influence operations

Russian APT activity remains focused on influence operations

Target: US/UK & France

Attack Vector: Hacks & Data Leaks/Phishing Campaign/Influence Operations

Threat Actor: Russian APT groups

Summary: During the current reporting period, international tensions between the UK, the US and Russia have remained at a high level as a result of the Sergei Skripal poisoning incident and the alleged chemical weapon attack in Douma, which resulted in British, French and American airstrikes being carried out against Syrian regime targets.

The recent publication of the UK/US joint technical safety alert number TA18-106A, detailing how Russian APT actors have been using routers to leverage potential access to a large number of networks, illustrates that the cyber domain is seen as a key battleground by state-sponsored entities. This document raises fears that Russia and allied nations may be preparing for a major disruptive cyber-attack against UK targets in retaliation for Western action against the Assad regime. However, at the time of writing, it appears that the main focus of state-sponsored actors continues to be the expansion of influence operations.

Risk assessment summary: It is currently assessed that Russian APT actors present a 2b HIGH threat. Whilst the recent technical advisory detailed ongoing Russian attempts to compromise systems, this should be considered ‘business as usual’, rather than a specific Russian response to the Skripal and Syria crises.

Given the proximity of the Russia 2018 World Cup tournament, it is unlikely that Moscow would sanction a ‘digital Pearl Harbour’, unless the military situation in Syria leads to direct confrontation between Western and Russian military assets. If such a situation were to develop, especially involving fatalities, then a ‘Critical’ cyber threat level would be appropriate.

At present, increased levels of information warfare appear to be the limit of Russian retaliation and this is likely to remain the case until after the World Cup. System users should remain vigilant for any indicators of compromise on systems and be aware of the risk of socially engineered and plausible phishing emails. Additionally, any escalation in the military sphere in Syria is almost certain to result in a concurrent escalation in the cyber domain, which could result in disruptive attacks being initiated. Monitoring of the threat environment will continue in order to identify further actionable intelligence.

Chemical attack Syria

Chemical attack in Syria provokes increased international tensions

Target: Government/Defense/Multiple Sectors


Attack Vector: Phishing Campaign/Vulnerability Exploits

Threat Actor: APT28 / APT29

Summary: On Saturday 7th April 2018, the White Helmets organization claimed that a chemical weapon attack had been carried out against civilians in the Islamist rebel-held town of Douma in Eastern Ghouta, located just outside the Syrian capital Damascus. Unconfirmed reports suggest that at least 40 civilians were killed in the alleged attack, with hundreds more affected. The incident has resulted in international condemnation of President Assad and his Russian ally President Putin. At the time of reporting, retaliatory airstrikes have been carried out against the Syrian T4 airbase near the city of Homs, which have reportedly killed 14 people including Iranian personnel. Russia has claimed that two Israeli Air Force F-15s were responsible for firing eight guided missiles at the base during the attack and also stated that five of the missiles were shot down by air defense systems.

These latest incidents have markedly increased already strained international tensions, following the attempted murder of Sergei Skripal and his daughter Yulia on 4th March 2018 in Salisbury. The situation also mirrors the April 2017 chemical attacks in Syria, which provoked a number of retaliatory cruise missile strikes by the United States. This in turn led to the pro-Russian actors The Shadow Brokers dumping a large number of NSA hacking tools into the public domain. This included the ETERNALBLUE malware, which led directly to the highly damaging WannaCry and NotPetya ransomware outbreaks.

Risk assessment summary: Given the current dynamic geopolitical climate, it continues to be assessed that a 2b HIGH threat of state-sponsored activity exists to a broad spectrum of sectors, although government and defense organizations remain the most likely targets. The parallels between April 2017 and April 2018 are worrying and it should be expected that any nation which participates in punitive military action against Syria will become a target for retaliatory cyber-attacks. Harvesting and weaponisation of data continues to be the most likely current threat. If military conflict escalates in the region, however, it should be expected that critical infrastructure may also be targeted for disruptive attacks, especially those organizations which provide telecommunication services to the government or military sectors. The energy, health and finance sectors would also prove attractive targets to APT actors.

The Cisco vulnerability situation serves to illustrate that APT groups continue to be active in seeking to exploit any system flaws. It is reminiscent of the way that ETERNALBLUE was used by North Korean actors to leverage the SMB vulnerability in order to enable their WannaCry ransomware campaign, as did malicious Russian actors with their subsequent NotPetya outbreak. Given the direct correlation between military action in Syria in 2017 and these major cyber incidents, it should be anticipated that a similar situation may develop over the short to medium term in 2018, and it is strongly advised that all software patches and updates are applied.

System administrators should also anticipate cyber-attacks if the United States joins Israel in carrying out air strikes, and move to heightened awareness if military action reaches this point. Previous threat assessments regarding the Skripal situation remain valid and monitoring of the geo-political threat will continue in order to identify further actionable intelligence.