Russian APT activity remains focused on influence operations
Target: US/UK & France
Attack Vector: Hacks & Data Leaks/Phishing Campaign/Influence Operations
Threat Actor: Russian APT groups
Summary: During the current reporting period, international tensions between the UK, the US and Russia have remained at a high level as a result of the Sergei Skripal poisoning incident and the alleged chemical weapon attack in Douma, which resulted in British, French and American airstrikes being carried out against Syrian regime targets.
The recent publication of the UK/US joint technical alert TA18-106A, detailing how Russian APT actors have been compromising routers to gain potential access to a large number of networks, illustrates that the cyber domain is seen as a key battleground by state-sponsored entities. This document raises fears that Russia and allied nations may be preparing for a major disruptive cyber-attack against UK targets in retaliation for Western action against the Assad regime. However, at the time of writing, it appears that the main focus of state-sponsored actors continues to be the expansion of influence operations.
Risk assessment summary: It is currently assessed that Russian APT actors present a 2b HIGH threat. Whilst the recent technical advisory detailed ongoing Russian attempts to compromise systems, this should be considered ‘business as usual’ rather than a specific Russian response to the Skripal and Syria crises.
Given the proximity of the Russia 2018 World Cup tournament, it is unlikely that Moscow would sanction a ‘digital Pearl Harbour’ unless the military situation in Syria leads to direct confrontation between Western and Russian military assets. If such a situation were to develop, especially one involving fatalities, then a ‘Critical’ cyber threat level would be appropriate.
At present, increased levels of information warfare appear to be the limit of Russian retaliation, and this is likely to remain the case until after the World Cup. System users should remain vigilant for any indicators of compromise on their systems and be aware of the risk of plausible, socially engineered phishing emails. Additionally, any escalation in the military sphere in Syria is almost certain to result in a concurrent escalation in the cyber domain, which could result in disruptive attacks being initiated. Monitoring of the threat environment will continue in order to identify further actionable intelligence.