NCSC: “New class” of Russian cyber attackers seek to destroy critical infrastructure

The NCSC has warned organizations operating critical national infrastructure (CNI) in the West to expect destructive cyber attacks from well-equipped Russia-aligned adversaries.

A “new class” of Russia-aligned cyber attacker has emerged over the past 18 months, it said in an alert timed with the opening of its annual CYBERUK conference, this year held in Belfast.

No specific groups were identified as being part of this “new class” of adversary, but Chancellor Oliver Dowden, who will speak at the opening keynote of CYBERUK today, branded them “Wagner-like groups”.

The NCSC said these groups are not-state sponsored.

This means they are comparatively less well-equipped, but also less operationally restricted by diplomacy and are therefore considered “less predictable”. 

They also, as a result, are able to target a much broader range of organizations.

“We expect these groups to look for opportunities to create such an impact, particularly if systems are poorly protected.”

The emerging groups are not considered powerful enough to deliberately and successfully execute a destructive attack on their own in the short term.

However, there is a suggestion that if they were given assistance, perhaps by Russian state-sponsored hackers loaned to them, then more damaging attacks could be carried out.

The NCSC also warned that these groups could feasibly become stronger over time, and it isn’t out of the question to think their capabilities could develop further, eventually shifting from disruptive to destructive.

Dowden is expected to say in his speech that the UK has become a prime target for Russia-aligned actors that adopt a “to disrupt or destroy” motive.

“Disclosing this threat is not something we do lightly,” Dowden will say. “But we believe it is necessary…if we want these companies to understand the current risk they face, and take action to defend themselves and the country.”

Russia’s history of harboring hackers

It has long been believed that Russia acts as a ‘safe haven’ for cyber criminals, allowing them to operate without fear of being prosecuted.

In the past it has been alleged that Russia has offered cyber criminals a choice between prison and enlisting, hacking for the country rather than for criminal proceeds.

A large number of the most successful ransomware organizations to have ever operated have been pinned to Russia. 

While not being state-controlled, they often target organizations that oppose Russian interests.

The US and UK are routinely among the most-attacked regions in the world by ransomware.

LockBit, REvil, DarkSide, and Conti are among the most high-profile ransomware gangs associated with the country.

Away from ransomware, one of the foremost disruptive cyber criminal groups with a Russian nexus is Killnet. 

The NCSC identified DDoS attacks as one of the most common disruptive techniques used against Western organizations, and these types of attacks are heavily used by Killnet.

According to cyber security researchers, Killnet’s primary tool is DDoS and has been observed in the past using these attacks against victims such as the Eurovision Song Contest’s voting systems and the European Parliament.

It also previously ‘declared war’ on Italy, promising attacks on CNI such as utility companies and any others with an Italian identity.

Killnet was also named specifically, among others, in a Five Eyes advisory from April 2022 highlighting the most threatening Russia-aligned cyber adversaries.

The intelligence alliance said at the time that CNI was thought to be at particular risk from attacks.

Russia’s past targeting of critical national infrastructure

At CYBERUK 2022, the NCSC announced that it officially attributed the attacks on Viasat, a satellite-based internet provider which has a presence in Ukraine, to Russian state-sponsored hackers.

The attacks took place one hour before the country invaded Ukraine.

Viasat experienced significant downtime and the effects of the attacks, which used wiper malware, were felt beyond the country impacting wind farms in other European countries, for example. 

While not believed to be ordered by the state, Darkside's ransomware attack on Colonial Pipeline is widely believed to be one of the most disruptive cyber attacks in history.

The US also indicted four members of the Russian government last year for their alleged roles in two attacks on CNI worldwide.

The first was the infamous attack on a Saudi Arabian petrochemical facility. 

It’s believed the Russian government developed malware that could have caused an explosion at the plant.

A separate attack on US-based CNI was also referenced in the indictments, but the attack was not detailed in any great length.

UK government’s response to Russian cyber threat

Dowden’s speech will make a nationwide call to businesses to focus on shoring up their cyber defenses as a result of this elevated threat from Russia.

He will also announce new plans to set security targets for CNI organizations by 2025 and bring them all into compliance with the cyber resilience regulations, in addition to new ways in which the government’s critical IT systems are being protected.

“These are the companies in charge of keeping our country running. Of keeping the lights on,” Dowden will say. “Our shared prosperity depends on them taking their own security seriously. 

“A bricks-and-mortar business wouldn’t survive if it left the back door open to criminals every night. Equally in today’s world, businesses can’t afford…to leave their digital back door open to cyber crooks and hackers.”

The NCSC advised CNI organizations to “act now” to manage the risk against future attacks.

It pointed to it various online guidance documents to help organizations assess their cyber resilience and how to change operationally when the cyber threat is heightened.