The Guardian (USA)

Russian Star Blizzard hackers linked to efforts to hamper war crimes investigation

- Andrew Roth

The Russian hacking group Star Blizzard, accused of interfering in UK politics, is part of an aggressive FSB unit that sought to stoke scandal over Brexit, and hamper European NGOs investigating war crimes in Ukraine. It also stole the leaked UK-US trade documents released before the UK general election in 2019.

Russia’s cyberwar against the west, which accelerated after its 2014 annexation of Crimea, has been executed by a constellation of elite units operated by Russian foreign and military intelligence, as well as by an advanced group called Turla linked to the “16th centre” of Russia’s Federal Security Service (FSB).

But the lesser-known Centre for Information Security, or Centre 18 of the FSB, stood out for its willingness to leak hacked data for political purposes, analysts said, and for its longstanding use of proxies to fight towards the Kremlin’s political ends.

“The 16th is more sophisticated, technically,” said Andrei Soldatov, an investigative journalist and expert on the Russian security services. He compared that elite group to the UK’s GCHQ, calling it a “tech agency essentially”. By contrast, the 18th, which was well known for its spear-phishing and hack-and-leak campaigns, resembled “the CIA [getting] some tech and freedom to use proxies and criminals”.

While headquartered in an office block in downtown Moscow, the two members of Star Blizzard subjected to sanctions on Thursday each had ties to Syktyvkar, a remote regional capital nearly 1,000 miles to the north-east. One was an FSB officer, while the other was reported to be a “central figure” in the city’s hacking community, according to a security researcher quoted by Reuters.

The US has previously accused Centre 18 of hiring cybercriminals to carry out political attacks. In a 2017 US criminal indictment, Dmitry Dokuchaev, an FSB officer detailed to the unit, was accused of facilitating a massive hack of at least 500m Yahoo accounts and was said by prosecutors to have “protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the US and elsewhere”. Russia has denied that FSB officers, including Dokuchaev, were involved in the hack.

Recent targets of Centre 18 have included scientists at nuclear research laboratories in the US as Russian hacking groups have grown more aggressive since Vladimir Putin’s full-scale invasion of Ukraine.

But a hallmark of the group’s operations remains the theft and public release of sensitive documents and correspondence meant to sow political scandal.

In one leak in 2022 there was a release of emails sent by Richard Dearlove, head of MI6 from 1999 to 2004, to a private group of hard-Brexit supporters, which he said had united over concerns about the UK terms for exiting the EU.

In an article last year, Dearlove wrote that emails debating an aborted pressure campaign codenamed Operation Surprise had been “swiped from the computer of a retired professor in deepest England who I had emailed in the past”.

Dearlove claimed the emails were misconstrued when they were posted online under the title Very English Coop d’Etat, and that they described a “legitimate lobbying exercise”.

He wrote at the time: “The stolen emails were then strung together and published online in an attempt to create this dramatic scenario of farcical proportions. Which is how we were accused of mounting a pro-Brexit coup against the UK government.”

Attacks by Star Blizzard have involved harvesting information from social networking sites such as LinkedIn and use of social engineering techniques to “build a rapport” with targets, the UK’s National Cyber Security Centre has said. Star Blizzard would then deliver malicious URL links to steal sensitive credentials; once documents or correspondence were obtained they were posted online by anonymous leakers.

Another of the revelations on Thursday showed that the FSB stood behind the theft of UK-US trade documents from Liam Fox, at the time British secretary of state for international trade. The documents were released shortly before the 2019 UK general election.

With critical elections approaching in the US, potentially pitting Donald Trump against Joe Biden, analysts have warned that the group could again seek to sway the vote.

“This actor is one to watch closely as elections near,” wrote John Hultquist, chief analyst at Mandiant, a US cybersecurity firm. “The FSB clearly has an interest in political interference, and hacked emails are a powerful tool.”

Moscow's Kremlin. Russian hacking groups have grown more aggressive since Vladimir Putin’s recent invasion of Ukraine. Photograph: Yuri Kochetkov/EPA
