United Kingdom Threat Landscape

Home , Carbanak, Dridex, Lazarus Group, Lizard Squad, Operation AntiSec, Petya (malware)

Government: Parliamentary constitutional monarchy; a Commonwealth realm Capital: London Chief of State: Prime Minister Theresa May Natural Resources: Coal, petroleum, natural gas, iron ore, lead, zinc, gold, tin, limestone, salt, clay, chalk, gypsum, potash, silica sand, slate, arable land

Societal Grievances: Brexit, gay marriage, LGBT rights, forced deportation, racism, surveillance, gender workplace diversity, women’s rights, future of the NHS, US President Trump

APT Groups: APT3, Lazarus, APT10, APT17, Comment Crew, Axiom, Night Dragon, APT15, FIN4, APT28 Hacktivist Groups: Anonymous, Null Hacking Crew, Lizard Squad, Syrian Electronic Army, TurkHackTeam, AnonGhost, Lulzsec

Extremist Groups: New IRA1, ISIS, National Action (NS131/Scottish Dawn), Al-Qaeda Criminal Groups: Albanian Mafia, Tottenham Mandem, Rathkeale Rovers Malware Families: Ramnit, Dridex, Trickbot, Carbanak, Odinaff, WannaCry, Dyre

International Threat Landscape Libya and again operations over Iraq and Syria.”8 The UK’s decision to leave the European Union has caused The United Kingdom (UK) is a permanent member of the concern amongst foreign policy analysts that believe the 2 United Nations Security Council , a founding member UK’s global diplomatic influence will decline because the 3 of the North Atlantic Treaty Organization (NATO) , the UK will no longer vote on decisions impacting the EU9. Council of Europe, the Organization for Security and Co-operation in Europe (OSCE), the Organisation for The UK has contributed to the war against ISIS in Iraq Economic Co-operation and Development (OECD), and and Syria and is home to a number of individuals who the World Trade Organisation (WTO), among others. sought to join ISIS. Because of this, and because of The Commonwealth of Nations, which brings together the UK’s historic links to the current disposition of the 53-member states, is a legacy of the former territories Middle East, the UK is a target for international terror of the British Empire4. The UK is also part of the “Five groups. The close relationship between the United States 10 Power Defence Arrangement.”5 Despite declining and the UK also increases this risk . Regional power economic and military power, the UK still retains politics between NATO aligned states and their rivals, “considerable economic, cultural, military, scientific such as Russia, have the potential to incite attacks. and political influence internationally.”6 The UK’s lighter, Although direct conflict is unlikely, proxy conflicts smaller forces and ability to deploy quickly are one of its and attacks through domains such as cyberspace strategic military strengths7. Recent military operations are increasingly likely. The UK’s sophistication and have included “Afghanistan and Iraq, peacekeeping innovation in a number of critical sectors also serve as operations in the Balkans and Cyprus, intervention in targets for intellectual property theft. Political influence, international engagement (military and diplomatic),

1 http://www.independent.co.uk/news/uk/home-news/what-is-the-new-ira-why-has-the-terror-threat-been-raised-from-northern-ireland-to-the- uk-a7024276.html 2 http://www.un.org/en/sc/members/ 3 https://www.gov.uk/government/news/65-years-of-nato 4 http://thecommonwealth.org/member-countries 5 https://www.iiss.org/en/shangri-la%20voices/blogsections/2017-b8c0/developing-the-five-power-defence-arrangements-c523 6 https://ukdefencejournal.org.uk/study-finds-uk-is-second-most-powerful-country-in-the-world 7 https://www.theguardian.com/commentisfree/2018/jan/19/nuclear-weapons-uk-defence-review-russia 8 https://ukdefencejournal.org.uk/study-finds-uk-is-second-most-powerful-country-in-the-world/ 9 https://www.ft.com/content/2bea5eb8-d6c2-11e7-a303-9060cb1e5f44 10 http://www.oxfordresearchgroup.org.uk/sites/default/files/PR%20briefing%20February%202017_0.pdf

2 © 2018 Anomali, Inc. All rights reserved. and industrial and economic dynamism are all areas in a terrorist ‘attack is highly likely’12. The threat from which rival nation states will seek to pre-empt, gain a Northern Ireland has elevated in recent years due to the competitive edge, or undermine. emergence of the “New IRA”. There are also concerns about increases in knife crime and an embedded culture Domestic Threat landscape of violent gangs13. Terrorism, espionage, cyber-attacks and Dissident Republican groups are amongst those threats Cyber Threat Landscape Overview highlighted by the Centre for the Protection of National In February 2017, the UK was listed as the 38th most Infrastructure (CPNI) as threats to the UK11. The goal of attacked country via cyber means globally (up from 53rd the CPNI is to provide advice for the protection of UK in January 2017) ranking it higher than the US (90th), national infrastructure. The threat level to the United Germany (67th) and France (67th) according to Checkpoint Kingdom is currently at ‘severe’, which means that Software14. The UK had the fourth highest detection rate

Port Description Quantity Number 47808 BACnet 297 502 Modbus 331 102 Siemens 50 20000 DNP 6 1962 PLC 4 9600 Omron 47 789 Red Lion 41 2455 CoDeSys 28 1911, 4911 Tridium 1153 44818 EtherNet/IP 1319 18245, General 59 18246 Electric 5904 Hart-IP 0 5006, 5007 Mitsubishi 2 Electric 2404 IEC 649 20547 ProConOS 216

Table of Visible UK ICS Ports (Source: SHODAN)

UK ICS Ports Exposed – 15 Feb 2018 (Source: SHODAN)

11 https://www.cpni.gov.uk/national-security-threats 12 https://www.gov.uk/terrorism-national-emergency 13 http://www.telegraph.co.uk/news/2017/04/29/knife-crime-14-gang-warfare-becoming-embedded-culture/ 14 https://www.helpnetsecurity.com/2017/03/14/top-five-most-wanted-malware/

CNI Transport Emergency Services

Space Energy Health Finance Government Food of ransomware in 2016 according to Malwarebytes, and Summary of Findings the ninth highest for Android malware. Overall, the UK saw the second highest detection rates for all types of Many of the sectors in the UK CNI have a large number malware, almost twice as many detections as Russia15. of companies, including small to medium enterprises (SMEs), that support the success of the industry. This diversification is likely to lend strength to the resilience Industrial Controls Map of the UK against a specific targeting of those sectors. Visible open network communication ports in the UK for However, there are geographical “clusters” that possess protocols related to Industrial Controls Systems (ICS) are an abundance of key sites. The chemicals, civil nuclear, shown in the image and table below. ICS are used in a and energy sector are dependent on some of these wide number of critical national infrastructure sectors. physical clusters and/or physical infrastructure for continued operation. The Grangemouth, Hull, Teesside and Critical National Infrastructure Runcorn areas are examples of this. Despite diversification in some areas, there are some bodies like the Defence The following sections provide insight into the cyber do- Equipment and Supply organization that oversee main of the sectors deemed to be Critical National Infra- procurement for the whole of defence. The procurement 16 structure (CNI). CNI “are those facilities, systems, sites, process necessarily underlines future ambitions and information, people, networks, processes necessary for current weaknesses in military capability. EDF Energy 17 a country to function and upon which daily life depends.” owns all of the currently active nuclear reactors. The They include the following areas: Chemicals, Civil Nuclear, emergency services are going through a communications Communications, Defence, Emergency Services, Energy, upgrade in which the network will be replaced by EE and Finance, Food, Government, Health, Space, Transport and Motorola alongside the provision of hand-held devices Water. The functional well-being of the state is dependent made by Samsung. on the services in these areas, therefore an attack on any of the sectors will have a particularly high impact on the nation.

