NCSC Warns State-Linked Hackers In Russia, Iran Are Targeting UK


Hacking groups linked to hostile states are conducting sophisticated campaigns against UK politicians and media, warns UK’s cyber guardian

GCHQ’s National Cyber Security Centre (NCSC) has issued a warning that the UK is being targeted by Russian and Iranian state-linked hackers.

These state-linked hackers are increasingly targeting British politicians, journalists and researchers with sophisticated campaigns, the NCSC warned.

The UK cyber guardian is warning organisations and individuals to stay vigilant to potential approaches and take action to secure online accounts.

The NCSC’s headquarters in Victoria. NCSC

Russian, Iranian hackers

In its advisory, the NCSC highlighted the ongoing threat from spear-phishing attacks by Russia-based group SEABORGIUM and Iran-based group TA453.

“The UK has today (Thursday) warned of the threat from targeted spear-phishing campaigns against organisations and individuals carried out by cyber actors based in Russia and Iran,” it said.

Spear-phishing involves an attacker sending malicious links, for example via email, to specific targets in order to try to induce them to share sensitive information.

The NCSC advisory highlights that throughout 2022 separate malicious campaigns were conducted by Russia-based group SEABORGIUM and Iran-based group TA453, also known as APT42, to target a range of organisations and individuals in the UK and elsewhere for information-gathering purposes.

The attacks are not aimed at the general public but at targets in specified sectors, including academia, defence, government organisations, NGOs and think-tanks, as well as politicians, journalists and activists.

“The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spear-phishing attacks,” said Paul Chichester, NCSC director of operations.

“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems,” said Chichester.

“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online,” Chichester concluded.

The NCSC said that this activity is typical of spear-phishing attacks, where the actor undertakes reconnaissance activity around their target to tailor their content before making an approach.

Mitigation advice

Contact may initially appear benign as the attacker looks to gain targets’ trust and build a rapport, before using typical phishing tradecraft to share malicious links that can lead to credential theft and onward compromise, the NCSC stated.

The advisory describes how approaches have been made via email, social media and professional networking platforms, with attackers impersonating real-world contacts of their targets, sending false invitations to conferences and events, and sharing malicious links disguised as Zoom meeting URLs.
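A defender-side check for the lure described above, links presented as Zoom meeting URLs, as an added example that is not part of the NCSC advisory or this article: it flags anchors in an HTML email that mention Zoom but whose real host is not a Zoom domain. The trusted-domain list, the function names and the sample email are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: domains treated as genuine Zoom; extend for your own tenant.
TRUSTED_ZOOM_SUFFIXES = ("zoom.us", "zoom.com")

# Constructed sample email body (not taken from any real campaign).
SAMPLE_EMAIL_HTML = """
<p>Dear colleague, please find the joining details for the panel below.</p>
<a href="https://us02web.zoom.us/j/1234567890">Join Zoom Meeting</a>
<a href="https://zoom.us.meeting-join.example/j/1234567890">Join Zoom Meeting</a>
<a href="https://conference-invite.example/login">https://zoom.us/j/9876543210</a>
<a href="https://www.example.org/agenda">Conference agenda</a>
"""

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted_zoom_host(host):
    # Exact match or a true subdomain; "zoom.us.evil.example" must not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_ZOOM_SUFFIXES)

def suspicious_zoom_links(html_body):
    """Return (href, text) pairs that mention Zoom but resolve elsewhere."""
    parser = AnchorCollector()
    parser.feed(html_body)
    return [
        (href, text) for href, text in parser.links
        if "zoom" in (href + " " + text).lower()
        and not is_trusted_zoom_host(urlsplit(href).hostname)
    ]
```

Run against the sample, it reports the lookalike-subdomain link and the link whose visible text shows a Zoom URL while the underlying `href` points elsewhere.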

Organisations and individuals are urged to follow this advice to mitigate the spear-phishing activity:

  • Use strong and separate passwords for your email account;
  • Turn on multi-factor authentication (also known as 2-step verification, or 2SV);
  • Protect your devices and networks by keeping them up to date;
  • Exercise vigilance;
  • Enable your email providers’ automated email scanning features;
  • Disable mail-forwarding.

Pariah nations

Both Russia and Iran continue to find themselves isolated internationally, because of their hostile domestic and foreign activities.

Earlier this month the Russian government said it plans to introduce a law early this year that could ban certain professionals from working remotely outside the country, in a move to force the return of some professionals who have gone abroad.

Many Russians fled the country after its unprovoked invasion of Ukraine on 24 February of last year, and hundreds of thousands followed after a broader military mobilisation last September.

The Russian government estimates about 100,000 IT professionals currently work for Russian firms from outside the country.