UK Spy Agency Warns of State-sponsored Hackers Targeting Critical Infrastructure

The U.K. Government Communications Headquarters (GCHQ), Britain’s secret eavesdropping agency, warns that ‘a number of [UK] Industrial Control System engineering and services organisations are likely to have been compromised’ following the discovery of ‘connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors.’

The warning comes from a National Cyber Security Centre (NCSC) memo obtained by Motherboard and confirmed by the BBC. NCSC is part of the UK’s primary cyber intelligence agency, GCHQ.

From the little information available, it doesn’t appear as if there are any specifically known compromises — NCSC might simply be working from the statistical probability that if enough phishing attacks are launched, at least some will inevitably succeed. 

Spear-phishing is not specifically mentioned within the memo, although it does mention a separate, non-public report from the FBI and DHS last month suggesting the same attackers were using spear-phishing to deliver poisoned Word documents. Motherboard also points to a paywalled report in the Times, Saturday, which states, “Hackers backed by the Russian government have attacked energy networks running the national grid in parts of the UK, The Times has learnt.”

The clear unproven implication is that Russian state-backed actors are specifically targeting the western energy sector. Having said that, however, the Times report differs from the FBI/DHS and NCSC memos by stating that the intention was “to infiltrate control systems… This would also have given them the power to knock out parts of the grid in Northern Ireland.”

Both the FBI/DHS and NCSC memos point to attacks against services organizations, indicating that in the UK and America, it is primarily the supply chain to the critical infrastructure that is being targeted. Indeed, the FBI/DHS statement comments, “There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”

So, apart from the Times report, this would appear to be a large-scale campaign designed to find ways to infiltrate the critical infrastructure rather than anything designed to damage the critical infrastructure. This is probably standard practice for most cyber-advanced nations — ensuring they have the capacity to respond to a potential enemy if it ever becomes necessary.

The importance to an enemy and the potential danger to the critical infrastructure should not, however, be underestimated. A known and ready access route into, for example, the power grid, would be similar to having a nuclear deterrent primed and ready — there is no intention to use it, but accidents can happen.

Neither the FBI/DHS nor the NCSC names the attackers. The NSCS clearly has suspects since it recognizes the infrastructure used. The New York Times, however, implicates Russia. “Two people familiar with the investigation say that, while it is still in its early stages, the hackers’ techniques mimicked those of the organization known to cybersecurity specialists as “Energetic Bear,” the Russian hacking group that researchers have tied to attacks on the energy sector since at least 2012.”

Learn More at SecurityWeek’s ICS Cyber Security Conference