The same hacking group that targeted the US political system in the run-up to the country's presidential election last year was able to infiltrate the computer systems of a UK television network for almost a year, security experts have revealed.
The network has not been named for legal reasons, and likely due to the strict non-disclosure agreements surrounding breach probes. Yet analysts from SecureWorks, a cybersecurity firm, say hackers gained access in July 2015 and remained undetected for up to 12 months.
The hacking group, known as Fancy Bear, or APT28, is a sophisticated and well-resourced team allegedly responsible for infiltrating the US Democratic National Committee (DNC), the World Anti-Doping Agency (Wada) and the German parliament.
According to existing profiles, it uses spearphishing and malware implants to target personnel with access to government, military, security and media networks. Its successes in the US have been well-documented, but its UK operations less so.
SecureWorks said the computer exploits used to attack the UK television station were the same as those uncovered in previous attacks and matched those often relied on by Fancy Bear, which is strongly suspected to have links to Russian intelligence services.
Lee Lawson, a SecureWorks counter threat unit expert who previously worked for the British Ministry of Defence (MoD), told a Channel 4 programme (aired on 25 January 2017) that the "same backdoor" used by the DNC hackers was deployed against this unnamed station in the UK.
He said: "[The hackers were] able to see any communications coming in and out of that organisation, whether that's internal communications, about the TV station as a business, or indeed any stories coming in or being [discussed] by journalists."
In this instance, the network was not tampered with and some suggest it may have been a "test-run" for future operations. The timeline of the cyberattack campaign is roughly the same as the US-based operation, which led to a series of leaks and disclosures.
"[Fancy Bear] are active in Europe and they have various targets," said Baroness Neville-Jones, who was the UK Security and Counter-Terrorism minister between 2010 and 2011. She added: "One shouldn't be surprised they would be interested in media outlets."
The attacks are mounting
The latest revelation provides greater context to previously known hacks against British targets. Last September, it emerged that GCHQ, the UK equivalent of the NSA, had dismantled a cyberattack plot against TV broadcasters including the BBC, ITV, Channel 4 and Sky.
In an official report, released in August 2016, David Anderson QC, the former independent reviewer of terrorism legislation, said the cyber warfare incident was a "possible imminent threat" to the UK. But unknown at the time was the extent of the hack.
Anderson, recalling the destructive 2015 cyberattack against France's TV5Monde, also believed to have been orchestrated by Fancy Bear, revealed GCHQ had used its bulk interception powers to link that attack to another scheme taking place during the UK's election period.
He wrote: "Media organisations were briefed to enable them to protect their networks. Since then, a particular UK media company has been alerted to a compromise by the same attackers and has been able to clean up its networks."
The TV5Monde incident was described as an unprecedented attack at the time, taking roughly a dozen channels offline and causing millions of euros' worth of damage.
In a broad sense, the attacks appear to be linked, indicating that Fancy Bear is coordinated, efficient and persistent. Operations escalate during election periods, and German officials have already reported a spike in cyberattacks matching the hacking team's profile.
"Such activity is not new to Moscow," the US Intelligence Community (IC), made up of agencies including the FBI and NSA, wrote in October 2016. It added: "We believe [...] that only Russia's most-senior officials could have authorised these activities."
In light of the Channel 4 report, the Russian embassy in London said: "Without any details and proof, we cannot make a judgement on this allegation [...] this is a murky business, a sort of free-for-all in terms of politicisation and seems to be used as a means of keeping afloat the Cold War politics."
How Fancy Bear hacks
"APT28 is known for leveraging domains that closely mimic those of targeted organisations and tricking potential victims into entering legitimate credentials. APT28 actors relied heavily on shortened URLs in their spearphishing email campaigns.
"Once APT28 [...] has access to victims, they exfiltrate and analyse information to gain intelligence value. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organisations, establish command and control nodes, and harvest credentials and other valuable information from their targets."