CISOs have been warning for some time that cybercriminal gangs – especially those with pro-Russian sympathies – could easily target critical infrastructure in the UK. In fact, in January and February 2023, the Royal Mail – the UK’s default mail carrier – was hit by a ransomware demand that crippled the organization’s ability to send or receive packages in or out of the country. The attackers claimed to be from the LockBit Group – a gang of criminals believed to have Russian backgrounds or sympathies. Certainly, they used some version of the LockBit ransomware framework.
So it should come as no surprise to anyone in power in the UK that pro-Russian groups could be targeting Britain’s potentially vulnerable critical infrastructure. In addition to the pressure of updating legacy systems in a digital transformation process and a recent history of political chaos and economic suicide, the country’s systems may have drawn interest from pro-Russian cybercriminal groups over former Prime Minister Boris Johnson’s swift condemnation of President Putin’s illegal invasion of Ukraine, and actions to freeze Russian assets in the UK.
Johnson was subsequently ousted from power after almost his entire cabinet resigned over questions of his honesty, and is currently facing an investigation over whether he misled the UK parliament during the Covid pandemic.
New announcement, old news.
But today, UK Minister Oliver Dowden told the CyberUK conference in Belfast that Britain’s national critical infrastructure was at risk from “Wagner-like” assailants (Wagner being a reference to Russian mercenaries currently trying to kill people in Ukraine).
Raising perhaps an eyebrow or two from anyone in the infrastructure security industry, to whom this was pre-existing knowledge, Mr Dowden, who is Chancellor of the Duchy of Lancaster, said that he did not “disclose this threat lightly.”
But he added that the government – and, more importantly, the National Cyber Security Centre – believed it was “necessary if we want these companies to understand the current risk they face, and take action to defend themselves and the country.”
Mr Dowden then announced plans to set cyber-resilience targets that critical sectors will be expected to meet within two years. He also said private sector companies working on critical infrastructure would be brought under the scope of resilience regulations.
Justifying the move, he explained that “These are the companies in charge of keeping our country running. Of keeping the lights on. Our shared prosperity depends on them taking their own security seriously.”
Spoiling for a fight.
It’s worth noting that the current UK government has been looking for a fight for some time, potentially to prove it still has verve and purpose against a backdrop of having been in power for 13 years, crashing the economy in one day, one Prime Minister ago, overseeing an arguably disastrous Covid response two Prime Ministers ago (the UK had three Prime Ministers in 2022, despite all forming a single contiguous government), presiding over a cost-of-living crisis, and now facing labor strikes in several sectors simultaneously.
Its current Home Secretary is famous for describing her “dream and obsession” as being able to send asylum seekers to Rwanda on planes, and for demonizing those who come to the country “illegally” – despite there being no legal routes for asylum seekers.
As such, it would be fair to say that the UK government will find it, at the very least, useful to have an external enemy at which it can direct its efforts.
But as we mentioned, the idea of pro-Russian cybercriminals attacking British critical infrastructure is not especially new, despite the announcement – which means it is especially plausible.
The investment shopping list.
Lindy Cameron, the CEO of the NCSC, also speaking at the Dublin conference, echoed Mr Dowden’s warnings, giving them additional weight.
“If the UK is to be the safest place to live and work online, then resilience must urgently move to the top of our investment shopping list,” she said.
In fact, the NCSC went as far as to issue an official threat alert to critical businesses, warning that pro-Russian cyber-gangs were likely to be “less predictable” than fully state-sponsored groups, as they are not subject to formal controls and levels of power.
“Some have stated a desire to achieve a more disruptive and destructive impact against western critical national infrastructure, including in the UK,” the NCSC said.
“We expect these groups to look for opportunities to create such an impact, particularly if systems are poorly protected.”
A recent Tech HQ interview with Mike McLellan, Director of Intelligence at the Secureworks Counter Threat Unit, seemed to confirm this assessment, in that older and more mature groups of cybercriminals are aiming to fly significantly below the radar of international response, while younger, newer players with a name to make may well go “off script” and launch attacks where they can.
Previous interviews with Deryck Mitchelson, Field CISO at Check Point, also highlighted the threats to UK critical infrastructure – most notably the country’s national socialized medicine service, the NHS, which is currently undergoing significant digital transformation, but which also suffers from legacy equipment, radical understaffing, and potentially significant staff demotivation. Nurses, paramedics, and junior doctors within the system are all currently staging strikes over pay and conditions as a result of prolonged underfunding of the service.
“Show me the money!”
Mr Dowden’s announcement appears to entail more regulation on cybersecurity in critical national infrastructure companies and organizations, but does not appear to come with any mention of governmental financial support to insure those critical infrastructure elements against any imminent threat and “keep the lights on.”