15 https://www.malwarebytes.com/pdf/white-papers/stateofmalware.pdf 16 The CNI sectors have been taken from the UK CPNI as a template for a general national profile. 17 https://www.cpni.gov.uk/critical-national-infrastructure-0

Lead Government Department: Department for Business, Energy and Industrial Strategy Represented by: Chemical Industries Association (CIA), Association of the British Pharmaceutical Industry (ABPI)

Locations of Industry: Hull, Teesside, Runcorn and Grangemouth (the four main “clusters”) Subsectors: Petrochemicals, basic inorganics, polymers and consumer chemicals, specialty chemicals

Top Trading Region: EU Important Trading Partners: USA, Singapore, Canada, China, Brazil Downstream Impact Pharmaceuticals, Aerospace and automotive Initiatives Industry 4.0 (automation and data exchange)

Summary of Industry Threats to Industry The UK chemicals sector includes the manufacture of The chemicals sector has experienced growth but is specialty chemicals, polymers, commodity chemicals, facing increasing competition from the United States and consumer chemicals. Ninety-seven percent of and China. Brexit and increased energy costs have the industry is made up of 2,500 Small and Medium invigorated efforts to become more energy efficient and Enterprise (SMEs), with large multinational companies competitive.19 making up the remaining 3% of the sector. The geographic locations of the industry are strategically Notable Cyber Attacks placed and connected by pipeline for key inputs such • Fin4 was found to be targeting biotech, scientists, as ethylene. “Interdependencies between upstream and healthcare and pharmaceuticals.20 downstream producers have encouraged clustering… and production plants are often co-located and physically • Health and Pharmaceuticals are among the top connected through pipelines.”18 According to the site sectors for higher data breach costs.21 Loss of ukchemistrygrowth.com, the following companies intellectual property due to molecular formulae, employ the largest number of employees whilst also records and production processes including drug generating more than £25 million in turnover: Almac, discovery programs are expensive consequences for BASF PLC, Croda International PLC, Fine Organics Ltd, the sector.22 Johnson Matthey, Tetrosyl Ltd, Thor.

18 https://www.parliament.uk/documents/commons-committees/Exiting-the-European-Union/17-19/Sectoral%20Analyses/7-Sectoral-Analyses- Chemicals-Report.pdf 19 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/651230/chemicals-decarbonisation-action-plan.pdf 20 https://www.the-scientist.com/?articles.view/articleNo/41566/title/Pharma-and-Biotech-Firms-Hacked/ 21 https://nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF 22 https://www.csoonline.com/article/3084655/security/cyber-threats-and-pharmaceuticals.html

Lead Government Department: Department for Business, Energy and Industrial Strategy Represented by: Nuclear Industry Association (NIA) Regulated by: Office for Nuclear Regulation Protected by: Civil Nuclear Constabulary (protects 14 civil nuclear sites) Reactors: Hartlepool, Heysham I, Heysham II, Hunterston B, Hinkley Point B, Dungeness B, Sizewell B, Torness (All owned by EDF Energy) Proposed New Sites: Hinkley Point, Oldbury, Sellafield, Sizewell and Wylfa Trade Unions: GMB, UNITES, Prospect, Trade Unionists for Safe Nuclear Energy (TUSNE) Waste Disposal Sites: Lillyhall, Sellafield, LLW Repository, Clifton Marsh, Kings Cliff Decommissioning Nuclear Decommissioning Authority

Summary of Industry in storage. There is still a great deal of waste yet to be The UK generates 21% of its electricity through 15 stored, which will be managed once existing facilities shut reactors. All of these reactors are owned by EDF Energy, down and are decommissioned.24 All of the High-Level a British subsidiary of a French government owned Waste (HLW) is currently at Sellafield.25 Sellafield is home electric company. Of the reactors currently in active use, to one of the largest inventories of untreated waste and almost half will be being decommissioned by 202523. currently holds more than 140 tonnes of civil plutonium. The construction of some next generation reactors will Spent fuel from overseas is also re-processed at this plant begin in 2019. Companies such as EDF Energy, Horizon, and arrives by freight train. This site is currently protected NuGeneration, China General Nuclear, GE Hitachi and by its own police force; the Civil Nuclear Constabulary, and Candu Energy all seek to invest in building the new plants. its own Fire service. The civil nuclear sector has been on alert for both terrorist and cyber-attacks. Threats to Industry The UK has withdrawn from Euratom, the European Notable Cyber Attacks Atomic Energy Community. The UK has substantial levels Senior engineers at Ireland’s Electricity Supply Board of radioactive waste deposits. Much of this is due to a (ESB) were targeted in June 2017 by actors believed to be number of past civil and defense programs and is already associated with Russia.26

23 http://www.world-nuclear.org/information-library/country-profiles/countries-t-z/united-kingdom.aspx 24 https://ukinventory.nda.gov.uk/wp-content/uploads/sites/18/2017/03/High-Level-Summary-UK-Radwaste-Inventory-2016.pdf 25 https://www.copeland.gov.uk/sites/default/files/attachments/CIS/pdf/180107_nwg8a.pdf 26 https://www.thetimes.co.uk/article/russia-backed-hackers-try-to-hijack-britain-s-power-supply-55bj9790r

Lead Government Department: Department for Culture, Media and Sport, Department for Business Energy and Industrial Strategy

Regulated by: Ofcom Subsectors: Phones, telecoms, Internet, TV, radio, postal service Companies: Alcatel-Lucent, BT, Huawei, MediaTek, Qualcomm, Siemens, Vodafone Group, CK Hutchison Holdings, Telefonica, Virgin, TalkTalk Largest Fixed Telecoms: BT, Sky, TalkTalk, Virgin Media Legislation: Communications Act 2003, Wireless Telegraphy Act 2006 Domain Name Registry Nominet UK Digital Broadcasting BSkyB, Freesat Initiatives ECHO2 overseas network tender (potentially replaces Vodafone as government telecommunications service provider)

Summary of Industry Access to MSP networks enables attackers to gain “The UK communications sector has about 8,000 access to the MSP’s clients. The UK was among those companies who employ over 270,000 people.”27 The countries impacted.30 telecoms market is likely to see huge growth in demand • Concerns that Huawei products could hide backdoors for connected products (IoT). This demand will flow from led to the creation of the “cell” or “Huawei Cyber other industries such as automotive, healthcare and Security Evaluation Centre” in Banbury, Oxfordshire. mining. 5G services are predicted to launch in the UK This was to bring together technicians and specialists to around 2020. The auctioning of spectrum airwaves took comb through and evaluate Huawei’s products for any place in 2017 and includes airwaves that can be used for malicious code.31 28 5G services (such as the 3.4GHz range). • Telefonica was infected by WannaCry ransomware in 2017, affecting computers on the internal network. Threats to Industry The company claimed that it did not affect clients or The communications industry is robust and accustomed to services.32 protecting their networks. However, this industry is both • Three Chinese nationals affiliated with “Guangzhou Bo critical to the UK and an enabler to groups attempting to Yu Information Technology Company” were charged coordinate attacks. Threats to continuity of service include: with hacking into Siemens, Trimble and Moody’s physical, loss of ‘key inputs’, logical/system failings, Analytics.33 software failures and electronic interference.29 • Virgin Media released a press statement saying that it Notable Cyber Attacks was a victim of cyber-attack and that some customers may face a lack of services for the duration of a • Managed IT Service Provider (MSP) infrastructure month.34 targeted by APT10 as reported by PWC UK and BAE. • Virgin Media asked 800,000 subscribers to update

