UK blames Russia's GRU for cyber attacks targeting Georgia
UK accuses Russia of being behind a string of cyber attacks on neighbouring states
The UK has accused Russia's military intelligence service of masterminding cyber attacks last year on neighbouring Georgia.
The GRU, according to the National Cyber Security Centre (NCSC), was behind a campaign of attacks on a range of Georgian hosting providers in October last year, as part of a "long-running campaign of hostile and destabilising activity against Georgia".
The statement today accuses Russia's government of conducting the campaigns "in an attempt to undermine Georgia's sovereignty, to sow discord and disrupt the lives of ordinary Georgian people". Under its Professional Development Framework for All-Source Intelligence Assessment [PDF], the NCSC claims that it is 95 per cent certain that Russia was behind the attacks.
Foreign secretary Dominic Raab described the GRU's campaign as "reckless and brazen" and "totally unacceptable".
He continued: "The Russian government has a clear choice: continue this aggressive pattern of behaviour against other countries, or become a responsible partner which respects international law. The UK will continue to expose those who conduct reckless cyber-attacks and work with our allies to counter the GRU's menacing behaviour."
The particular group behind the Georgia attacks is known variously as the Sandworm team, BlackEnergy, Telebots, or VoodooBear [Google Docs spreadsheet].
The NCSC claims that it is the first example of GRU cyber attacks against a neighbouring state since a wave of cyber attacks against Ukraine between 2015 and 2017. These coincided with a campaign of military separatism in Ukraine's east, fuelled by Russian government arms, covert military assistance and funding. That followed on from the annexation of the Crimea by Russia in 2014.
According to the NCSC, this particular unit of the GRU was responsible for:
- The BlackEnergy shut-off of part of Ukraine's electricity grid in December 2015;
- The Industroyer malware, also known as CrashOverride, which resulted in one-fifth of Kyiv losing power for an hour in December 2016. It is the first known malware designed specifically to disrupt electricity grids;
- The June 2017 NotPetya worm, intended to cripple businesses across Ukraine by exploiting security weaknesses in an accounting package's update mechanism, but which also caused hundreds of millions of dollars of damage to businesses across the world; and,
- The BadRabbit ransomware released in October 2017, which caused disruption to the Kyiv Metro and Odessa Airport -- as well as Russia's central bank and two Russian media organisations.