Russian intelligence using Brexit phishing emails to hack targets
Hackers believed to be working for the Russian military intelligence service are using doubts about Brexit as a lure for victims.
Phishing emails detected by the cyber security department of services firm Accenture are masquerading as Brexit negotiation documents in order to dupe victims into downloading them.
According to Accenture, the creation of the malicious document on the same day that the British government announced its initial draft of the Brexit agreement suggests that the hackers are paying close attention to political affairs to develop their lure documents.
Although Britain has previously accused the GRU of a spate of cyber attacks, from an influence campaign targeting the 2016 US elections to the leaking of top athletes’ medical records, the attacks do not appear to be stopping.
The UK’s agreement with the EU was published on 15 November, the same date that appears in the filename of the hackers’ malicious document. The agreement will be put to a parliamentary vote on 11 December.
There has been much speculation, concern and political manoeuvring ahead of this vote – which the GRU appears to be exploiting in order to convince victims to download the malicious document.
When victims opened the document they would have found it contained jumbled text which the hackers had designed, and a note encouraging the potential victims to enable macros.
By following the hackers’ instructions, the victim would have allowed the document to load malicious content controlled by the attackers – granting the GRU access to their machine.
There has never been a public assessment in the UK that Russia attempted to interfere in the referendum in the way it has been accused of doing in the US presidential election.
Michael Yip, security principal at Accenture Security’s iDefense department, told Sky News that the team had completed a lot of work tracking the GRU-connected hackers.
Tracking the group, known internally as SNAKEMACKEREL, allowed iDefense to conclude that the phishing campaign was connected to the military intelligence directorate.
“Based on the observed targeting by this threat group over the past few years, we assess with moderate confidence that they are likely to have targeted government, politics, think tanks, ministries of foreign affairs (MFAs) and defence organisations in the US, Europe and former eastern bloc,” Mr Yip stated.
Although Accenture could not confirm whether the majority of targeted individuals were based in the UK, Mr Yip said that the hackers were likely to have achieved moderate-to-high success with the phishing campaign.