27 https://www.gov.uk/government/publications/communications-industry-in-the-uk-investment-opportunities/communications-industry-in-the-uk- investment-opportunities 28 http://www.computerweekly.com/opinion/Telecoms-Opportunities-and-challenges-in-2017 29 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/62279/telecommunications-sector-intro.pdf 30 https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf 31 https://www.theguardian.com/technology/2016/aug/07/china-huwaei-cell-uk-national-security-cyber-surveillance-hacking 32 https://www.reuters.com/article/us-spain-cyber/telefonica-other-spanish-firms-hit-in-ransomware-attack-idUSKBN1881TJ 33 https://www.porttechnology.org/news/siemens_trimble_moodys_all_breached_in_cyber_attack 34 https://www.cybersecurity-insiders.com/cyber-attack-to-blackout-virgin-media-internet-users-for-one-month/

7 © 2018 Anomali, Inc. All rights reserved. passwords as routers were found to be vulnerable.35 • was the victim of a cyber-attack that led to the details • Siemens updated software to deal with vulnerabilities of 157,000 customers being stolen. The stolen data 37 in its Position Emission Tomography (PET) scanners, included banking information. which could have been exploited remotely. • BSkyB was compromised by the Syrian Electronic • An attack on Vodafone resulted in the theft of private Army. Some Sky News Apps were compromised along 38 details for nearly 2,000 customers, including banking with the @SkyHelpTeam twitter account. information. Attackers used legitimate credentials; • Three Mobile was hacked in 2016 and 6 million email addresses and passwords.36 customer’s details were exposed. The hackers gained • TalkTalk was fined £400,000 for failing to adequately put access to the upgrade database which contained the 39 in place basic principles of cyber security. The company account details.

35 https://advanced-television.com/2017/06/26/virgin-warns-800000-on-modem-cyber-attack/ 36 https://engagecustomer.com/vodafone-customers-latest-to-be-hit-in-cyber-attack/ 37 http://www.telegraph.co.uk/technology/2016/10/05/talktalk-hit-with-record-fine-for-cyber-attack/ 38 https://www.computerworlduk.com/security/we-are-sharing-info-with-competitors-combat-cyber-threats-says-bskyb-3450790/ 39 https://thehackernews.com/2016/11/3-mobile-uk-hacked.html

Lead Government Department: Ministry of Defence (MoD) Overseas Defense Facilities: Ascension Island, Belize, Brunei, Canada, Diego Garcia, the Falkland Islands, Gibraltar, Kenya, Bahrain and Cyprus40

Royal Navy: Surface Fleet, Submarine Service, Fleet Air Arm, Royal Marines, Royal Fleet Auxiliary

Naval Bases: HMNB Clyde, HMNB Devonport, HMNB Portsmouth Royal Marines Bases: Bickleigh Barracks, RM Chivenor, RM Condor, RM Norton Manor, RM Stonehouse, RM Tamar Deployed Naval Units: HMS Bangor, HMS Blyth, HMS Ledbury, 814 Naval Air Squadron, HMS Monmouth, HMS Diamond, HMS Albion Headquarters Air Command: RAF High Wycombe Procurement Organization: Defence Equipment and Support organisation (DE&S) Defense Suppliers (£500+): Babcock Int, Finmeccanica SpA, BAE Systems PLC, Lockheed Martin, Thales SA, QinetiQ Group PLC, EADS NV, Hewlett Packard Company, Rolls-Royce Group PLC41

Summary of Industry • Chinese group “Comment Crew” were found to have conducted an operation to steal information from The UK Defence industry plays an important role in QinetiQ. The operation was believed to be directed by safeguarding the nation, delivering capabilities and the Chinese PLA Unit 61398. QinetiQ was compromised contributing to the economy. It provides and supports from 2007 to 2012.45 around 142,000 jobs and is one of the world’s largest defence exporters. • The UK’s new aircraft carrier HMS Queen Elizabeth was found to be running a specialized and locked-down Threats to Industry version of Windows XP alongside four UK nuclear 46 An MoD policy paper outlines some of the threats to the submarines. UK Defence sector. It claims foreign intelligence services • Fitness tracking app Strava exposed military bases. are more active than ever in collecting information on UK Fitbit data records jogging routes and highlights Defence.42 Job losses and budget cuts are risks to overall potential increases and decreases in troop numbers, UK Defensive capability. The MoD is pressing the Treasury patrol routes and classified sites.47 HMNB Clyde pointed for budget increases to keep up with adversaries such as this out in social media. Russia.43 • MoD website was hacked by Null Hacking Crew and data was dumped online, including 3,400 email Notable Cyber Attacks addresses and passwords.48 • APT28, a Russian cyber-espionage group, was found to • Hewlett-Packard Laptops were found to contain a deac- be targeting UK Defence Attaches.44

40 https://ukdefencejournal.org.uk/study-finds-uk-is-second-most-powerful-country-in-the-world/ 41 http://www.armedforces.co.uk/mod/listings/l0016.html 42 https://www.forces.net/news/mod-document-reveals-threats-uk-security 43 https://www.theguardian.com/politics/2018/jan/22/uk-faces-cyber-warfare-threat-on-battlefield-and-against-civilian-services 44 https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf 45 http://securityaffairs.co/wordpress/14138/hacking/qinetiq-breached-chinese-cyber-espionage.html 46 https://www.theguardian.com/technology/2017/jun/27/hms-queen-elizabeth-royal-navy-vulnerable-cyber-attack 47 https://www.bleepingcomputer.com/news/technology/fitness-tracking-app-accidentally-exposed-military-bases/ 48 https://thehackernews.com/2012/11/uk-ministry-of-defence-hacked-by.html

9 © 2018 Anomali, Inc. All rights reserved. tivated keylogger. The code is called a “debug trace”.49 assets that are being purchased by the UK Military. • A defence contractor in Australia was hacked, leading • EADS and ThyssenKrupp were hacked in 2012. The to the theft of 30 gigabytes of data. The theft included attacks were later attributed to China. ThyssenKrupp data on Lockheed Martin’s F-35 stealth fighter and was then targeted again in 2016. The attackers were 50 Boeing’s P-8 maritime surveillance aircraft. Both are able to exfiltrate data before being stopped.51

49 https://mashable.com/2017/12/11/keylogger-found-on-hundreds-of-hp-computer-models/#hykRbJgzxsqb 50 https://www.investors.com/news/who-is-behind-the-lockheed-f-35-boeing-p-8-hack/ 51 https://www.forbes.com/sites/leemathews/2016/12/08/thyssenkrupp-attackers-stole-trade-secrets-in-massive-hack/#105e956162dc

Lead Government Department: Department of Health, Department for Transport, Home Office Includes: Police, Ambulance, Fire and Rescue, and Maritime and HM Coastguard Police Forces: 43 territorial forces, National Crime Agency (NCA), Ministry of Defence Police, Civil Nuclear Constabulary, British Transport Police, Port police

Executive Powers: Border Force, Immigration Enforcement, HMRC, DVSA, Police Complaints Commission

