as APT29 or Cozy Bear, has been active since the mid-2010s. The group is known for targeting government, diplomatic, think-tank, healthcare and energy organizations in Europe, North America, and Central Asia.

Cozy Bear typically gains access to networks through spear phishing and by exploiting vulnerabilities in external web services. Once inside, the group exfiltrates sensitive data for intelligence purposes. Its tactics, techniques and procedures show a high degree of planning and coordination.

Details of Recent UK Attacks

The NCSC has been tracking Cozy Bear’s activities for several months. The APT group has attempted to gain access to multiple UK government networks, including:

  • UK defense ministry networks – Likely seeking classified military information
  • Foreign office networks – Potentially after diplomatic cables and foreign policy intel
  • Other government agencies – Targeting sensitive information held by various departments

In addition to government networks, Cozy Bear has also targeted several critical national infrastructure organizations in the finance, energy and transportation sectors.

The NCSC has not confirmed whether the attacks succeeded in breaching defenses and stealing data. However, the persistent targeting shows the group’s determination.

Links to Russian Intelligence Services

While not officially confirmed, security experts strongly believe Cozy Bear operates on behalf of one of Russia’s intelligence services, most likely the Foreign Intelligence Service (SVR).

The group’s sophisticated capabilities, choice of targets, and alignment with Russian interests point to state sponsorship. The UK government also believes the SVR is behind the group’s activities.

UK Government Response

The NCSC has been working closely with targeted organizations to investigate and remediate any breaches. They have also provided actionable mitigation advice to prevent future attacks, including:

  • Patching services vulnerable to exploitation
  • Enforcing multifactor authentication
  • Monitoring for abnormal activity on networks
  • Increasing overall network security posture

The UK calls on Russia to cease malicious cyber activity and abide by international law. However, the government promises to continue strengthening defenses and defeating attacks from Russian APT groups.

The public disclosure of recent attacks also serves as a deterrent, by showing the UK’s ability to detect sophisticated adversaries. It also allows affected entities to take necessary actions.

Conclusion

The activities of APT29/Cozy Bear demonstrate Russia’s willingness to target critical government and infrastructure systems in foreign nations. Their recent focus on UK networks is likely an attempt to gain geostrategic advantages.

However, the UK promises that its resolve and capability to counter these threats will continue to increase. Ongoing cyber defense collaborations with allies are also working to combat Russian aggression in cyberspace.
