Russia and Iran are stepping up cyber spying on politicians and activists, warns GCHQ

GCHQ - David Goddard/Getty Images

Russian and Iranian hacker gangs are stepping up an espionage campaign targeting British politicians, officials and activists, GCHQ has warned.

State-sponsored hackers from both nations have been targeting prominent Britons in an “espionage campaign” to steal sensitive information about British foreign policy, GCHQ’s National Cyber Security Centre (NCSC) warned on Thursday.

Paul Chichester, the NCSC’s director of operations, said: “These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.”

The two groups of greatest concern have been named as APT42 and Seaborgium. Russian and Iranian hackers from both groups have targeted people working in the defence sector, staff at geopolitical think tanks, politicians, journalists and activists, NCSC said.

Alicia Kearns, chairman of Parliament’s Foreign Affairs committee, said: “Any evidence of state-backed cyber espionage targeting Britons and our institutions should be taken extremely seriously and be fully investigated.

“Shoring up our resilience against hostile interference is crucial if we are to defend our democracy and our values.”

NCSC officials said that both the Russian and Iranian groups have been engaging in “spear phishing”, the practice of sending personalised emails, tailored to the recipient, that carry a malicious attachment.

One such “spear phishing” email from a different campaign, seen by The Telegraph, was made to look like an accident investigation report issued by a Middle Eastern country’s aviation regulator. A file attached to the email contained a computer virus designed to detect and steal sensitive data.

Alicia Kearns - Heathcliff O'Malley/The Telegraph

The two hacking collectives named by the NCSC are well known in the cyber security research industry, which works alongside government counterparts to keep Britain safe online.

The Russian hacker group named, Seaborgium, has specifically targeted Britain in attempts to discredit prominent political figures, according to research published by Microsoft.

The group’s objectives “align closely with Russian state interests” and in at least one publicly known instance from 2021 its personnel tried to discredit a political campaign.

“The operation involved documents allegedly stolen from a political organisation in the UK that were uploaded to a public PDF file-sharing site,” said Microsoft. The documents were later amplified on social media “via known Seaborgium accounts” and later made their way onto Russian-aligned fake news websites.

The cyber security industry has been tracking the activities of the Iranian and Russian gangs for several years. US-based Proofpoint said in December that the Iranian gang’s activities seemed to be supporting “covert and even kinetic operations by the Islamic Revolutionary Guard Corps” (IRGC), a branch of the Iranian military charged with upholding Iran’s hardline Islamic government.

Security experts from Mandiant, the cyber division of Google Cloud, previously described the Iranian hacker group as a “state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations… of strategic interest to the Iranian government”.

Using the industry’s codename for the gang – APT42 – Mandiant said in a September report: “APT42 primarily targets organisations and individuals deemed opponents or enemies of the [Iranian] regime, specifically gaining access to their personal accounts and mobile devices.”

Relations between the UK, Russia and Iran are at their lowest ebb for decades, following Russia’s invasion of Ukraine and widespread protests across Iran, which the country’s leadership have tried to blame on Western influence.

British officials were considering designating the IRGC as a terrorist organisation earlier this month, allowing overseas assets of the force’s 250,000 personnel to be seized. US and EU officials imposed some sanctions this week but stopped short of a “terrorism” designation.

NCSC officials warned that people working in defence or foreign policy research are particularly at risk from spear phishing attacks. Staff in these fields are being urged by the NCSC to install up-to-date antivirus software and avoid opening emails from strangers, or from familiar sources who are suddenly using new email addresses.
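The second piece of NCSC advice above, treating a familiar name that arrives from a previously unseen address as suspicious, can be applied mechanically at the mailbox. The script below is an added example, not code from the NCSC or from this article: it parses the `From:` header of each inbound message, compares the display name and address against a contact list of addresses previously seen from that person, and marks for review any message whose sender is unknown or whose display name matches a known contact but whose address does not. Messages from such senders that also carry an attachment are called out separately, since that is the delivery method the article describes. The contact list, message headers and attachment names are all constructed for the example.

```python
# Added example: flag inbound mail from unknown senders, or from a familiar
# display name that has switched to a previously unseen address.
# Contacts, headers and attachment names below are constructed sample data.
from email.utils import parseaddr

# Constructed contact list: lower-cased display name -> addresses seen before.
KNOWN_CONTACTS = {
    "jane smith": {"jane.smith@example.org"},
    "policy desk": {"policy@thinktank.example"},
}


def classify_sender(from_header):
    """Return 'known', 'new-address' or 'unknown' for a raw From: header value."""
    name, addr = parseaddr(from_header)
    name_key = name.strip().lower()
    addr = addr.strip().lower()

    seen = KNOWN_CONTACTS.get(name_key)
    if seen is None:
        # No display name, or one we have not seen: fall back to the address alone.
        for addrs in KNOWN_CONTACTS.values():
            if addr in addrs:
                return "known"
        return "unknown"

    # Display name matches a contact; the address must match one seen before.
    return "known" if addr in seen else "new-address"


def triage(message):
    """message: {'from': header value, 'attachments': [filenames]}.

    Returns ('ok', []) or ('review', [reasons]).
    """
    reasons = []
    verdict = classify_sender(message["from"])
    if verdict == "new-address":
        reasons.append("familiar display name but previously unseen address")
    elif verdict == "unknown":
        reasons.append("sender not in contact list")

    attachments = message.get("attachments", [])
    if reasons and attachments:
        # The article's example campaign delivered its payload as an attachment,
        # so an attachment from an unverified sender is worth a separate callout.
        reasons.append("attachment(s) from unverified sender: " + ", ".join(attachments))

    return ("review" if reasons else "ok"), reasons


# Constructed inbound messages used to demonstrate the checks.
SAMPLE_MESSAGES = [
    {"from": '"Jane Smith" <jane.smith@example.org>', "attachments": []},
    {"from": '"Jane Smith" <jane.smith@mail-example.net>', "attachments": ["report.pdf"]},
    {"from": '"Aviation Authority" <reports@aviation.example>', "attachments": ["incident.doc"]},
    {"from": "<policy@thinktank.example>", "attachments": ["brief.pdf"]},
]


def run_samples():
    """Triage every constructed message; returns a list of (sender, verdict, reasons)."""
    return [(m["from"], *triage(m)) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for sender, verdict, reasons in run_samples():
        print(f"{verdict:7} {sender}")
        for r in reasons:
            print(f"         - {r}")
```

The check is deliberately narrow: it only knows what it has seen before, so the first message from a genuinely new colleague is flagged as well, and a reviewer still has to confirm the sender through a channel other than the email itself. In practice the contact list would be built from the mailbox's own sent and received history rather than hard-coded.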

Mr Chichester said: “The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spear-phishing attacks.”