Investigatory Powers: Office for Security and Counter-Terrorism, Security Service, Serious Fraud Office Emergency Calls: 999. All four emergency services maintain and operate Emergency Control Centres (EEC). Calls are first filtered by BT Operators. Technology: The future Emergency Service Network (ESN) will be supplied through EE and replace the existing Airwave system supplied by Motorola52. Front line services will be equipped with Samsung Galaxy S8 devices. Legislation: The Policing and Crime Act (2017), The Civil Contingencies Act (2004), Health and Social Care Act (2012), RIPA (2000) Suppliers: Babcock, Bluelight UK, CDS, Cleric, Deenside, Motorola, EE, Samsung, Deltafire, Rosenbauer

Summary of Industry Samsung devices used in the field. The prevalence of Android malware poses a particular risk. The emergency services sector includes services such as the Police, Ambulance, Fire and Rescue, Maritime and HM Notable Cyber Attacks Coastguard. • The WannaCry attack in 2017 infected the NHS, along Threats to Industry with many other victims across the world. A security researcher named Marcus Hutchins prevented further “Compliance with civil protection legislation, the infections by registering a domain that operated as a interconnected nature of its networks, well tested mutual kill-switch for the malware. The ransomware attack aid agreements and the geographic spread of services impacted 47 trusts in England and 13 Scottish health across the UK affords the emergency services sector a boards.55 considerable degree of resilience to disruption from major risks.”53 • UK Police website defaced by TurkHackTeam.56 The upcoming deployment of the Emergency Services • Motorola Focus 73 outdoor security camera Network (ESN) will utilise the EE mobile network for successfully hacked by security researchers.57 communication and will feature Samsung Galaxy S8 • EE Brightbox routers leaked information. This included smartphones for use by emergency personnel.54 This the WPA keys, md5 hash of the device admin password system will offer several improvements over the previous and ISP user credentials.58 technology used in the current Airwave system, but will present new cyber security challenges. Foremost among • NHS trusts still fail tests to meet cyber security these challenges will be protecting the Android-based standards in 2018. NHS Digital has signed a deal with

52 https://www.gov.uk/government/publications/the-emergency-services-mobile-communications-programme/emergency-services-network 53 https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/568546/sector_security_resilience_plans_14_11_2016.pdf 54 http://www.telegraph.co.uk/business/2017/11/23/police-get-samsung-smartphones-210m-deal-connect-emergency-services/ 55 http://www.telegraph.co.uk/news/2017/05/16/no-hero-saysit-expert-marcus-hutchins-saved-world-ransomware/ 56 https://thehackpost.com/uk-police-website-hacked.html 57 http://www.landmobile.co.uk/news/motorola-camera-hacked-by-researchers-at-context-information-security 58 https://scotthelme.co.uk/ee-brightbox-router-hacked/

11 © 2018 Anomali, Inc. All rights reserved. Microsoft which will see the technology giant provide during Operation Vivarium.63 greater protection from cyber-attacks through its • Two South Yorkshire police websites were defaced by 59 Enterprise Threat Detection Service to the NHS. Albanian hackers.64 • Welsh NHS doctors were unable to access patient • Shares in G4S temporarily dropped 2.1 pence after a details, including blood tests and x-rays, because of a fake website was set up stating that the CFO had been 60 failure in two data centres. fired and the company was in debt by £386 million.65 • The NHS, alongside central and local government • In response to the detention of perceived innocent websites, was impacted by a cryptocurrency mining people on terrorism charges, TeaMpOison attacked infection. The attackers took advantage of a plug-in Scotland Yard’s anti-terror hotline and leaked called “Browsealoud” that is designed to help users with conversations between officials on the Internet.66 visual impairments.61 • Metropolitan UK Police hacked for #Antisec by CSL. • Denial of service attacks were conducted against the Security. An SQL injection Vulnerability was exposed.67 62 National Crime Agency by Lizard Squad. The attacks • Anonymous defaced the UK Police Online web forum against the NCA were in revenge for the arrests made under #OperationJubilee.68

59 http://home.bt.com/tech-gadgets/tech-news/nhs-digital-deal-microsoft-cyber-attacks-cybersecurity-11364245759362 60 https://www.computing.co.uk/ctg/news/3025244/welsh-nhs-systems-failure-down-to-technical-glitch-not-cyber-attack 61 https://www.chroniclelive.co.uk/news/north-east-news/newcastle-city-councils-website-caught-14279308 62 http://metro.co.uk/2015/09/01/the-national-crime-agency-website-has-been-hacked-5370121/ 63 http://www.wired.co.uk/article/nca-website-hacked 64 https://www.hackread.com/south-yorkshire-uk-police-websites-hacked/ 65 https://www.scmagazineuk.com/g4s-shares-sent-tumbling-by-fake-website-that-cost-12-to-build/article/540862/ 66 http://www.telegraph.co.uk/news/9200184/Police-anti-terror-hotline-hacked-and-conversations-leaked-online.html 67 http://www.ehackingnews.com/2011/08/metropolitan-uk-police-hacked-for.html 68 https://thehackernews.com/2012/10/anonymous-deface-uk-police-forum-and.html

Lead Government Department: Department for Business, Energy and Industrial Strategy Represented by: Oil and Pipelines Agency Regulated by: Ofgem Subsectors: Upstream and Downstream oil and gas, electricity Pipelines: CLH-PS, Esso pipelines, UKOP, Forties, Fina-line, Petroineos, West London Pipeline, CATS Companies: CLH Group, Ineos, Total, Wingas, BPA, CATS, E.ON, Conoco Philips, Essar, Esso, EP Langage Limited, National Grid, Petrolneos, SABIC, Uniper, Wingas, BP Refineries: PetroIneos Grangemouth, Essar Stanlow, Total Lindsey, Phillips 66 Humber, ExxonMobil Fawley, Valero Pembroke69 Naval Oil Fuel Depots (OFDs): OFD Loch Ewe, OFD Garelochhead, OFD Loch Striven, OFD Campbeltown, Plumley and Cape of Good Hope, OFD Thanckes, OFD Gosport

Summary of Industry There are six Naval Oil Fuel Depots (OFDs) that receive, The UK’s energy industry supplies more than 26 million store and issue middle distillate fuels to support Navy homes and businesses. The industry contributes £83 Command. All sites are supplied by sea. The UK has a billion to the economy. Energy suppliers have grown network of pipelines crisscrossing the country. Individual in number, providing increased competition across the oil companies own some terminals for their own supply, industry. Since the UK’s electricity market was privatised others are part of joint ventures. The six main refineries in the late 1980s, the private sector has been responsible have storage, however there are large storage terminals for financing and building the infrastructure to generate around the country which are supplied by pipeline, rail and transport electricity. The energy sector is going and sea73. The CLH-PS Pipeline system (formerly GPSS through a significant amount of change. Large thermal network) represents 50% of the British pipeline network. plants are being decommissioned and new nuclear, CLH-PS also distributes 35% of aviation fuel and serves next generation technology is being introduced70. Most civil airports such as Heathrow and Gatwick as well as electricity is generated at large power stations which military airfields. Ethylene is the basic building block of connect to the national transmission network. The the petrochemical industry and is produced by SABIC at transmission networks carry electricity for long distances Teeside.74 around the country at high voltages. Distribution networks then take electricity from the transmission system into Threats to Industry homes and businesses at lower voltages.71 The UK’s impending departure from the EU has caused Oil and Gas provide more than 75% of total primary a great deal of uncertainty within the energy industry. energy and will still provide two-thirds of total primary by Supplying 12% of UK gas and 5% of UK electricity, the EU 2035, according to the Department for Business, Energy is a critical trading partner.75 Some of the key pipelines & Industrial Strategy. The UK Continental Shelf provides have considerable impact on supply to large parts 72 more than half of the UK’s oil and gas demand. of the UK.

