Russian cyber operations spill into NATO countries

Russian cyber operations have spread beyond the borders of Ukraine as NATO countries see attacks on energy and space assets.

The National Security Agency (NSA) Director of Cyber, Rob Joyce, recently made a statement expressing his concern that Russian cyber activity would begin to spill over the Ukrainian border and into allied countries. His concern appears to have been justified.

On December 20, Unit42 at Palo Alto reported on the activity of Trident Ursa, an advanced persistent threat aligned to Russian interests.

Trident Ursa have been operating since 2013 and have become a prominent creator of access into target networks and a gatherer of intelligence. This week it has been reported that Trident Ursa attempted to compromise a large petroleum refining company in a NATO member country.

This move comes within the ongoing battle over Russian oil. Prior to the attack, the western embargo on Russian oil products had little impact on exports due to Asian buyers stepping in to take advantage of low prices.

However, the attempt on NATO oil supply appears to work towards maintaining a longer-term competitive advantage.

Researchers at the Cybersecurity and Infrastructure Security Agency (CISA) have also recently discovered intruders within a U.S. satellite network. The intrusion has been initially attributed to the Russian APT (Advanced Persistent Threat) Fancy Bear.

Fancy Bear (APT28) have been operating since 2008 and are considered to have strong links to Russian military intelligence.

While details about the satellite network compromise are being withheld, a CISA incident responder has shared insight that APT28 were in the satellite network for several months.

Russian activity against the UK has slowly been building momentum. In November, DDoS activity was claimed against several UK councils. The following week the Royal Family, British Army and other UK organisations suffered minor DDoS attacks.

Trident Ursa have been observed switching from using lures written in Ukrainian to lures written in English, indicating an intention to target countries other than Ukraine.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
