NCSC: “New class” of Russian cyber attackers seek to destroy critical infrastructure

Russia flag made with code
(Image credit: Getty Images)

The NCSC has warned organizations operating critical national infrastructure (CNI) in the West to expect destructive cyber attacks from well-equipped Russia-aligned adversaries.

What is the Wagner Group?

Flag of russia

(Image credit: Getty images)

Wagner Group is a Russia-aligned paramilitary group often considered as mercenary soldiers that share the objectives of the Russian military.

 It admitted this week to killing 40 children in Bakhmut as it helps Russian troops in the Ukraine conflict.

 Wagner Group is frequently associated with the 2014 Donbas war in Ukraine. It is believed to have played a role in the annexation of Crimea and assisted the Russian military with the conflict that was involved.

A “new class” of Russia-aligned cyber attacker has emerged over the past 18 months, it said in an alert timed with the opening of its annual CYBERUK conference, this year held in Belfast.

No specific groups were identified as being part of this “new class” of adversary, but Chancellor Oliver Dowden, who will speak at the opening keynote of CYBERUK today, branded them “Wagner-like groups”.

The NCSC said these groups are not-state sponsored.

This means they are comparatively less well-equipped, but also less operationally restricted by diplomacy and are therefore considered “less predictable”. 

They also, as a result, are able to target a much broader range of organizations.

“We expect these groups to look for opportunities to create such an impact, particularly if systems are poorly protected.”

The emerging groups are not considered powerful enough to deliberately and successfully execute a destructive attack on their own in the short term.

However, there is a suggestion that if they were given assistance, perhaps by Russian state-sponsored hackers loaned to them, then more damaging attacks could be carried out.

The NCSC also warned that these groups could feasibly become stronger over time, and it isn’t out of the question to think their capabilities could develop further, eventually shifting from disruptive to destructive.

Dowden is expected to say in his speech that the UK has become a prime target for Russia-aligned actors that adopt a “to disrupt or destroy” motive.

“Disclosing this threat is not something we do lightly,” Dowden will say. “But we believe it is necessary…if we want these companies to understand the current risk they face, and take action to defend themselves and the country.”

Russia’s history of harboring hackers

It has long been believed that Russia acts as a ‘safe haven’ for cyber criminals, allowing them to operate without fear of being prosecuted.

In the past it has been alleged that Russia has offered cyber criminals a choice between prison and enlisting, hacking for the country rather than for criminal proceeds.


Image of female and male colleagues looking at a computer

(Image credit: Okta)

Anatomy of identity-based attacks

Helping security teams mitigate identity-based attacks


A large number of the most successful ransomware organizations to have ever operated have been pinned to Russia. 

While not being state-controlled, they often target organizations that oppose Russian interests.

The US and UK are routinely among the most-attacked regions in the world by ransomware.

LockBit, REvil, DarkSide, and Conti are among the most high-profile ransomware gangs associated with the country.

Away from ransomware, one of the foremost disruptive cyber criminal groups with a Russian nexus is Killnet. 

The NCSC identified DDoS attacks as one of the most common disruptive techniques used against Western organizations, and these types of attacks are heavily used by Killnet.

According to cyber security researchers, Killnet’s primary tool is DDoS and has been observed in the past using these attacks against victims such as the Eurovision Song Contest’s voting systems and the European Parliament.

It also previously ‘declared war’ on Italy, promising attacks on CNI such as utility companies and any others with an Italian identity.

Killnet was also named specifically, among others, in a Five Eyes advisory from April 2022 highlighting the most threatening Russia-aligned cyber adversaries.

The intelligence alliance said at the time that CNI was thought to be at particular risk from attacks.

Russia’s past targeting of critical national infrastructure

At CYBERUK 2022, the NCSC announced that it officially attributed the attacks on Viasat, a satellite-based internet provider which has a presence in Ukraine, to Russian state-sponsored hackers.

The attacks took place one hour before the country invaded Ukraine.

Viasat experienced significant downtime and the effects of the attacks, which used wiper malware, were felt beyond the country impacting wind farms in other European countries, for example. 

While not believed to be ordered by the state, Darkside's ransomware attack on Colonial Pipeline is widely believed to be one of the most disruptive cyber attacks in history.

The US also indicted four members of the Russian government last year for their alleged roles in two attacks on CNI worldwide.

The first was the infamous attack on a Saudi Arabian petrochemical facility

It’s believed the Russian government developed malware that could have caused an explosion at the plant.

A separate attack on US-based CNI was also referenced in the indictments, but the attack was not detailed in any great length.

UK government’s response to Russian cyber threat

Dowden’s speech will make a nationwide call to businesses to focus on shoring up their cyber defenses as a result of this elevated threat from Russia.


Assassin's Creed hooded figure with Outlook, Salesforce, and Google icons in circles around him

(Image credit: Kaseya)

The 'cyber aSaaSin' manual

Providing valuable insights to identify SaaS data enemies and win the battle against SaaS data threats


He will also announce new plans to set security targets for CNI organizations by 2025 and bring them all into compliance with the cyber resilience regulations, in addition to new ways in which the government’s critical IT systems are being protected.

“These are the companies in charge of keeping our country running. Of keeping the lights on,” Dowden will say. “Our shared prosperity depends on them taking their own security seriously. 

“A bricks-and-mortar business wouldn’t survive if it left the back door open to criminals every night. Equally in today’s world, businesses can’t afford…to leave their digital back door open to cyber crooks and hackers.”

The NCSC advised CNI organizations to “act now” to manage the risk against future attacks.

It pointed to it various online guidance documents to help organizations assess their cyber resilience and how to change operationally when the cyber threat is heightened.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.