69 http://www.ukpia.com/docs/default-source/default-document-library/uk-map-of-refineries-and-key-distribution-terminals8ad55c889f1367d7a07bff000 0a71495.pdf?sfvrsn=0 70 https://www.energy-uk.org.uk/publication.html?task=file.download&id=5883 71 https://www.energy-uk.org.uk/energy-industry/the-energy-market.html 72 https://oilandgasuk.co.uk/key-facts/energy-provider/ 73 http://www.ukpia.com/industry_information/distribution.aspx 74 http://www.linewatch.org.uk/links 75 https://publications.parliament.uk/pa/ld201719/ldselect/ldeucom/63/63.pdf

13 © 2018 Anomali, Inc. All rights reserved. Notable Cyber Attacks • E.ON software website was the victim of a cyber- • A Total subdomain was defaced by a member of attack in November of 2017. Attackers are believed to AnonGhost in #OpPetrol in 2014. have had access to servers from as far back as 2013. • Exxon Mobil, Royal Dutch Shell and BP were among Although financial information was encrypted, the those targeted by Chinese hackers in a campaign called attackers would have been able to access sensitive “Night Dragon”. In some cases, the actors had access to personal information. The company released a company networks for more than a year.79 statement noting they will need to rebuild their • An actor called @Le4ky targeted Exxon Mobil in e-commerce site and the Cornucopia3d website.76 #OpSaveTheArctic, hacking and dumping data from the • Irish energy networks were targeted with phishing company including emails and encrypted passwords.80 emails believed to have originated from Russia’s GRU • WikiLeaks published correspondence between Turkey’s 77 intelligence agency. energy leaders that revealed Exxon’s Kurdistan 81 • Two former employees of Essar refinery were accused activity . of data theft in 2015.78

76 https://info.e-onsoftware.com/eonstatement 77 http://securityaffairs.co/wordpress/61079/apt/russian-nation-state-actors-ireland.html 78 https://www.databreaches.net/in-two-former-employees-of-essar-refinery-accused-of-data-theft/ 79 http://www.computerweekly.com/news/1280095257/Exxon-Shell-BP-hacked-in-Night-Dragon-attacks 80 https://www.cyberwarnews.info/2012/06/27/oil-giant-exxon-mobil-hacked-data-leaked-by-le4ky/ 81 https://www.iraqoilreport.com/news/hacked-emails-reveal-details-exxons-kurdistan-activity-20696/

Lead Government Department: HM Treasury Central Bank: Bank of England Trading Market: Financial Times Stock Exchange (FTSE) “Big Six” Banks: HSBC, Barclays, RBS, Lloyds, Standard Chartered, Santander Regulatory Bodies: Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) Cyber Collaboration: NCSC, CDA, G7 Cyber Expert Group, Cross Market Operational Resilience Group (CMORG), FCA Cyber coordination groups

Summary of Industry against UK cash machines. Malware was used to infect The UK financial sector encompasses retail banking, cash machines, which enabled the men to withdraw investment, lending, insurance and wholesale financial hundreds of thousands of pounds.88 markets. The “big six” banks account for 87 of personal • Wonga data breach. 270,000 customers had their current accounts, 85% of business current accounts 82and personal data stolen.89 77% of all outstanding mortgages.83 In 2016, financial and • Tesco bank lost £2.5m after an attack on its online insurance services contributed £124.2 billion to the UK. accounts in November 2016.90 In 2015, London accounted for around half of the entire financial and insurance sector.84 London still accounts for a • Customers of Standard Chartered Pakistan had their significant portion of the industry’s contribution today money taken from ATMs in the UK. The incident is believed to be related to ATM skimming attempts.91 Threats to Industry • Carbanak and Odinaff were found to be targeting SWIFT The consequences of an impending Brexit have caused in UK banks and financial institutions worldwide.92 a great deal of uncertainty. Financial crisis has been a concern, prompting the government and Bank of England • RBS and NatWest suffered from a loss of services for to conduct stress tests to ensure that, if a bank fails, the customers as both banks were targeted with denial of broader economy will remain resilient.85 service attacks.93 Notable Cyber Attacks • Barclays Bank suffered from £1.3m loss after attackers used KVM to remotely hack and steal funds. An • Lazarus APT group targeted a London cryptocurrency attempted theft at Santander was also discovered. company.86 Eight individuals were arrested. The gang used a central • Lloyds, Bank of Scotland and Halifax, all holdings of London property as a control centre.94 Lloyds Banking Group, suffered 48 hours of disruption from a denial of service attack in January 2017.87 • RBS suffered from a denial of service attack in 2013, leading to a loss of availability for customers twice in • Two members of an Eastern European crime gang one week.95 were sentenced in 2017 for their roles in a cyber-attack

82 https://www.fca.org.uk/publication/research/ri_sector_overview_final_jan17.pdf 83 https://www.fca.org.uk/publication/research/retail-lending-sector-overview.pdf 84 http://researchbriefings.files.parliament.uk/documents/SN06193/SN06193.pdf 85 http://obr.uk/box/the-governments-regulatory-response-to-the-financial-crisis/ 86 http://securityaffairs.co/wordpress/66780/apt/lazarus-apt-cryptocurrency.html 87 https://www.theguardian.com/business/2017/jan/23/lloyds-bank-accounts-targeted-cybercrime-attack 88 http://bit.ly/2ogAHws 89 https://www.theguardian.com/business/2017/apr/09/wonga-data-breach-could-affect-250000-uk-customers 90 https://www.theguardian.com/business/2016/nov/08/tesco-bank-cyber-thieves-25m 91 https://www.hackread.com/standard-chartered-bank-hacked-money-stole-via-atms/ 92 https://www.theregister.co.uk/2016/10/11/swift_bank_hacking_reloaded/ 93 https://www.theguardian.com/business/2015/jul/31/rbs-and-natwest-customers-complain-of-online-problems 94 https://www.theguardian.com/business/2013/sep/20/remote-barclays-theft-eight-arrested 95 https://www.theguardian.com/business/2013/dec/06/rbs-natwest-website-cyber-attack

Lead Government Department: Department for Environment, Food and Rural Affairs Regulated by: Food Standards Agency Government Enforcement: National Food Crime Unit Subsectors: Food processing, food and beverage manufacturing Imports From: South America, EU, South-East Asia Top Export Countries: Ireland, USA, France, Netherlands, Germany, Spain Major EU Companies: Diageo Plc, Nestle SA, Unilever, Associated British Foods, Danone, Heineken Top UK Private Companies: Brakes Group, 2 Sisters Food Group, Iceland, SSP, Bakkavor, Iglo Group, AF Blakemore and Son, Findus Group, United Biscuits, William Grant and Sons, Samworth Brothers, Dunbia Union: National Farmers Union

