Russia's FSB malign activity: factsheet

[zeynepaydogan]

https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet

Cyber operations and the Russian intelligence services

Russia is one of the world’s most prolific cyber actors and dedicate significant resource into conducting cyber operations around the globe. The UK government has publicly attributed malign cyber activity to parts of three Russian Intelligence services: the FSB, SVR and GRU, with each having their own remits.

A table of the parts of the Russian Intelligence Services that the UK Government has publicly attributed is below.

RIS cyber organogram

The FSB cyber programme

The FSB (Federal Security Service; Russian: (Федеральная служба безопасности (ФСБ)) is Russia’s state security agency and the successor to the KGB. Since its formation in (1995 the FSB has conducted electronic surveillance of equipment.

FSB Centre 16

FSB Centre 16 (16-й Центр) is responsible for cyber operations including the intercepting, decrypting and processing of electronic messages, and the technical penetration of foreign targets. Its full title is the Centre for Radio-Electronic Intelligence by Means of Communication (TsRRSS; Russian: Центр радиоэлектронной разведки на средствах связи (ЦPPCC)) and is also known as “Military Unit 71330” (V/Ch 71330) (Bойсковая часть B/Ч 71330).

When the KGB was disbanded in 1991, the 16th Directorate of the KGB became FAPSI (Russian: ՓАПϹИ) or Federal Agency of Government Communications and Information (FAGCI) (Russian :Փедеральное Агентство Правительственной Ϲвязи и Информации), a Russian government agency, which was responsible for signals intelligence (SIGINT) and security of governmental communications.

In 2003, FAPSI was dissolved, and the 3rd Main Department of FAPSI (responsible for SIGINT) was transferred to the FSB forming the basis for FSB Centre 16.

The emblem of FSB Centre 16 hints at its activities in cyberspace: a satellite dish (signifying SIGINT activity) and a key, broken by lightning, (signifying the breaking of an encryption key) are both present.

Cyber operations conducted by FSB Centre 16

FSB Centre 16 has been observed conducting cyber operations since at least 2010. They conducted significant campaigns against the energy sector in 2014 and the aviation sector in 2020.

Cyber operations against worldwide critical national infrastructure

Centre 16 of the FSB have targeted/gained unauthorised access systems in countries around the world that are necessary for a country to function and upon which daily life depends. Known as Critical National Infrastructure or CNI, Centre 16 has targeted systems essential for energy, healthcare, finance, education and local/national governments. This has been a concerted campaign over many years and in a wide range of countries across Europe, the Americas and Asia.

NCSC and cyber security companies have warned network defenders on multiple occasions of the risks posed by this pattern of activity. While there has been speculation of FSB involvement, the UK government is confirming this activity was carried out by FSB Centre 16 and providing further details of specific examples of this activity to increase awareness and transparency around the threat.

Table 2: Cyber operations against CNI

Date	Activity	Description of targets	Further information
June to July 2013	Compromised software package, turning the software into a Trojan, a legitimate appearing programme that contains malware	European manufacturer of programmable logic controller devices	Symantec report:https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarvdocuments
April 2014	Compromised software	European developer of wind turbines, bio gas and other energy infrastructure	Symantec report:https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarvdocuments
April 2017	Conducted malicious cyber activity	UK companies associated with the energy sector
October 2017	Gained unauthorised access to and compromised multiple networks through malicious cyber activity including spear phishing	European and North American energy sector	Symantec report: Dragonfly: Western energy sector targeted by sophisticated attack grouphttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks. Symantec indicate that the actors may have “access to operational systems”
March 2018	Conducted spear phishing, captured user credentials, gained unauthorised access to CNI and exfiltrated data	US energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors	US Cybersecurity and Infrastructure security agency advisoryhttps://www.cisa.gov/uscert/ncas/alerts/aa22-074a. [The advisory states that the activity detailed was performed by Russia government actors and points to the Symantec report detailed above (October 2017) that details malicious activity performed by the group called “Dragonfly”]
April 2018	Compromising UK organisations with focus on engineering and industrial control companies. Attackers may be able to access contact lists of hacked companies and establish long term access to networks	UK engineering and industrial control companies	NCSC advisory:https://www.ncsc.gov.uk/news/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
February 2020 to August 2020	Sustained and substantial scanning and probing of networks	American aviation sector	This reconnaissance could be used to gain access at a later date
September 2020 onwards	Targeted and exfiltrated data	American aviation sector and other key US targets	CISA alert AA20-296A

Cyber operations against dissidents, political opponents and the Russian public

The UK government has identified FSB Centre 16 actors using cyber operations to monitor or attempt to gain unauthorised access to the computer systems of dissidents, political opponents and the Russian public.

Table 3: Cyber operations conducted by FSB Centre 16 against dissidents, prominent Kremlin critics and the Russian public

Date	Activity	Further information
September 2017	Gained unauthorised access to the email address of an associate of Aleksey Navalny	Aleksey Navalny is a prominent critic of Putin and a strong advocate for democracy in Russia. In August 2020 Navalny was poisoned in Russia. Following treatment in Germany he returned to Russia and was arrested on arrival
October 2019 to January 2020	Posing as the Russian Federal Tax Service, conducted spear phishing against multiple Russian nationals	Many of the targets are critics of the current administration
February 2020	Attempted to Spear-phish the press secretary of Mikhail Khodorkovskiy	1: Mikhail Khodorkovskiy is a prominent critic of the Russian administration and currently resides in the UK. 2: Mikhail Khodorkovskiy has said he believes himself to be at serious risk from harm at the hands of the Russian state. He currently resides in the UK. The press secretary would be expected to have access to Mikhail Khodorkovskiy’s diary and travel plans
May 2020	Monitored the website “dossier.center”, a website set up by Mikhail Khodorkovskiy to expose corruption within the Russian government. This activity occurred shortly after the website released information about the FSB	This activity likely represents intelligence gathering against groups connected to Mikhail Khodorkovskiy

.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 23841 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20220406/997ad46d/attachment.txt>