Russian hacktivists blitz UK critical infrastructure and local government targets

Moscow-aligned threat actors "looking to cripple services and disable websites," National Cyber Security Centre (NCSC) warns.

State-linked hacking groups are launching Denial of Service (DoS) attacks against UK targets

Russian hackers have opened a new front in Moscow's cyberwar against the West with a fusillade of attacks against the UK.

The National Cyber Security Centre (NCSC) has warned that pro-Kremlin hacktivists are attacking critical infrastructure and local government targets in revenge for Britain's support of Ukraine.

These independent state-aligned actors are not believed to be operating under the explicit control of Vladimir Putin's cyber-Spetsnaz, but certainly support Moscow's geopolitical ambitions. As such, they are believed to be driven by ideology and support for the motherland rather than financial gain.

Councils and critical infrastructure organisations have been urged to bolster their defences against denial of service attacks, which are technically crude weapons but can still cause significant disruption.

The NCSC warned that successful DoS attacks can "disrupt entire systems". Whilst the impact of these attacks is not devastating on a civilisational scale, they are expensive to fix and can cause major disruption to services.

Jonathon Ellison, NCSC Director of National Resilience, said: "We continue to see Russian-aligned hacktivist groups targeting UK organisations and although denial-of-service attacks may be technically simple, their impact can be significant.

"By overwhelming important websites and online systems, these attacks can prevent people from accessing the essential services they depend on every day.

"All organisations, especially those identified in today’s alert, are urged to act now by reviewing and implementing the NCSC’s freely available guidance to protect against DoS attacks and other cyber threats."

Notes from Russia's hacktivist underground

The NCSC and its international allies have spent years warning about the threat posed by Russian hackers who often operate at arm's length from the state but are clearly aligned with its interests.

It specifically named a group called NoName057(16) as a threat. This gang has been active since March 2022 and is known to have attacked both government and private sector entities in NATO member states and other European countries that it regards as hostile to Russian geopolitical interests.


These attacks have included "frequent" DDoS attempts against UK local government targets.

The group coordinates on Telegram and hosts its attack tooling on GitHub and other, less obvious online repositories. It uses a proprietary DDoS tool called DDoSia and openly shares its tactics, techniques and procedures (TTPs) with its followers.

A warning about NoName057(16) was first issued in 2023 after a series of attacks on British operational technology (OT) following Russia's invasion of Ukraine.

How to defend against Russian DoS attacks

British organisations are urged to toughen their defences following these guidelines:

Map points of vulnerability: Identify areas where attackers can "overload or exhaust available resources" and work out how to lock them down.

Secure upstream defences: Ensure your ISP offers DoS mitigations and explore third-party DoS protection options. Understand how your service provider might restrict your traffic to protect its other customers, and consider whether using multiple providers reduces that risk.


Build with scaling in mind: Make sure systems can scale quickly when attacks bypass upstream defences. Applications and infrastructure should be able to expand automatically under heavy load, using cloud auto-scaling where possible or spare capacity in private data centres to absorb traffic surges.

Define a response plan: Design services to keep running even if performance is reduced, a strategy known as graceful degradation, where non-essential features are switched off to preserve core functions. Prepare for attackers to change tactics during an incident, ensure administrators can still securely access systems, and put scalable fallback plans in place to keep essential services online.
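The scaling and graceful-degradation steps above are easier to reason about with a concrete admission-control model. The Python below is an added example written for this page, not code from the NCSC guidance or from any named product: a small load shedder that holds each client to a token bucket, switches off every endpoint not on a core list once in-flight work passes a threshold, sheds everything at hard capacity, and reserves an admin path for a management network so operators keep access during an incident. The endpoint names, the 10.0.0.0/8 management network and the traffic in `simulate_attack()` are constructed assumptions.

```python
"""Admission control with graceful degradation. Added example for this page, not NCSC code;
the paths, networks and traffic below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Assumed service profile: the functions residents must keep reaching during an attack.
CORE_PATHS = {"/login", "/api/pay-bill", "/api/report-fault"}
ADMIN_PREFIX = "/admin/"
ADMIN_NETWORK_PREFIX = "10."   # assumption: operators reach /admin/ only from 10.0.0.0/8


@dataclass
class TokenBucket:
    """Classic token bucket: `burst` requests at once, refilled at `rate` per second."""
    rate: float
    burst: float
    last: float                        # clock reading at the last refill
    tokens: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.burst       # a new client starts with a full bucket

    def take(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class LoadShedder:
    max_inflight: int                  # hard capacity: beyond this even core requests are refused
    degrade_fraction: float            # share of capacity at which non-essential features go dark
    client_rate: float
    client_burst: float
    clock: Callable[[], float]         # injected so the behaviour is deterministic in tests
    inflight: int = 0
    buckets: Dict[str, TokenBucket] = field(default_factory=dict)

    def degraded(self) -> bool:
        return self.inflight >= self.degrade_fraction * self.max_inflight

    def admit(self, client_ip: str, path: str) -> Tuple[int, str]:
        """Decide a request's fate; returns (HTTP status, reason). Rejections cost no capacity."""
        now = self.clock()
        if path.startswith(ADMIN_PREFIX):
            # Reserved lane so administrators keep access mid-incident; anything not
            # from the management network is refused outright rather than rate limited.
            if client_ip.startswith(ADMIN_NETWORK_PREFIX):
                self.inflight += 1
                return 200, "admin"
            return 403, "admin-blocked"
        bucket = self.buckets.get(client_ip)
        if bucket is None:
            bucket = self.buckets[client_ip] = TokenBucket(self.client_rate, self.client_burst, now)
        if not bucket.take(now):
            return 429, "rate-limited"
        if self.inflight >= self.max_inflight:
            return 503, "shed"
        if path not in CORE_PATHS and self.degraded():
            return 503, "degraded"     # graceful degradation: core paths are still served
        self.inflight += 1
        return 200, "served"

    def finish(self) -> None:
        """Call when a served request completes."""
        self.inflight = max(0, self.inflight - 1)


def simulate_attack() -> Dict[str, object]:
    """Constructed traffic: a distributed flood, one bursty source, a resident and an operator."""
    t = [0.0]
    s = LoadShedder(max_inflight=100, degrade_fraction=0.6, client_rate=5.0,
                    client_burst=10.0, clock=lambda: t[0])
    r: Dict[str, object] = {}
    # 70 sources each stay under the per-client limit, so only the in-flight cap notices them.
    for i in range(70):
        s.admit(f"198.51.100.{i}", "/login")
    r["inflight-after-flood"] = s.inflight
    r["degraded"] = s.degraded()
    # A resident loses the news feed but can still pay a bill.
    r["resident-feed"] = s.admit("192.0.2.10", "/api/news-feed")
    r["resident-pay"] = s.admit("192.0.2.10", "/api/pay-bill")
    # One source firing 20 requests in the same instant gets its burst of 10, then 429s.
    codes = [s.admit("203.0.113.7", "/login")[0] for _ in range(20)]
    r["burst"] = (codes.count(200), codes.count(429))
    # Operators keep access from the management network only.
    r["admin-ok"] = s.admit("10.20.30.40", "/admin/status")
    r["admin-blocked"] = s.admit("203.0.113.9", "/admin/status")
    # Fill to hard capacity: now even a core request is shed instead of toppling the service.
    for i in range(18):
        s.admit(f"198.51.100.{100 + i}", "/login")
    r["at-capacity"] = s.admit("192.0.2.11", "/api/pay-bill")
    # Work drains and time passes; non-essential features return without intervention.
    for _ in range(60):
        s.finish()
    t[0] += 5.0
    r["recovered-feed"] = s.admit("192.0.2.10", "/api/news-feed")
    return r


if __name__ == "__main__":
    for k, v in simulate_attack().items():
        print(f"{k:22} {v}")
```

In a real deployment this logic belongs at the edge (reverse proxy, WAF or CDN) rather than inside the application, and the per-client bucket alone does little against a flood spread across many source addresses, which is why the in-flight cap, the degraded mode and the upstream scrubbing described above all have to work together.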
