[1]https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activi ty-factsheet/russias-fsb-malign-activity-factsheet Cyber operations and the Russian intelligence services Russia is one of the world’s most prolific cyber actors and dedicate significant resource into conducting cyber operations around the globe. The UK government has publicly attributed malign cyber activity to parts of three Russian Intelligence services: the FSB, SVR and GRU, with each having their own remits. A table of the parts of the Russian Intelligence Services that the UK Government has publicly attributed is below. RIS cyber organogram The FSB cyber programme The FSB (Federal Security Service; Russian: (Федеральная служба безопасности (ФСБ)) is Russia’s state security agency and the successor to the KGB. Since its formation in (1995 the FSB has conducted electronic surveillance of equipment. FSB Centre 16 FSB Centre 16 (16-й Центр) is responsible for cyber operations including the intercepting, decrypting and processing of electronic messages, and the technical penetration of foreign targets. Its full title is the Centre for Radio-Electronic Intelligence by Means of Communication (TsRRSS; Russian: Центр радиоэлектронной разведки на средствах связи (ЦPPCC)) and is also known as “Military Unit 71330” (V/Ch 71330) (Bойсковая часть B/Ч 71330). When the KGB was disbanded in 1991, the 16th Directorate of the KGB became FAPSI (Russian: ՓАПϹИ) or Federal Agency of Government Communications and Information (FAGCI) (Russian :Փедеральное Агентство Правительственной Ϲвязи и Информации), a Russian government agency, which was responsible for signals intelligence (SIGINT) and security of governmental communications. In 2003, FAPSI was dissolved, and the 3rd Main Department of FAPSI (responsible for SIGINT) was transferred to the FSB forming the basis for FSB Centre 16. The emblem of FSB Centre 16 hints at its activities in cyberspace: a satellite dish (signifying SIGINT activity) and a key, broken by lightning, (signifying the breaking of an encryption key) are both present. Cyber operations conducted by FSB Centre 16 FSB Centre 16 has been observed conducting cyber operations since at least 2010. They conducted significant campaigns against the energy sector in 2014 and the aviation sector in 2020. Cyber operations against worldwide critical national infrastructure Centre 16 of the FSB have targeted/gained unauthorised access systems in countries around the world that are necessary for a country to function and upon which daily life depends. Known as Critical National Infrastructure or CNI, Centre 16 has targeted systems essential for energy, healthcare, finance, education and local/national governments. This has been a concerted campaign over many years and in a wide range of countries across Europe, the Americas and Asia. NCSC and cyber security companies have warned network defenders on multiple occasions of the risks posed by this pattern of activity. While there has been speculation of FSB involvement, the UK government is confirming this activity was carried out by FSB Centre 16 and providing further details of specific examples of this activity to increase awareness and transparency around the threat. Table 2: Cyber operations against CNI Date Activity Description of targets Further information June to July 2013 Compromised software package, turning the software into a Trojan, a legitimate appearing programme that contains malware European manufacturer of programmable logic controller devices Symantec report: [2]https://community.broadcom.com/symantecenterprise/communitie s/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-026 0-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5 e68&tab=librarvdocuments April 2014 Compromised software European developer of wind turbines, bio gas and other energy infrastructure Symantec report: [3]https://community.broadcom.com/symantecenterprise/communitie s/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-026 0-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5 e68&tab=librarvdocuments April 2017 Conducted malicious cyber activity UK companies associated with the energy sector October 2017 Gained unauthorised access to and compromised multiple networks through malicious cyber activity including spear phishing European and North American energy sector Symantec report: Dragonfly: Western energy sector targeted by sophisticated attack group [4]https://symantec-enterprise-blogs.security.com/blogs/threat-in telligence/dragonfly-energy-sector-cyber-attacks. Symantec indicate that the actors may have “access to operational systems” March 2018 Conducted spear phishing, captured user credentials, gained unauthorised access to CNI and exfiltrated data US energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors US Cybersecurity and Infrastructure security agency advisory [5]https://www.cisa.gov/uscert/ncas/alerts/aa22-074a. [The advisory states that the activity detailed was performed by Russia government actors and points to the Symantec report detailed above (October 2017) that details malicious activity performed by the group called “Dragonfly”] April 2018 Compromising UK organisations with focus on engineering and industrial control companies. Attackers may be able to access contact lists of hacked companies and establish long term access to networks UK engineering and industrial control companies NCSC advisory: [6]https://www.ncsc.gov.uk/news/hostile-state-actors-compromi sing-uk-organisations-focus-engineering-and-industrial-control February 2020 to August 2020 Sustained and substantial scanning and probing of networks American aviation sector This reconnaissance could be used to gain access at a later date September 2020 onwards Targeted and exfiltrated data American aviation sector and other key US targets CISA alert AA20-296A Cyber operations against dissidents, political opponents and the Russian public The UK government has identified FSB Centre 16 actors using cyber operations to monitor or attempt to gain unauthorised access to the computer systems of dissidents, political opponents and the Russian public. Table 3: Cyber operations conducted by FSB Centre 16 against dissidents, prominent Kremlin critics and the Russian public Date Activity Further information September 2017 Gained unauthorised access to the email address of an associate of Aleksey Navalny Aleksey Navalny is a prominent critic of Putin and a strong advocate for democracy in Russia. In August 2020 Navalny was poisoned in Russia. Following treatment in Germany he returned to Russia and was arrested on arrival October 2019 to January 2020 Posing as the Russian Federal Tax Service, conducted spear phishing against multiple Russian nationals Many of the targets are critics of the current administration February 2020 Attempted to Spear-phish the press secretary of Mikhail Khodorkovskiy 1: Mikhail Khodorkovskiy is a prominent critic of the Russian administration and currently resides in the UK. 2: Mikhail Khodorkovskiy has said he believes himself to be at serious risk from harm at the hands of the Russian state. He currently resides in the UK. The press secretary would be expected to have access to Mikhail Khodorkovskiy’s diary and travel plans May 2020 Monitored the website “dossier.center”, a website set up by Mikhail Khodorkovskiy to expose corruption within the Russian government. This activity occurred shortly after the website released information about the FSB This activity likely represents intelligence gathering against groups connected to Mikhail Khodorkovskiy . References 1. https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet 2. https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarvdocuments 3. https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarvdocuments 4. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks 5. https://www.cisa.gov/uscert/ncas/alerts/aa22-074a 6. https://www.ncsc.gov.uk/news/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control