Russia directing hackers to attack UK and west, says director of GCHQ

The GCHQ director, Anne Keast-Butler, called the threat from ransomware ‘the most acute and pervasive cyber threat’. Photograph: GCHQ/PA

Russia is increasingly seeking to encourage and direct hackers to attack British and other western targets, the director of GCHQ has said in her first keynote speech as head of the British intelligence agency.

Anne Keast-Butler said her agency was “increasingly concerned about growing links” between the Russian intelligence services and proxy hacker groups who have long taken advantage of a permissive environment within the country.

“Before, Russia simply created the right environments for these groups to operate but now they’re nurturing and inspiring these non-state cyber actors,” she said in a speech to the Cyber UK conference, in what she described as a “globally pervasive” threat.

The spy chief, appointed last year to be the first woman to hold the role, referenced the threat from ransomware – “the most acute and pervasive cyber threat” – where cybercriminals, typically from Russia, take control of a company’s data and systems and demand significant sums to regain access.

GCHQ was “doing everything we can” to counter ransomware actors, degrade their ability to attack systems across government and business, and “produce intelligence that means those involved in ransomware are held to account”, Keast-Butler said. There is “no hiding place” for cybercriminals, she added.

A week ago, Britain’s National Crime Agency announced it had unmasked Russian national Dmitry Khoroshev as the administrator of the LockBit ransomware group, whose hacking tools were used to carry out more than 7,000 attacks between June 2022 and February 2024 in the US, UK, France, Germany, China and elsewhere.

GCHQ’s public-facing internet security arm, the National Cyber Security Centre (NCSC), published a guide on Tuesday in conjunction with three insurance trade bodies to try to persuade businesses not to pay the ransoms that fund Russian and other hackers.

Paying ransoms to cybercriminals is not usually illegal, unless the hackers are designated a terror organisation.

Money, in the form of cryptocurrency, is often quietly paid by businesses, sometimes from their insurance, in the hope of resolving the attack more quickly.

Felicity Oswald, the interim CEO of the NCSC, speaking after Keast-Butler, said it was “a dangerous misconception that paying a ransom guarantees the end of an incident”.

Paying cyber-attackers amounted to “leaving a bag full of used banknotes in a dark alley,” she said.

The GCHQ chief also addressed China, though she did not directly refer to recent accusations that Beijing was behind an attack on an outsourced payroll system for 270,000 members of the armed forces run on behalf of the Ministry of Defence.

Keast-Butler said that China posed “a genuine and increasing cyber risk to the UK,” though not a threat, and that the activities of Chinese hackers meant the country “poses a significant risk to international norms and values”.

As with Russia, the GCHQ boss said Beijing “has built an advanced set of cyber capabilities” and is “taking advantage of a growing commercial ecosystem of hacking outfits” to try to enter systems and steal data. In March, ministers accused Chinese hackers of compromising the Electoral Commission, the UK elections watchdog, through a hack that took place in either 2021 or 2022.

Echoing comments made by the head of the MI6 foreign intelligence service in 2021, Keast-Butler said “we now devote more resources to China than any other single mission” and described Beijing as posing a longer-term challenge, while Russia was considered an immediate threat.