Summary of Industry global price changes. Climate change is a future concern.98 Brexit is a concern for the industry as businesses are “The UK’s food and drink sector is the single largest worried that losing access to the EU’s single market and manufacturing sector in the UK, with a turnover of around labour could cut off growth.99 £100bn. Whisky is its single biggest export. The sector is valued at £21.5 billion, with more than 6,300 food and Notable Cyber Attacks drink businesses operating in the UK.96 More than half of UK food and feed is imported from abroad.97 • A Cadbury factory was infected with Petya ransomware in 2017.100 Threats to Industry • UK supply of Royal Canin was impacted by a cyber- Domestic and international factors impact food production attack.101 in the UK’s agricultural industry. Examples include • Irish retail giant Musgrave Group was hit with malware environmental and economic events, exotic diseases and that attempted to steal debit and credit card numbers.102

96 https://www.lseg.com/resources/1000-companies-inspire-britain/food-drink 97 https://www.theguardian.com/environment/2016/jan/06/more-than-half-of-uks-food-sourced-from-abroad-study-finds 98 https://www.foodsecurity.ac.uk/challenge/uk-threat/ 99 https://www.bloomberg.com/news/articles/2017-12-12/u-k-food-and-drink-sector-calls-for-post-brexit-assurances 100 https://www.foodmanufacture.co.uk/Article/2017/06/30/Food-manufacturers-hit-by-new-cyber-attack 101 http://metro.co.uk/2017/08/24/cat-food-shortage-after-cyber-attack-hits-one-of-uks-biggest-suppliers-6875065/ 102 https://www.independent.ie/irish-news/warning-to-firms-after-cyber-attack-on-food-giant-36219610.html

Lead Government Department: Cabinet Office Location: 10 Downing Street, London Composition: Parliamentary democracy with a constitutional monarch Executive: Cabinet, President, Deputy President, Ministers, Provincial executive councils Legislative: Parliament, House of Commons, House of Lords Judicial: Supreme Court Head of State: Queen Elizabeth II Prime Minister: Rt Hon Theresa May (Conservative Party) Geography: England, Scotland, Wales, Northern Ireland

Summary of Industry Notable Cyber Attacks The UK government is a parliamentary democracy and • A number of UK .gov websites have been affected by is voted into power by the public through a “first past the Browsealoud hack. The plugin had been altered to the post” (326 seats or more) system. The UK is also a inject Coinhives Monero miner, mining crypto-coins on constitutional monarchy, although the Queen has limited victims’ browsers.103 powers today. The Prime Minister is ultimately responsible • APT3 targeted governments and corporations across a for all policy and decisions and oversees the operation of number of countries, including the UK.104 the Civil Service and government agencies. • APT28 was believed to have attempted to disrupt the Threats to Industry UK general election but prevented by GCHQ.105 The UK government faces cyber threats ranging from • Iran was accused of carrying out a brute force attack everyday malware to DDoS to advanced, nation-state on parliament. Around 9,000 email accounts were tar- sponsored actors. International relations, foreign and geted, with ninety accounts eventually compromised106. domestic policies, and involvement in armed conflicts can • Anonymous targeted government websites with denial draw attention from state-sponsored actors, hacktivists, of service attacks. The group’s motives were in protest or other groups opposed to those actions or policies. over “draconian surveillance proposals” and “derogation Government infrastructure also presents an opportunistic of civil rights”.107 target for cyber criminal activity aimed at visitors to government websites as opposed to the government • Credentials belonging to parliament ministers and staff systems themselves. were among those in a list of data being traded on a Russian website in 2017.108

103 https://www.theregister.co.uk/2018/02/11/browsealoud_compromised_coinhive/ 104 http://securityaffairs.co/wordpress/59292/apt/apt-linked-china-gov.html 105 http://www.independent.co.uk/news/uk/home-news/russian-hackers-tried-to-disrupt-uk-general-election-security-sources-say-a7329406.html 106 https://www.thetimes.co.uk/article/iran-attacks-9-000-email-accounts-in-parliament-w5mr836cg 107 http://www.zdnet.com/article/anonymous-hacks-uk-government-sites-over-draconian-surveillance/ 108 https://www.rt.com/uk/393749-russian-hacking-tory-passwords/

Lead Government Department of Health & Social Care (DHSC) Department: Executive Agencies: Public Health England, Medicines & Healthcare products Regulatory Agency Primary Healthcare Org: National Health Service (NHS) Independent Healthcare: Bupa, BMI Healthcare, Care UK, Ramsay Health Care UK, Spire Healthcare Voluntary Healthcare: British Red Cross, Nuffield Health, Save the Children, Sue Ryder Initiatives: Partnership with DeepMind, London-based Google artificial intelligence arm Technology: Namola App

Summary of Industry health service through its Enterprise Threat Detection The healthcare system in the UK is nationalised and Service.111 accessible to the UK public. There are also several • Barts Health Trust was targeted with malware that private healthcare companies. England, Northern Ireland, interfered with five hospitals.112 Scotland and Wales each have their own publicly funded • A British man was sentenced for targeting Norwich system. Hospital with SQL injection attacks.113 Threats to Industry • Google DeepMind NHS app broke UK privacy laws.114 Challenges to the industry include vulnerabilities in • Lulzsec hacked into HPTH UK, a voluntary patient healthcare equipment, exposure to DDoS attacks, and the support organisation for a rare medical condition. threat of ransomware infections. The NHS collaboration Personal information was subsequently dumped with DeepMind involves patient data being shared in online.115 order to “deliver early warning signs” of diseases such • Welsh NHS doctors were unable to access patient as kidney failure. However, the collaboration has come details, including blood tests and x-rays, because of a 109 under scrutiny for its data sharing. These kinds of failure in two data centres.116 concerns over privacy are an ever-present challenge to collaborations involving healthcare data. Cyber attacks • The NHS, alongside central and local government involving the theft of patient data highlight this challenge. websites, was impacted by a cryptocurrency mining infection. The attackers took advantage of a plug-in Notable Cyber Attacks called “Browsealoud” which helps users with visual 117 • The NHS was among those infected by the WannaCry impairments. attack in 2017. The ransomware attack impacted 47 • “Healthcare suffered more breaches than any other trusts in England and 13 Scottish health boards.110 sector in the UK in the final quarter of 2015, with • NHS trusts are still failing tests to meet cyber security half of all data breaches reported to the Information standards in 2018. NHS Digital has signed a deal Commissioner’s Office (ICO) coming from private or 118 with Microsoft which will see the technology giant public health organisations”. provide greater protection from cyber-attacks to the

109 http://www.bbc.co.uk/news/technology-40483202 110 http://www.telegraph.co.uk/news/2017/05/16/no-hero-saysit-expert-marcus-hutchins-saved-world-ransomware/ 111 http://home.bt.com/tech-gadgets/tech-news/nhs-digital-deal-microsoft-cyber-attacks-cybersecurity-11364245759362 112 https://www.policybee.co.uk/blog/13456/uk-biggest-cybersecurity-and-data-breaches-in-2017/ 113 https://www.bleepingcomputer.com/news/security/hacker-his-royal-gingerness-jailed-for-cyber-attack-on-uk-hospital-airport/ 114 http://www.bbc.co.uk/news/technology-40483202 115 https://www.databreaches.net/uk-support-organization-hacked-data-leaked/ 116 https://www.computing.co.uk/ctg/news/3025244/welsh-nhs-systems-failure-down-to-technical-glitch-not-cyber-attack 117 https://www.chroniclelive.co.uk/news/north-east-news/newcastle-city-councils-website-caught-14279308 118 https://www.buildingbetterhealthcare.co.uk/news/article_page/Five_cyber_security_issues_facing_the_UK_healthcare_industry/120574

