https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet

Cyber operations and the Russian intelligence services

Russia is one of the world’s most prolific cyber actors and dedicate significant resource into conducting cyber operations around the globe. The UK government has publicly attributed malign cyber activity to parts of three Russian Intelligence services: the FSB, SVR and GRU, with each having their own remits.

A table of the parts of the Russian Intelligence Services that the UK Government has publicly attributed is below.

RIS cyber organogram

The FSB cyber programme

The FSB (Federal Security Service; Russian: (Федеральная служба безопасности (ФСБ)) is Russia’s state security agency and the successor to the KGB. Since its formation in (1995 the FSB has conducted electronic surveillance of equipment.

FSB Centre 16

FSB Centre 16 (16-й Центр) is responsible for cyber operations including the intercepting, decrypting and processing of electronic messages, and the technical penetration of foreign targets. Its full title is the Centre for Radio-Electronic Intelligence by Means of Communication (TsRRSS; Russian: Центр радиоэлектронной разведки на средствах связи (ЦPPCC)) and is also known as “Military Unit 71330” (V/Ch 71330) (Bойсковая часть B/Ч 71330).

When the KGB was disbanded in 1991, the 16th Directorate of the KGB became FAPSI (Russian: ՓАПϹИ) or Federal Agency of Government Communications and Information (FAGCI) (Russian :Փедеральное Агентство Правительственной Ϲвязи и Информации), a Russian government agency, which was responsible for signals intelligence (SIGINT) and security of governmental communications.

In 2003, FAPSI was dissolved, and the 3rd Main Department of FAPSI (responsible for SIGINT) was transferred to the FSB forming the basis for FSB Centre 16.

The emblem of FSB Centre 16 hints at its activities in cyberspace: a satellite dish (signifying SIGINT activity) and a key, broken by lightning, (signifying the breaking of an encryption key) are both present.

Cyber operations conducted by FSB Centre 16

FSB Centre 16 has been observed conducting cyber operations since at least 2010. They conducted significant campaigns against the energy sector in 2014 and the aviation sector in 2020.

Cyber operations against worldwide critical national infrastructure

Centre 16 of the FSB have targeted/gained unauthorised access systems in countries around the world that are necessary for a country to function and upon which daily life depends. Known as Critical National Infrastructure or CNI, Centre 16 has targeted systems essential for energy, healthcare, finance, education and local/national governments. This has been a concerted campaign over many years and in a wide range of countries across Europe, the Americas and Asia.

NCSC and cyber security companies have warned network defenders on multiple occasions of the risks posed by this pattern of activity. While there has been speculation of FSB involvement, the UK government is confirming this activity was carried out by FSB Centre 16 and providing further details of specific examples of this activity to increase awareness and transparency around the threat.

Table 2: Cyber operations against CNI

DateActivityDescription of targetsFurther information
June to July 2013Compromised software package, turning the software into a Trojan, a legitimate appearing programme that contains malwareEuropean manufacturer of programmable logic controller devicesSymantec report: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarvdocuments
April 2014Compromised softwareEuropean developer of wind turbines, bio gas and other energy infrastructureSymantec report: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarvdocuments
April 2017Conducted malicious cyber activityUK companies associated with the energy sector 
October 2017Gained unauthorised access to and compromised multiple networks through malicious cyber activity including spear phishingEuropean and North American energy sectorSymantec report: Dragonfly: Western energy sector targeted by sophisticated attack group https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks. Symantec indicate that the actors may have “access to operational systems”
March 2018Conducted spear phishing, captured user credentials, gained unauthorised access to CNI and exfiltrated dataUS energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectorsUS Cybersecurity and Infrastructure security agency advisory https://www.cisa.gov/uscert/ncas/alerts/aa22-074a. [The advisory states that the activity detailed was performed by Russia government actors and points to the Symantec report detailed above (October 2017) that details malicious activity performed by the group called “Dragonfly”]
April 2018Compromising UK organisations with focus on engineering and industrial control companies. Attackers may be able to access contact lists of hacked companies and establish long term access to networksUK engineering and industrial control companiesNCSC advisory: https://www.ncsc.gov.uk/news/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
February 2020 to August 2020Sustained and substantial scanning and probing of networksAmerican aviation sectorThis reconnaissance could be used to gain access at a later date
September 2020 onwardsTargeted and exfiltrated dataAmerican aviation sector and other key US targetsCISA alert AA20-296A

Cyber operations against dissidents, political opponents and the Russian public

The UK government has identified FSB Centre 16 actors using cyber operations to monitor or attempt to gain unauthorised access to the computer systems of dissidents, political opponents and the Russian public.

Table 3: Cyber operations conducted by FSB Centre 16 against dissidents, prominent Kremlin critics and the Russian public

DateActivityFurther information
September 2017Gained unauthorised access to the email address of an associate of Aleksey NavalnyAleksey Navalny is a prominent critic of Putin and a strong advocate for democracy in Russia. In August 2020 Navalny was poisoned in Russia. Following treatment in Germany he returned to Russia and was arrested on arrival
October 2019 to January 2020Posing as the Russian Federal Tax Service, conducted spear phishing against multiple Russian nationalsMany of the targets are critics of the current administration
February 2020Attempted to Spear-phish the press secretary of Mikhail Khodorkovskiy1: Mikhail Khodorkovskiy is a prominent critic of the Russian administration and currently resides in the UK. 2: Mikhail Khodorkovskiy has said he believes himself to be at serious risk from harm at the hands of the Russian state. He currently resides in the UK. The press secretary would be expected to have access to Mikhail Khodorkovskiy’s diary and travel plans
May 2020Monitored the website “dossier.center”, a website set up by Mikhail Khodorkovskiy to expose corruption within the Russian government. This activity occurred shortly after the website released information about the FSBThis activity likely represents intelligence gathering against groups connected to Mikhail Khodorkovskiy


.