The US and UK governments have joined forces to identify the GRU – the Russian military intelligence agency believed to be behind the Skripal poisoning – as the source of a series of cyber attacks.
Investigators at the National Cyber Security Centre linked the agency to six high-profile cyber attacks over the last three years, including hits on the US Democratic Party, Ukrainian infrastructure and the World Anti-Doping Agency.
Today’s announcement (4 October) marks the first time the UK has directly named the GRU as the perpetrator of the attacks. In a statement issued by NCSC, the foreign secretary Jeremy Hunt said the decision to name the agency signalled the UK and its allies’ desire to “expose and respond to” the agency’s “attempts to undermine international stability”. The Kremlin was ultimately responsible for the GRU’s work, the government said.
“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens,” Hunt added. “This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.”
The Russian government has since denied the claims. “The rich imagination of our colleagues from the UK truly has no limits”, Russian foreign ministry spokeswoman Maria Zakharova said on Thursday morning.
Further allegations emerged later in the day. At lunchtime, the Netherlands issued a statement claiming the GRU had also been behind an attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) around the time it was analysing the chemicals used in the Skripal poisoning in Salisbury. The agency has also been linked to attempted attacks on the Foreign and Commonwealth Office and Porton Down chemical laboratory.
In a joint statement, Theresa May and her Dutch counterpart said the “GRU’s reckless operations stretch from destructive cyber activity to the use of illegal nerve agents”.
The US government has now charged seven Russian spies over cyber hacking. All seven were linked to the attack on the World Anti-Doping Agency. Four were also alleged to have carried out the attack on the OPCW. The GRU had been associated with a number of code names, including APT28, Fancy Bear, Sofacy, Pawnstorm, Sednit and CyberCaliphate, among others, NCSC said.
Commenting on the news, Avast security researcher Martin Hron said it is common for hacking teams to attempt to mislead analysts. “The most reliable way to attribute an attack is with physical proof, the proverbial catching the thief’s hand in your pocket by observing illegal activity on systems and tracing them to the source,” he added. “Another way is to compare code between the tools used by the hackers with previously-attributed attacks. The similarities in the code, such as internal naming, comments and the techniques used, can be used as evidence.”