Lead Government Department: Department for Business, Energy and Industrial Strategy Space Agency: UK Space Agency, European Space Agency (ESA) Manufacturing: Airbus Defence & Space, Inmarsat, SSTL, Reaction Engines, Qinetiq, CGI, OHB Satellites in Orbit: Galileo constellation, Skynet Defense and Aerospace: Airbus Defence & Space (Skynet), DSTL Initiatives: Spaceport, SABRE, Skylon Legislation: Space Industry Bill 2017–2019

Summary of Industry Threats to Industry The UK Space industry contributes £9bn to the UK Brexit has been cited as a concern for the space industry, economy, supporting 25,000 jobs directly and 50,000 jobs in particular the efforts around the EU-based Galileo indirectly. Historically, the UK’s space industry efforts global navigation system119. Many other industries are have been thwarted by lack of funding. In the 1960s, the reliant on the data that streams from satellite networks: UK made a decision to focus on pan-European efforts. weather forecasting, maritime and aviation all rely on the The United States later helped to launch the first UK availability and accuracy of satellite-delivered information satellite, Ariel 1, into space from Florida. Prospero was to guide them. The signals to and from satellites are the first British satellite launched into space using British vulnerable to extreme space weather, spoofing and technology, the Black Arrow launcher. In the 1970s, the interference, and even kinetic or laser attacks.120 European Space Agency was created. The UK focused on encouraging collaboration and supplying technology and Notable Cyber Attacks expertise. In the 1980s, the UK government created the • In 2017, the AmosConnect 8.0 platform produced by British National Space Centre (BNSC), but after two years Stratos Global (subsidiary of Inmarsat) was found investment dropped. British space scientists continued to have security flaws by researchers at IOActive. to collaborate with the European Space Agency (ESA) Researchers were able to inject code to gain access to instead. Inmarsat contracted Airbus Defence and Space other user’s credentials.121 (formerly British Aerospace) to design and build the Eurostar satellite. Since then, more than fifty Eurostar • European Airbus Defence and Space (EADS), a satellites have been launched into space to provide manufacturer of drones, surveillance satellites and secure communications. In the early 2000s, the ESA rockets, was hacked alongside ThyssenKrupp. The commissioned Surrey Satellite Technology Ltd to build a attack occurred in the US and is believed to have 122 prototype satellite called GIOVE-A. The satellite would originated from China. serve as the basis for a network of satellites called Galileo, • Security researcher Chris Roberts claimed to have been a new European global navigation system. The UK Space able to hack into Airbus flight systems via the inflight Agency (UKSA) was created in 2010. The SABRE project entertainment system. He claims to have made the is being developed by Reaction Engines, a UK-based engines go into climb mode and briefly fly sideways.123 corporation, as a propulsion solution to eventually power a spaceplane. • Anonymous claimed attacks against the European Space Agency, dumping data online after targeting a number of subdomains with SQL injection. 124

119 http://gpsworld.com/system-of-systems-brexit-may-oust-uk-from-galileo-work/ 120 https://www.marinelink.com/news/navigation-satellite391876 121 http://www.ibtimes.com/amosconnect-8-hack-popular-maritime-communication-platform-could-be-hacked-2606768 122 https://nakedsecurity.sophos.com/2013/02/25/china-eads-thyssenkrupp-hack/ 123 http://www.independent.co.uk/news/world/americas/computer-expert-hacks-into-plane-and-makes-it-fly-sideways-according-to-fbi-10256145.html 124 https://www.computerworld.com/article/3014539/cybercrime-hacking/attackers-hack-european-space-agency-leak-thousands-of-credentials-for- the-lulz.html

19 © 2018 Anomali, Inc. All rights reserved. • The military satellite network Skynet claimed to have security company FireEye reported the infrastructure been hacked or interfered with by hackers but denied by involved in the attack overlapped with Chinese nation- the MoD.125 state threat actor Axiom. CCleaner is used by many organisations, including Airbus. • CCleaner, a popular utility for Microsoft Windows, was found to have contained a backdoor. Information

125 http://www.dailywireless.org/2007/05/08/skynet-satellite-hacked/

Represented by: Department for Transport Subsectors: Road, Aviation, Rail, Maritime, Logistics Primary Focus: Transport infrastructure Commercial Companies: Easyjet, RyanAir, Virgin Atlantic, International Airlines Group, P&O ferries, Peel Ports Group, Gist, HOYER, Network Rail, National Express, Addison Lee, Transport for London, Stagecoach Group, DHL, Royal Mail, FedEx, Hermes, Uber

Public Entities: Civil Aviation Authority, Airports Commission, High Speed Two, HS2 Growth Taskforce, Highways England, DVLA, Transport for London Busiest Airports: Heathrow Airport, Gatwick Airport, Manchester Airport, London-Stansted, London- Luton, Edinburgh, Birmingham, Glasgow, Bristol, Belfast-International Initiatives: SESAR

Summary of Industry “near misses” involving drones. The industry is also facing The transport industry encompasses all those businesses a huge amount of change, including digital transformation that move people or goods, by land, sea or air. All and shifting customer expectations.129 other industries rely on one or more elements of the transportation industry in some way. This industry has Notable Cyber Attacks the largest attack surface due to its scope and scale but is • IBritish shipping company Clarksons was hacked in late also very resilient. 2017. The company admitted to the breach, claiming it was done through a single user account. The attacker Threats to Industry threatened to release some of the stolen data if The transportation industry has been the target of Clarksons did not pay a ransom.130 conventional terrorism on multiple occasions: 2007 • Norwich airport was the subject of an SQL injection 126 127 Glasgow Airport attack, 2005 London bombings attack using an automated tool called SQLMap. The 128 and the 2017 London Tube attack are examples. attacker claims this was achieved through the airports Accessibility, large numbers of passengers, and public emergency communication system.131 reliance on these services lends to their being common targets for terrorism. Future terrorism concerns in the • On 27 May 2017, British Airways canceled all flights transportation sector may include cyber elements as the from Gatwick and Heathrow due to a reported power sector continues to modernize. supply problem affecting its IT systems. The systems were mostly back up and running the next day.132 The expanded use of technology into this industry is also producing challenges in the cyber realm. London City • Heathrow’s airport security details were found on Airport will become the first UK airport to install a digital a memory stick in London in 2017. The information air traffic control tower, with planes controlled from 80 included routes for foreign dignitaries, the Queen and 133 miles away. The introduction of Amazon’s service “Prime politicians, CCTV and escape routes. Air” and civilian ownership of drones are creating their • The UK rail network was infiltrated four times over the own challenges. Airports have experienced a number of

126 http://news.bbc.co.uk/2/hi/uk_news/7772925.stm 127 http://news.bbc.co.uk/2/shared/spl/hi/uk/05/london_blasts/what_happened/html/russell_sq.stm 128 http://www.dailymail.co.uk/wires/pa/article-4887518/What-know-far-London-Underground-explosion.html 129 https://www.pwc.com/gx/en/industries/transportation-logistics.html 130 https://www.theregister.co.uk/2017/11/29/clarksons_got_some_data_stolen/ 131 https://blog.cybelangel.com/norwich-airport-has-been-hacked/ https://blog.cybelangel.com/norwich-airport-has-been-hacked/ 132 http://www.chicagotribune.com/business/ct-british-airways-flights-canceled-20170528-story.html 133 http://www.independent.co.uk/travel/news-and-advice/heathrow-secret-security-data-found-memory-stick-london-street-a8025516.html

