Security Experts:

Connect with us

Hi, what are you looking for?



UK Spy Agency Warns of State-sponsored Hackers Targeting Critical Infrastructure

The U.K.

The U.K. Government Communications Headquarters (GCHQ), Britain’s secret eavesdropping agency, warns that ‘a number of [UK] Industrial Control System engineering and services organisations are likely to have been compromised’ following the discovery of ‘connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors.’

The warning comes from a National Cyber Security Centre (NCSC) memo obtained by Motherboard and confirmed by the BBC. NCSC is part of the UK’s primary cyber intelligence agency, GCHQ.

From the little information available, it doesn’t appear as if there are any specifically known compromises — NCSC might simply be working from the statistical probability that if enough phishing attacks are launched, at least some will inevitably succeed. 

Spear-phishing is not specifically mentioned within the memo, although it does mention a separate, non-public report from the FBI and DHS last month suggesting the same attackers were using spear-phishing to deliver poisoned Word documents. Motherboard also points to a paywalled report in the Times, Saturday, which states, “Hackers backed by the Russian government have attacked energy networks running the national grid in parts of the UK, The Times has learnt.”

The clear unproven implication is that Russian state-backed actors are specifically targeting the western energy sector. Having said that, however, the Times report differs from the FBI/DHS and NCSC memos by stating that the intention was “to infiltrate control systems… This would also have given them the power to knock out parts of the grid in Northern Ireland.”

Both the FBI/DHS and NCSC memos point to attacks against services organizations, indicating that in the UK and America, it is primarily the supply chain to the critical infrastructure that is being targeted. Indeed, the FBI/DHS statement comments, “There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”

So, apart from the Times report, this would appear to be a large-scale campaign designed to find ways to infiltrate the critical infrastructure rather than anything designed to damage the critical infrastructure. This is probably standard practice for most cyber-advanced nations — ensuring they have the capacity to respond to a potential enemy if it ever becomes necessary.

The importance to an enemy and the potential danger to the critical infrastructure should not, however, be underestimated. A known and ready access route into, for example, the power grid, would be similar to having a nuclear deterrent primed and ready — there is no intention to use it, but accidents can happen.

Neither the FBI/DHS nor the NCSC names the attackers. The NSCS clearly has suspects since it recognizes the infrastructure used. The New York Times, however, implicates Russia. “Two people familiar with the investigation say that, while it is still in its early stages, the hackers’ techniques mimicked those of the organization known to cybersecurity specialists as “Energetic Bear,” the Russian hacking group that researchers have tied to attacks on the energy sector since at least 2012.”

Learn More at SecurityWeek’s ICS Cyber Security Conference

Written By

Click to comment

Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Vulnerabilities in GE’s Proficy Historian product could be exploited for espionage and to cause damage and disruption in industrial environments.


A hacktivist group has made bold claims regarding an attack on an ICS device, but industry professionals have questioned their claims.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


Vulnerabilities in industrial routers made by InHand Networks could allow hackers to bypass security systems and gain access to OT networks.


Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.


Schneider Electric in recent months released patches for its EcoStruxure platform and some Modicon programmable logic controllers (PLCs) to address a critical vulnerability that...