Cyber attacks on UK critical infrastructure likely

Following the participation of the UK in the recent air strikes on the chemical weapons facilities in Syria, a great deal of political and media speculation has been focusing on the possibility of Russian retaliation in the form of cyber attacks.

Foreign Secretary Boris Johnson announced that the UK must take “every possible precaution” to defend the country from attack. Pointing to the possibility of critical infrastructure being targeted, he said: “You have to take every possible precaution, and when you look at what Russia has done, not just in this country, in Salisbury, attacks on TV stations, on the democratic processes, on critical national infrastructure – of course we have to be very, very cautious indeed. But I want to stress, we in the UK do not seek an escalation, absolutely not.”

In recent years Russia has been accused of carrying out a range of highly damaging cyber attacks on infrastructure; notably, huge power outages in Ukraine in 2015 and 2016 were attributed to the Kremlin.

Russian state-sponsored hacker groups are highly sophisticated and very well organised, and while it is not possible to estimate the number of operatives involved in them, analysis of cyber threats facing organisations should include an awareness of the techniques which may be used.

Earlier this year, the US and UK governments both publicly blamed Russia for the global NotPetya attack in 2017, which initially targeted Ukraine before spreading around the world.

At a broader level, the Mirai malware that first came to prominence in 2016 co-opts insecure IoT devices into a larger group, or botnet, to carry out massive DDoS attacks. While it has not been attributed to any particular nation state, it is still active in a variety of iterations and could be leveraged for sustained attacks on critical industries and services.

Phishing attacks pose another threat; companies should ensure that all employees within their organisations are once again reminded of the possible dangers inherent in unsolicited emails.

It is also important to be aware that smaller companies within an organisation’s supply chains could offer attractive – and much easier – targets for threat actors to focus on. Early in March we intercepted a leak that contained some 3.4 billion login credentials. When we examined the data, we were struck by how it had been processed, probably by a special automated exploitation tool, and archived into different types of credentials that could be harvested in a variety of ways. While the compilation may well have comprised much data that had been stolen in previous attacks, it should be noted that this in itself does not reduce the associated risk those leaked credentials may still pose to organisations affected by such compromises.

Another point worth noting is that it has been widely reported that the US Pentagon has identified a 20-fold increase in disinformation emanating from Russia since the strikes on Syria were launched, highlighting again the possibility of a new sustained propaganda campaign and the dissemination of ‘fake news’, led by the St Petersburg-based Internet Research Agency (IRA).

On a different note, while both the media and politicians have been focusing heavily on the threat posed by Russian state-sponsored attacks, it is important to understand that the air strikes carried out in Syria are viewed as controversial both in the UK and around the world, and are therefore likely to lead to cyber operations being launched by a wide range of hacktivists, whether acting independently, as part of a collective, or indeed under government auspices.

Pro-Islamic hacker groups might join Russia in targeting organisations in the UK, USA, France or other western countries seen as having supported the air strikes; and these attacks may be countered by pro-western groups setting their sights on infrastructure in the Middle East or Russia itself. Some state-sponsored groups may even take the opportunity to instigate new cyber espionage operations which they hope will be blamed on Russia.

Conspiracy theories – often a favourite of hacktivist collectives – have also been raised: these range from the Russian Foreign Minister Sergei Lavrov stating that the UK carried out both the alleged chemical weapons attack in Syria and the poisoning of the Skripals in Salisbury, and Kremlin assertions that the attack in Syria had been faked by the “White Helmets” humanitarian organisation, all the way through to allegations on social media that Israel was responsible for the children in Douma being gassed, or that the whole event either never took place, or was staged as part of the apparent dispute over which of two possible pipelines, one backed by the US, and the other by Russia, could run through Syria.

In the hacktivist sphere, we have already seen the launch of #OpPeace4Syria, in which members of the @Anonymous collective call for proof of the use of chemical weapons in Douma, and state that they are committed to fighting against all countries involved in Syria without that evidence having been presented. We may well also see attacks as part of various ongoing operations, including #OpSyria, #OpTurkey, #OpIran, #OpPalestine, #OpArabs, #OpMuslim, #OpIsrael or #OpYemen, in the near future.

UK companies operating both within this country and globally should therefore be on high alert for the possibility of being targeted not only by Russian state-sponsored hacker groups such as @FancyBear, @Carbanak or @Turla, but also by a range of other threat actors.

With highly damaging cyber attacks on the UK a real possibility, companies are advised to confirm that their daily monitoring is in place, that they have an effective patch strategy, and that they use threat intelligence to keep themselves informed of the latest issues.