First state-sponsored cyberattack against UK government revealed two decades later

The UK National Cyber Security Centre (NCSC) has revealed details of the first cyberattack perpetrated against the UK government by another state. The rare insight marks the 20^th anniversary of a malware attack on a government department that was identified by GCHQ's Communications-Electronics Security Group (CESG) as state-sponsored cyber espionage. The response acted as the forerunner to a capability that became the NCSC, which was launched in 2016.

Today, state-sponsored cyber campaigns against other nations are common, particularly during periods of conflict and political unrest. The current Russia-Ukraine conflict is a prime example. Microsoft's latest nation-state cybersecurity intelligence report revealed a wave of cyberattacks from an actor it calls "Cadet Blizzard" associated with the Russian GRU. These attacks, which began in February 2023, target government agencies and IT service providers in Ukraine. It also revealed "Cadet Blizzard" as a new Russian state-sponsored threat actor that targeted Ukraine before the Russian invasion began, likely in an attempt to weaken infrastructure ahead of the assault.

GCHQ fused intelligence capabilities with cybersecurity function for the first time

In June 2003, cyber experts were called upon to investigate after a government employee detected suspicious activity on one of their workstations, the NCSC wrote in a blog. At the time, there was no government agency set up to deal with cyberattacks, nor was there a dedicated national incident management function. A suspected phishing email was identified, so technical specialists sought help from the CESG - the information assurance arm of GCHQ at that time.

"CESG's analysis discovered that malware, designed to steal sensitive data and evade anti-virus products, had been installed, raising suspicions about the attacker's intent and setting in motion a series of actions that was transformative to cyber incident investigations," the NCSC said. For the first time, GCHQ fused its signals intelligence capabilities with its cybersecurity function to investigate and identify the actor responsible.

The ground-breaking analysis, coupled with international engagement, led CESG to conclude the intent of the attack had been cyber espionage by a nation-state, setting in train a mission that today is at the heart of NCSC operations, namely understanding and responding to cyber threats to the UK.

Incident reflected a crossing of the threshold in the cyberattack arena

"Twenty years ago, we were just crossing the threshold of the cyberattack arena, and this incident marked the first time that GCHQ was involved in a response to an incident affecting the UK government," said Paul Chichester, director of operations at the NCSC. "It was also the first time that the UK and Europe started to understand the potential online risks we faced and our response transformed how we investigate and defend against such attacks."

The NCSC and its allies have come such a long way since this incident, and it is reassuring to be at the forefront of efforts to develop tools and techniques to defend against cyber threats and keep our respective nations safe online, he added.