Russian cyber operations have spread beyond the borders of Ukraine as NATO countries see attacks on energy and space assets.
The National Security Agency (NSA) Director of Cyber, Rob Joyce, recently made a statement expressing his concern that Russian cyber activity would begin to spill over the Ukrainian border and into allied countries. His concern appears to have been justified.
On December 20, Unit 42 at Palo Alto reported on the activity of Trident Ursa, an advanced persistent threat aligned with Russian interests.
Trident Ursa have been operating since 2013 and have developed into a prominent creator of access into target networks and a prominent intelligence gatherer. This week it has been reported that Trident Ursa attempted to compromise a large petroleum refining company in a NATO member country.
This move comes amid the ongoing battle over Russian oil. Prior to the attack, the western embargo on Russian oil products had little impact on exports because Asian buyers stepped in to take advantage of low prices.
However, the attempt on NATO oil supply appears aimed at maintaining a longer-term competitive advantage.
Researchers at the Cybersecurity and Infrastructure Security Agency (CISA) have also recently discovered intruders within a U.S. satellite network, an intrusion that has initially been attributed to the Russian APT (Advanced Persistent Threat) Fancy Bear.
Fancy Bear (APT28) have been operating since 2008 and are considered to have strong links to Russian military intelligence.
While details about the satellite network compromise are being withheld, a CISA incident responder has shared insight that APT28 were in the satellite network for several months.
Russian activity against the UK has slowly been building momentum. In November, DDoS activity was claimed against several UK councils. The following week the Royal Family, British Army and other UK organisations suffered minor DDoS attacks.
Trident Ursa have been observed switching from using lures written in Ukrainian to lures written in English, indicating an intention to target countries other than Ukraine.
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).