State-linked hackers in Russia and Iran are targeting UK groups, NCSC warns


Sophisticated campaigns against politicians and media aim to steal secrets or embarrass high-profile figures rather than to extort money

NCSC warns organisations against clicking on links from people posing as conference hosts, journalists or even colleagues.

Russian and Iranian state-linked hackers are increasingly targeting British politicians, journalists and researchers with sophisticated campaigns aimed at gaining access to a person’s email, Britain’s online security agency warned on Thursday.

The National Cyber Security Centre (NCSC) issued an alert about two groups from Russia and Iran, warning those in government, defence, thinktanks and the media against clicking on malicious links from people posing as conference hosts, journalists or even colleagues.

Both groups have been active for some years, but it is understood they have recently stepped up their activities in the UK as the war in Ukraine continues, as well as operating in the US and other Nato countries. They aim to steal secrets – or leak correspondence online to embarrass high-profile figures – but not to extort money.

Paul Chichester, NCSC’s operations director, said the “threat actors based in Russia and Iran” from the two separate groups “continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems”.

The hackers typically seek to gain a target’s confidence by impersonating somebody likely to make contact with them, such as a journalist, and ultimately lure them into clicking a malicious link, sometimes over the course of several emails and other online interactions.

In one case, the Iranian group, dubbed Charming Kitten, held a fake Zoom meeting with its target and shared the malicious link “in the chat bar during the phone call”, the NCSC said. Sometimes two or more fake personas are used in a carefully crafted effort to convince a person that their inquiries or business are legitimate.

Last year, the Russian group known as Seaborgium or Cold River was accused by Google of hacking into and leaking correspondence involving the former director of MI6 Richard Dearlove and other hard Brexiters seeking to block Theresa May’s Chequers EU exit deal.

This year, the same group was accused of targeting three nuclear research laboratories in the US, creating fake login pages for each institution and emailing scientists who worked there to try to make them reveal their passwords. It is not clear if any of the efforts were successful.

Ultimately, and ideally having built a rapport, the hackers will try to lure a person into clicking a link that takes them to a webpage where they are asked to enter their password. Once the password is typed into that fake page, the attackers can log in to the real account, and the person’s email is compromised. This kind of targeted, personalised lure is known as “spear phishing”.

Although the method is one of the oldest hacking techniques, what distinguishes the two groups is the effort made to fool their targets, including creating “fake social media or networking profiles that impersonate respected experts” and offering invites to nonexistent conferences supposedly relevant to their targets.

Once they have control of an account, the hackers sometimes use it to lure in others, because victims will have greater confidence in emails that come from a genuine account. Hackers also set up hidden “mail-forwarding rules” so that copies of incoming mail keep reaching them even after the hack is detected and the password reset, unless the rules themselves are found and removed.
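The forwarding-rule persistence described above is something a mailbox administrator can hunt for. The following is an added example, not code from the NCSC or the article: it audits a list of inbox rules and flags any enabled rule that sends mail outside the organisation, noting the tricks that keep such rules quiet (deleting the original, moving it to a folder, a blank or one-character rule name). The organisation domain, the mailbox and the rule records are all constructed for illustration; the field names mirror the shape of Exchange Online inbox rules (Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder) so the logic maps onto real exported data.

```python
"""Audit mailbox inbox rules for external forwarding.

Added example: the rule records below are constructed for illustration and
are not real findings; the field names mirror the shape of Exchange Online
inbox rules so the logic maps onto exported Get-InboxRule data.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    forward_as_attachment_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""


INTERNAL_DOMAINS = ["thinktank.example"]  # assumed organisation domain (constructed)

# Constructed sample: one ordinary internal delegation rule, one disabled rule,
# and one rule of the kind described above: a blank-looking name, every message
# copied to a webmail address, and the original deleted so the owner never
# notices.
SAMPLE_RULES = [
    InboxRule("a.analyst@thinktank.example", "Delegate to PA", True,
              forward_to=["pa@thinktank.example"]),
    InboxRule("a.analyst@thinktank.example", "Old project", False,
              forward_to=["contractor@consultancy.example"]),
    InboxRule("a.analyst@thinktank.example", ".", True,
              forward_to=["research.backup.mail@gmail.com"],
              delete_message=True),
]


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_inbox_rules(rules: List[InboxRule], internal_domains: List[str]) -> List[Dict]:
    """Flag enabled rules that send mail outside the organisation, with reasons."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue  # a disabled rule sends nothing; still worth a manual look
        targets = rule.forward_to + rule.redirect_to + rule.forward_as_attachment_to
        external = sorted({t for t in targets if _domain(t) not in internal})
        if not external:
            continue
        reasons = ["forwards or redirects mail to an external address"]
        if rule.delete_message:
            reasons.append("deletes the original, so the owner never sees the forwarded mail")
        if rule.move_to_folder:
            reasons.append(f"moves the original to '{rule.move_to_folder}'")
        if len(rule.name.strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        findings.append({"mailbox": rule.mailbox, "rule": rule.name,
                         "external": external, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_inbox_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"{finding['mailbox']}: rule {finding['rule']!r} -> {finding['external']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the constructed sample, only the "." rule is reported. In practice the rules would be pulled per mailbox (in Exchange Online, `Get-InboxRule -Mailbox <user>`), and the audit should also cover mailbox-level forwarding set outside the rules engine (the ForwardingSmtpAddress property returned by `Get-Mailbox`), since a forwarding setting there survives a password reset just as a rule does.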

Both groups are believed to be state directed, engaged in what are described as “cyber espionage” activities – but the British agency has not formally blamed the Russian or Iranian governments. When such attributions are made, it is by the foreign secretary or other Foreign Office ministers.

NCSC encourages people to use strong email passwords. One technique is to combine three random words, and not to reuse that password as a login credential on other websites. It recommends people use two-factor authentication, with a mobile phone as part of the log-on process, ideally via a dedicated authenticator app.

The cyber agency also advises people to exercise particular caution when receiving plausible-sounding messages from strangers using Gmail, Yahoo, Outlook or other webmail accounts, which sometimes impersonate “known contacts” of the target culled from social media.