UK and US Accuse Russian FSB of ‘Hack and Leak’ Operation

The U.K. government accused Russia’s domestic intelligence agency Thursday of running a yearslong campaign to interfere in British politics.

See Also: Fog of War | How the Ukraine Conflict Transformed the Cyber Threat Landscape

The Ministry of Foreign Affairs said the Federal Security Service, Russia’s successor to the Soviet Union’s KGB, is responsible for a nearly 10-year-long spear-phishing campaign against lawmakers in multiple political parties and the leak of classified trade documents published ahead of Britain’s 2019 election. In 2018, it hacked the Institute for Statecraft in what appeared to be a bid to discredit the think tank’s work on Russian disinformation.

The British government sanctioned two individuals for their involvement in the campaigns: Ruslan Aleksandrovich Peretyatko, an FSB intelligence officer, and Andrey Stanislavovich Korinets, a member of the hacking group the U.K. says is behind the hacks. The government summoned the Russian ambassador although the Russian embassy in London said no evidence exists to tie Kremlin hackers to the campaigns, Reuters reported.

The United States also sanctioned the two men, and federal prosecutors unsealed a criminal indictment against them for phishing campaigns against intelligence, defense and Department of Energy government employees.

“I can confirm today that the Russian federal security services, the FSB, is behind a sustained effort to interfere in our democratic processes,” said Leo Docherty, a U.K. undersecretary of state, during a morning session of Parliament.

The U.K. and U.S. governments identified the hackers as belonging to an FSB unit known as Center 18. The actual phishing was conducted by a threat actor known as “Star Blizzard,” also known as the Callisto Group and Coldriver and formerly tracked by Microsoft as Seaborgium. Star Blizzard “is almost certainly subordinate” to Center 18, the U.K. government wrote. Microsoft last year wrote that the group tends toward “hack and leak” operations.

Today’s attribution of Star Blizzard to the FSB supplants earlier warnings about the group in which the U.K. government characterized it as being “Russia based.”

“Russia has a long-established track record of reckless, indiscriminate and destabilizing malicious cyber activity, with impacts felt all over the world,” Docherty said.

Universities, journalists, the public sector and nongovernment organizations, many of who “play a vital role in our democracy” have also been targeted by the FSB, he said.

Guidance released by the U.K. National Cyber Security Center on Thursday warns that the FSB hackers take pains to appear legitimate in their spear-phishing messages by researching targets’ interests and social and professional contacts. Most phishing emails arrive in targets’ personal email inboxes, and hackers often wait to send a malicious link until they’ve built a rapport with victims. The emails may arrive from a legitimate webmail provider such as Gmail or Proton, the NCSC said. The U.S. indictment accused Star Blizzard hackers of using spoofed email accounts that appear to originate from the work and personal email accounts of military officers and civil servants.

Microsoft on Thursday said Star Blizzard has focused on improving its techniques to evade detection, including by using email marketing platform services to hide true email sender addresses and bypass the need to have its own email infrastructure. Recorded Future in August reported the group changed its domain-naming syntax after researchers had spotted patterns emerging from a limited word list (see: Russian Hacking Group Shakes Up Its Infrastructure).

U.S. federal prosecutors in 2017 indicted two FSB officials, including a Center 18 officer, for hacking Yahoo webmail accounts.

Threat intel firm Mandiant said Center 18 has ties to cyberespionage activity known as Gamaredon, a threat actor that Ukrainian cyber defenders say is conducted by former Ukrainian SBU officers who defected to Russia during the occupation of Crimea (see: Gamaredon Hackers Amplified Hacks Amid Kyiv Counteroffensive).