21 © 2018 Anomali, Inc. All rights reserved. course of a year according to Darktrace.134 was found to have contained a backdoor. Information security company FireEye reported the infrastructure • Ryanair was the victim of a hack in 2015, losing £3.4m. involved in the attack overlapped with Chinese nation- The attack is reported to have included a fraudulent state threat actor Axiom. CCleaner is used by many transfer to a Chinese bank.135 organisations, including DHL. • CCleaner, a popular utility for Microsoft Windows,

Water

Lead Government Department: Department for Environment, Food and Rural Affairs Regulated by: Ofwat, Water Industry Commission for Scotland Major Suppliers of Water: Affinity Water, Bournemouth Water, Bristol Water, Cambridge Water (South Staffs), Cholderton and District Water, Dee Valley Water, Essex & Suffolk Water (Northumbrian), Hartlepool Water (Anglian), Portsmouth Water, South East Water, South Staffs Water, SES Water

Suppliers of Water & Waste: Anglian Water (Hartlepool Water), Dŵr Cymru - Welsh Water, Northern Ireland Water, Northumbrian Water, Scottish Water, Severn Trent Water, South West Water, Southern Water, Thames Water, United Utilities, Wessex Water, Yorkshire Water

Smart Meter Suppliers: Arqiva Legislation: Water Act 2014

Summary of Industry Notable Cyber Attacks The UK water industry is made up of a range of • A UK regional water supply company lost over £500,000 organisations that handle supply, filtration and waste. in a scam. The money transfer was sent overseas to The industry is adopting new technologies to better equip Dubai and the Bahamas and transferred into Bitcoin. An customers and companies and promote efficiencies. insider is suspected as the culprit.138 Smart meters are being widely implemented. Anglian Water and Thames Water chose Arqiva to help install their • In 2016, it was reported that a British water utility smart water meters.136 company had been hacked by SQL injection and that the attackers had twice managed to manipulate the flow Threats to Industry of chemicals. The attackers are believed to have ties to Syria.139 Challenges for the industry include population growth, customer demand, climate change and environmental standards.137

134 http://www.independent.co.uk/life-style/gadgets-and-tech/uk-rail-network-railways-hacked-four-times-hackers-trains-a7135026.html 135 http://www.ibtimes.co.uk/how-ryanair-was-hacked-see-5m-stolen-its-bank-accounts-1499206 136 http://www.silicon.co.uk/e-innovation/green-it/anglian-water-arqiva-smart-meter-194774?inf_by=5a85781a671db804518b50e2 137 https://www.water.org.uk/policy/future-of-the-water-sector#Future challenges and uncertainties 138 https://www.bleepingcomputer.com/news/security/uk-water-supplier-loses-500-000-in-sophisticated-scam/ 139 http://cjlab.memri.org/lab-projects/monitoring-jihadi-and-hacktivist-activity/unnamed-british-water-utility-hacked-chemical-levels-altered/

22 © 2018 Anomali, Inc. All rights reserved. UK’s Cyber Defense defence. The procurement process necessarily underlines future ambitions and current weaknesses in military The UK’s National Cyber Security Centre (NCSC) replaced capability. This organisation presents a prime target the CESG (the information security arm of GCHQ). It also for actors seeking to disrupt the defence procurement brought together CERT UK and the cyber-related people process or to steal information regarding defence from the CPNI. The NCSC runs a number of programmes purchases. EDF Energy appears to own all of the currently aimed at securing UK organisations such as the 10 Steps active nuclear reactors in the UK. The emergency services 140 141 to Cyber Security, Active Cyber Defence, and the Cyber are going through a communications upgrade in which 142 Security Information Sharing Partnership (CiSP). The the existing network system, Airwave, will be replaced NCSC aims to make the UK “the safest place to live and do by EE alongside the provision of hand-held devices 143 business online.” made by Samsung. Despite measures taken, the use of android phones being used by front-line emergency Conclusion staff is a risk in light of the fact that the UK is has such high android malware detections. Additional steps to The information outlined in this report sought to cover a protect these devices will help protect against infection. hybrid of areas considered potential and realized threats Recommendations include preventing additional software to the UK. The details all come from open sources and from being installed on the devices beyond what is needed therefore do not cover many of the attacks that take by emergency personnel along with implementing best place on a daily basis. The purpose of the report is to practices for protecting Android-based devices. identify what kinds of threats the UK faces and where an adversary might focus their attention. The information Some areas of the UK CNI are undergoing technological below examines the most likely threats to the UK in upgrades. The emergency services communications relation to industries undergoing a significant amount of network is being replaced. Thermal nuclear reactors are change. being gradually decommissioned and replaced with “next generation” reactors. Smart meters are being deployed Many of the sectors in the UK CNI have a large number into homes for the public to monitor energy use. Airports of companies, including small to medium enterprises will see upgrades to digital air traffic control towers. (SMEs), that support the success of the industry. This The NHS is collaborating with Google’s London artificial diversification lends strength to the resilience of the UK intelligence arm “DeepMind” for early detection of disease. against a specific targeting of those sectors. Despite All of these examples show an increase of the cyber attack this, there are geographical “clusters” that hold a high surface and introduce new avenues to infect targets. percentage of key sites. The chemicals, civil nuclear, and energy sector are dependent on some of these physical Brexit is a possible threat to industry in a number of clusters for continued operation. Grangemouth, Hull, sectors, if not all of them in one way or another. There Teesside and Runcorn are examples of this. It is well is anxiety over the loss of long-standing commercial reported how interconnected these large sites are. When relationships, loss of labour, and loss of participation in reviewing the information related to visible infrastructure ongoing projects. The process of reestablishing trade in the UK through the Shodan Internet scanning site,144 it is relationships or current ones being revised may provide possible to see open Remote Desktop Protocol (RDP) and opportunities for attackers looking to take advantage of Virtual Network Computing (VNC) ports for a number of the disruptions in these partnerships. organisations that are either direct or indirect suppliers of Many of the recent notable cyber incidents relate to services to the CNI. These exposures could serve as entry financially motivated attacks such as those from the points to attackers depending on the underlying systems’ Lazarus Group which includes the WannaCry ransomware criticality, interconnectedness with other resources, and outbreak. Fraudulent financial transfers were present the presence or absence of other security controls. in a number of industries and many of the lower end Despite diversification in some areas, there are incidents were the consequence of simple SQL injection some bodies like the Defence Equipment and Supply attacks or DDoS. Common ransomware affected many organisation that oversee procurement for the whole of organisations, which complements statistics that show

140 https://www.ncsc.gov.uk/guidance/10-steps-cyber-security 141 https://www.ncsc.gov.uk/active-cyber-defence 142 https://www.ncsc.gov.uk/cisp 143 https://www.ncsc.gov.uk/blog-post/ciaran 144 https://www.shodan.io/

23 © 2018 Anomali, Inc. All rights reserved. the UK experienced the fourth highest detection rates for the same types of actors seen in the past. The increased ransomware in 2016. China, Russia, Iran and North Korea use of technology and network communications in these are all examples of nation-states who have carried out sectors will introduce new attack vectors for attackers to campaigns against one or more of the CNI sectors. Future leverage. campaigns against CNI sectors will likely be conducted by