On 16 March 2021, an important new report on national defence and foreign policy in the UK was published – ‘Global Britain in a competitive age’.[i] While in the report there is a focus on traditional forms of defence and the promise of an increase in spending on military hardware – including nuclear warheads – there is a noticeable emphasis on cyber threats.
It is stated that: “…we will continue to defend the integrity of our nation against state threats, whether in the form of illicit finance or coercive economic measures, disinformation, cyber-attacks, electoral interference or even – three years after the Salisbury attack – the use of chemical or other weapons of mass destruction”. What is apparent from this new report is that the evolution of technology has significantly changed threats to national security.
These now include the development of cyberweapons capable of targeting and paralysing critical infrastructure; ransomware attacks resulting in devastating financial costs for corporations and the insurance industry; long-running cyber-espionage operations focusing on the theft of government and commercial information; and even disinformation campaigns aimed at destabilising the entire political system.
Russia and China were identified in the report as posing the greatest threats to the UK. Some of the more notable quotes included: “Russia remains the most acute threat to our security”; and “China also presents the biggest state-based threat to the UK’s economic security”. It is no coincidence that these two countries were singled out. State-sponsored threat actors from both nations have been engaged in offensive cyber-related activities for many years, carrying out well-documented and widely publicised cyberattacks against western organisations; and in the last few months, both have been accused of conducting hugely damaging campaigns against government and corporate websites worldwide.
The first, which was discovered in late 2020, involved an attack on SolarWinds which has been widely attributed to Russian APT groups; the second, more recent campaign focused on Microsoft Exchange, and the blame for this has been placed squarely on Chinese state-sponsored threat actors.
The investigation into the threat actors responsible for the SolarWinds supply chain attack campaign is ongoing. The group was reportedly able to compromise the SolarWinds environment by covertly injecting a Trojanised update into the SolarWinds Orion platform. Over 18,000 organisations were thought to have downloaded the SUNBURST backdoor, which was inserted into the Orion update server via the SUNSPOT implant.
Multiple sources have claimed this attack was orchestrated by the Russian state-sponsored APT CozyBear (aka APT29, TheDukes, Yttrium, and various other names). This is one of Russia’s major cyber-espionage groups; alongside FancyBear, it works on behalf of the Russian intelligence services. One of its most well-known operations involved the infiltration of the networks of the Democratic National Convention (DNC) in 2016 during the US presidential election. When carrying out this campaign, the group persisted in the compromised networks for months, harvesting files, emails, and valuable information while continuing to monitor all communications. Most recently, the group has been accused of targeting organisations involved in COVID-19 vaccine research and development.
CozyBear is suspected of being responsible for the SolarWinds campaign due to the breadth of the attack, and because the tactics deployed are similar to those seen in its previous operations. However, the identity of the threat actors is by no means certain. FireEye tracks the SolarWinds attackers as UNC2452; Microsoft has named that same group Nobelium. Investigations continue.
The SolarWinds campaign was followed in January this year by the news that a Chinese state-sponsored APT named Hafnium had been identified as behind attacks on Microsoft Exchange. The group was found to have exploited zero-day vulnerabilities in Microsoft’s Exchange servers’ Outlook Web Access to successfully compromise tens of thousands of email servers.[ii]
Hafnium primarily targeted US-based entities across several industry sectors, including infectious disease research, law, higher education, defence, and policy (think tanks and NGOs). However, the victims known so far have not been confined to the US. Other prominent organisations targeted include the European Banking Agency (EBA), the Ministry of Labor and Social Affairs of the Czech Republic, the Norwegian Parliament (Storting) and a Central Asian telecoms company. According to Check Point, the United States was the country most heavily targeted (17% of all exploit attempts), followed by Germany (6%), the United Kingdom (5%), the Netherlands (5%) and Russia (4%).[iii]
As pointed out in the Global Britain report cited above, Russia and China both pose serious threats to the security of the UK. However, there are some puzzling contradictions in the government’s approach to both countries. For example, one other issue that has recently come to light concerns a new media room at Downing Street. It was revealed that the Russian company Megahertz was the main provider of equipment to be used for television briefings: they installed cameras, computers, microphones, and a control desk. Some years ago, Megahertz was bought by a UK branch of Moscow-based Okno-TV, which has carried out work for Russia Today and other state-controlled Russian media. According to the Huffington Post, current Megahertz shareholders include former workers at the Russian company.[iv]
This use of Russian expertise contrasts with the ban on Chinese telecommunications technology that was announced by the government in 2020, when Huawei was prohibited from participating in the roll-out of 5G in the UK, a decision resting on security concerns initially highlighted by the US. The government stated: “HUAWEI will be completely removed from the UK’s 5G networks by the end of 2027, the government has announced, following new advice produced by the National Cyber Security Centre (NCSC) on the impact of US sanctions against the telecommunications vendor.”[v]
Despite that block on Chinese involvement in the UK’s telecommunications infrastructure, and the government’s claim that the country poses an extremely serious threat to the British economy, the importance of developing deeper trading links with Beijing was highlighted in the Global Britain report; and yet at the same time an underlying distrust in the activities of state-sponsored Chinese APTs was clearly illustrated: “…we will increase protection of our CNI, institutions and sensitive technology, and strengthen the resilience of our critical supply chains so that we can engage with confidence nevertheless.”
Other issues which may have an impact on the development of stronger ties with China include human rights abuses against the Uighur Muslims, and the worrying political situation in Hong Kong. Russia, on the other hand, appears at present to be particularly agitated about the UK government’s plan to increase its nuclear stockpile, claiming that the move “harms global stability and strategic security”.[vi]
Some British politicians have voiced similar concerns: one particularly interesting response to the Global Britain report included the suggestion that the UK could launch nuclear weapons against a state in response to cyber-attacks. Tobias Ellwood, Conservative chairman of the Commons defence committee, said the UK government appeared to be “blurring the lines in what constitutes a justified retaliation employing nuclear weapons to now include comparable chemical, biological and even cyberattacks”.[vii]
There are no simple answers to these complex matters. We will explore them further in future blog posts, particularly in relation to cyber threats. In the meantime, all organisations are advised to ensure that their cybersecurity defences are fully up to date and that they apply software patches as soon as they are released.
Please refer to the SolarWinds security advisory[viii] and the alert issued by the National Cyber Security Centre.[ix]
For the latest news on the Microsoft Exchange attacks, please see the information published by the Cybersecurity and Infrastructure Security Agency[x] and by Microsoft.[xi]
Sources
[i] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/969402/The_Integrated_Review_of_Security__Defence__Development_and_Foreign_Policy.pdf
[ii] https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers
[iii] https://blog.checkpoint.com/2021/03/11/exploits-on-organizations-worldwide
[iv] https://www.huffingtonpost.co.uk/entry/russian-owned-megahertz-downing-street-media-refit_uk_604e42c0c5b672fce4ed8649
[v] https://www.gov.uk/government/news/huawei-to-be-removed-from-uk-5g-networks-by-2027
[vi] https://www.euronews.com/2021/03/17/russia-slams-uk-s-decision-to-boost-its-nuclear-arsenal
[vii] https://www.thetimes.co.uk/article/uk-builds-up-nuclear-arsenal-to-counter-cyberthreat-cl96v0wbb
[viii] https://www.solarwinds.com/sa-overview/securityadvisory
[ix] https://www.ncsc.gov.uk/news/advice-following-microsoft-vulnerabilities-exploitation
[x] https://us-cert.cisa.gov/ncas/alerts/aa20-352a
[xi] https://www.microsoft.com/security/blog/2021/03/12/protecting-on-premises-exchange-servers-against-recent-attacks