The same Russian state hackers who unleashed NotPetya on the world's computers were behind destructive cyberattacks on Georgia during 2019, the governments of Britain and the US have said – echoing a similar attribution a decade ago.
"The National Cyber Security Centre (NCSC) assesses with the highest level of probability that on 28 October 2019 the GRU carried out large-scale, disruptive cyber-attacks," said the Foreign Office in a statement, referring to the main Russian overseas spy agency.
In a detailed statement the government department attributed the attack to a state-backed hacker crew "known as the Sandworm team, BlackEnergy Group, Telebots, and VoodooBear," to give it some of its open-source names. The statement continued: "It is operated by the GRU's Main Centre of Special Technologies, often referred to by the abbreviation 'GTsST' or its field post number 74455."
That field post number is the same one as for the Fancy Bear hacking crew, also known as APT28, a well-known and prolific Russian government cyber attack unit. Russia has few qualms about letting APT28 loose against foreign countries, as its attacks against Italy a few years ago showed.
Today's attribution comes after a number of cyberattacks in October last year saw a variety of Georgian web hosting firms and websites alike going dark and being defaced. Even Georgian TV stations were taken off air by the intensity and indiscriminate nature of the attacks.
Foreign secretary Dominic Raab, one of the few cabinet ministers not to be sacked in last week's reshuffle, declared: "The Russian government has a clear choice: continue this aggressive pattern of behaviour against other countries, or become a responsible partner which respects international law. The UK will continue to expose those who conduct reckless cyber-attacks and work with our allies to counter the GRU's menacing behaviour."
Determined to make the Russians blush, the Foreign Office went on to list some of the hacker crew's rap sheet:
- Blackenergy, which in December 2015 shut off part of Ukraine's electricity grid;
- Industroyer: Repeated the Blackenergy attack a year later, causing a fifth of Ukrainian capital Kiev to lose power for an hour;
- NotPetya: In June 2017 the destructive malware was unleashed to target Ukraine's financial, energy and public sectors, and which spread rapidly to the rest of the world; and
- BadRabbit: Ransomware that caused problems for the Kiev metro system, Odessa airport, Russia's central bank and two Russian media outlets, as we reported at the time.
Making it clear that Georgia is one of Britain's buddies these days, the Foreign Office said: "Georgia is a strategic partner to the UK. The UK supports a range of projects in Georgia and our annual Ministerial-level UK-Georgia Strategic Dialogue provides an important framework for continuing to develop our strong relationship. The UK was particularly grateful for Georgia's firm support following the attack on Salisbury in 2018, including in efforts to strengthen the [Organisation for the Prohibition of Chemical Weapons]."
An American statement in the name of foreign secretary Michael Pompeo said: "This action contradicts Russia's attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries. These operations aim to sow division, create insecurity, and undermine democratic institutions."
The GRU's tradecraft hasn't been the hottest over the years. In 2018 researchers found a database of cars driven by GRU spies and hackers.
A decade ago Russia was also found to have been responsible for cyber attacks against Georgia, which appeared to have coincided with the former country's invasion of the latter. ®