The UK’s FCDO (Foreign, Commonwealth and Development Office) was recently hit by a “serious cyber security incident”, according to a public tender document.
According to the BBC, the attackers were able to breach the FCDO but were detected thanks to the support of third-party cyber security experts, who were called in “with extreme urgency”.
It’s not believed that any sensitive information was breached, yet there remain worrying questions over how the incident became public.
The Stack, which broke the story, was alerted to the attack after discovering a tender document that was published, seemingly by mistake, on the government’s website.
The tender information page shows that the FCDO paid its cyber security contractor, BAE Systems Applied Intelligence, £467,325.60 on 12 January.
The document explained: “The Authority was the target of a serious cyber security incident, details of which cannot be disclosed. In response to this incident, urgent support was required to support remediation and investigation.”
It continued: “Due to the urgency and criticality of the work, the Authority was unable to comply with the time limits for the open or restricted procedures or competitive procedures with negotiation.”
When approached for comment, the FCDO told The Stack that it would “not comment on security but [had] systems in place to detect and defend against potential cyber incidents”.
Who was responsible for the attack?
When governments are targeted by cyber attacks, the blame almost immediately falls on nation states. Russia and China have both recently been linked to cyber espionage and sabotage aimed at government agencies – with Russia accused last month of a widespread attack on the Ukrainian government website.
That attack came as Russian troops massed along the Ukrainian border, followed by a pre-emptive strike on Belarus by a pro-Ukrainian group called Cyber Partisans.
The ‘hacktivists’ claimed responsibility for a ransomware attack on the Belarusian railway system, which was reportedly being used by Russia to transport tanks and weapons into the region.
It led to worrying signs that the tensions would play out as an online proxy war, with the UK and other countries that opposed Russia’s military action coming under attack.
Two weeks after the FCDO paid its cyber security contractor, the UK’s NCSC (National Cyber Security Centre) warned businesses that they could be targeted by Russian cyber criminals.
Whether this attack was conducted by Russian actors remains to be seen. Indeed, it’s not clear whether it was a nation-state at all.
However, that remains the most likely answer given the current cyber security landscape – particularly in the wake of COVID-19.
As we discussed last year, the pandemic ramped up governments’ cyber espionage activities. Besides Russia and China, many other countries identified the cyber security implications of COVID-19, and began using cyber espionage more aggressively.
The increased activity has also forced governments to look at their counter-espionage strategies. As John Hultquist, Director of Threat Analysis at Mandiant, explained: “It’s a free-for-all out there – and with good reason – you don’t want to be the intelligence agency that doesn’t have a good answer for what’s going on.”
Should you be worried?
Although the FCDO is confident that no information was breached in this attack, there is still reason to be concerned.
IT Governance Systems and Security Engineer Adam Seamons said: “Criminals rarely tackle government or military groups without serious backing, so an educated guess would point to an APT (advanced persistent threat) supported by a nation state.
“Even if sensitive data wasn’t compromised, the turmoil of a breach and the embarrassment caused is often enough to warrant this sort of incident as a win for the attacker. With the current geopolitical climate heating up (Ukraine, Hong Kong, Taiwan, etc.), we’d expect to see more attacks on governments and institutions.
“It speaks volumes to the current state of national cyber security that contractors were brought in to help deal with this, not to mention the fact that details of the incident have accidentally been leaked.”
Cliff Martin, an incident responder at IT Governance, added: “UK Government organisations are constantly being targeted by a wide range of threat actors and unfortunately, there will be instances where the attackers are successful.
“When an incident is detected, time is critical to minimise the impact, so the rapid response and support from the government’s chosen incident response provider, BAE Systems AI in this instance, was essential and was the right choice given the sensitive nature. It is always recommended that organisations have a cyber incident response capability either in house or on retainer to respond quickly and to minimise the impact of the incident.
“Information on this cyber attack and the actions taken by BAE Systems AI are limited and it’s very likely that we won’t see much from this.
“Over the years there have been multiple examples where the attackers will go to great lengths to achieve their desired objectives.
“Just look back to 2020, where an attacker managed to compromise SolarWinds and tamper with a patch that was then downloaded and installed on hundreds of devices which then allowed the attacker a back door into a wide range of industries including parts of the US Government.”