How Russian spies 'targeted the lab investigating the Salisbury Novichok attack'
Fake journalists, hospital outages and a plot to bring down the 2020 Olympics: the major hacking operation uncovered by a joint British and US counter-espionage operation has all the elements of a gripping spy novel.
But the reality of Russian intelligence unit 74455's alleged four-year rampage is billions of pounds in damage and thousands of real-world victims.
The US Department of Justice said on Monday that it was charging six GRU (Main Intelligence Directorate) officers with plotting against the 2018 South Korean Winter Olympics, Ukraine, Georgia and the 2017 French election.
In a parallel press conference, the UK government accused the GRU for launching “cyber reconnaissance” operations on both the 2020 Olympic and Paralympic Games due to be held in Tokyo before they were postponed because of the Covid-19 pandemic.
In each case, the conspirators worked to undermine or retaliate against nations - or organisations - which tried to bring Russia to heel, both governments said.
The Olympics became a target after Russian athletes were banned from participating under their nation’s flag because of a doping scandal. Electricity was switched off for hundreds of thousands of customers after a power grid attack in Ukraine, which it is in war with over disputed territory.
'They will take on any persona they need'
Perhaps most remarkable is the brazen attempt to intervene in investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the UK’s Defence Science and Technology Laboratory into the Russian unit’s own attempted assassination of double agent Sergei Skripal.
On April 6 2018, just three days after officials announced that Skripal and his daughter had been poisoned with Russian nerve agent Novichok, a 29-year-old Anatoliy Sergeyevich Kovalev allegedly looked up a respected British journalist and created a fake email account that mimicked his name and the organisation he worked for. Kovalev, an alleged GRU agent, used the address to send several emails to employees at the Porton Down laboratory with the subject line “Salisbury Spy Poisoning Investigation”.
The emails claimed to have critical evidence for the investigation and the sender needed the names of the officials who were investigating. Kovalev allegedly tried this method three times, pretending to be two different British and German reporters. He later tried the same trick on the independent Organisation for the Prohibition of Chemical Weapons (OPCW) which told him which UK government agencies he needed to speak to and their email addresses, the US Justice Department's indictment claims.
Armed with a list of targets, unit 74455 created an email account that appeared to come from inside the Ministry of Defence and sent dozens of emails which were boobytrapped with “destructive” malicious software.
This "spearfishing campaign", which became a hallmark throughout the entirety of the alleged plot, is commonly used to target businesses too. Typically, criminals sift through Linkedin profiles to guess corporate email addresses (like name.surname@companythatwillpayaransom.co.uk).
“Cyber operators will take on any persona they need to in order to get the job done,” says Adam Meyers, cyber intelligence senior vice president at Crowdstrike, the cyber security company which claimed that the Russians were responsible for hacking the US democrats’ emails ahead of the 2016 election.
“They will even use the email accounts of their victims to target other victims of interest”.
According to the indictment, Kovalev worked with Yuriy Sergeyevich Andrienko, 32; Sergey Vladimirovich Detistov, 35; Pavel Valeryevich Frolov, 28; Artem Valeryevich Ochichenko; and Petr Nikolayevich Pliskin, 32, using a variety of fake names and personas along with online tools like servers, domains and cryptocurrency provided by companies in the US and UK to conduct their cyber offensive.
They registered malicious websites and domains with names mimicking real ones and paid for this infrastructure using Bitcoin under fake names. They registered domain names and URLs that spoofed legitimate websites that their victims would be familiar with like email login pages, file sharing websites and password reset pages to try and trick unwitting employees into handing over usernames and passwords. Some, like in the case of the Porton Down lab, including attached documents that contained malware which could infect computers once clicked upon.
This proved successful when trying to hack the South Korean Olympics by mimicking a website belonging to the Korean Ministry of Agriculture, Food and Rural Affair. It helped the conspirators allegedly shut off power to 225,000 Ukrainian customers in 2015.
UK is becoming more prone to spoofing
The details of the Salisbury counter hack come after troubling research suggests that British organisations have become susceptible to spoofing attacks. Last month cybersecurity company Mandiant published a paper on FIN11, an established financial crime group that targets banks and retailers and is responsible for some of the largest and longest running malicious software attacks observed in history.
According to Mandiant, FIN11 mostly uses code signing certificates that appear to have been created on behalf of British organisations. Code signing certificates make malware appear like a legitimate document from inside an organisation.
“The rationale for spoofing UK-based organisations is unknown, though the explanation could be as simple as the ease with which actors can access corporate documents through the UK’s Companies House website,” says Jeremy Kennelly, Manager of Analysis, Mandiant Threat Intelligence.
Companies House is the digital register of all businesses in the country, which is publicly accessible and ripe for exploitation by hackers to conduct cyber campaigns.
“The use of code signing certificates that appear to have been created on behalf of UK-based organisations is a tactic that has been repeatedly used by FIN11, though certificates created in a similar manner have also been used by other criminals and criminal organisations,” Kennelly adds.
The UK may appear to be in less of a precarious position than the US but the importance of these events as elections loom cannot be understated. The US’ decision to file charges just weeks before the election is a political move, and it comes as the UK and the US gear up to negotiate privacy and data transfers - along with other critical trade negotiations.
Washington is making clear that Russia is still playing dirty after its alleged targeting of the 2016 elections, and is reminding the UK that it is not immune from its poison, whether it comes in the shape of a perfume bottle or an innocent email from a friendly journalist.
