# Russia's FSB malign activity: factsheet

**[gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet](https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet)**

Foreign, Commonwealth & Development Office

## Contents

1. Cyber operations and the Russian intelligence services
2. The FSB cyber programme
3. Cyber operations conducted by FSB Centre 16
4. Cyber operations against worldwide critical national infrastructure
5. Cyber operations against dissidents, political opponents and the Russian public

© Crown copyright 2022

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view
this licence, visit [nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The](https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3)
[National Archives Kew London TW9 4DU or email: psi@nationalarchives gov uk](http://10.10.0.46/mailto:psi@nationalarchives.gov.uk)


-----

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders
concerned.

This publication is available at https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activityfactsheet/russias-fsb-malign-activity-factsheet

## Cyber operations and the Russian intelligence services

Russia is one of the world’s most prolific cyber actors and dedicate significant resource into conducting cyber operations
around the globe. The UK government has publicly attributed malign cyber activity to parts of three Russian Intelligence
services: the FSB, SVR and GRU, with each having their own remits.

A table of the parts of the Russian Intelligence Services that the UK Government has publicly attributed is below.

### RIS cyber organogram

## The FSB cyber programme

The FSB (Federal Security Service; Russian: (Федеральная служба безопасности (ФСБ)) is Russia’s state security agency
and the successor to the KGB. Since its formation in (1995 the FSB has conducted electronic surveillance of equipment.

### FSB Centre 16

FSB Centre 16 (16-й Центр) is responsible for cyber operations including the intercepting, decrypting and processing of
electronic messages, and the technical penetration of foreign targets. Its full title is the Centre for Radio-Electronic
Intelligence by Means of Communication (TsRRSS; Russian: Центр радиоэлектронной разведки на средствах связи
(ЦPPCC)) and is also known as “Military Unit 71330” (V/Ch 71330) (Bойсковая часть B/Ч 71330).

When the KGB was disbanded in 1991, the 16th Directorate of the KGB became FAPSI (Russian: ՓАПϹИ) or Federal
Agency of Government Communications and Information (FAGCI) (Russian :Փедеральное Агентство Правительственной
Ϲвязи и Информации) a Russian government agency which was responsible for signals intelligence (SIGINT) and security


-----

of governmental communications.

In 2003, FAPSI was dissolved, and the 3rd Main Department of FAPSI (responsible for SIGINT) was transferred to the FSB
forming the basis for FSB Centre 16.

The emblem of FSB Centre 16 hints at its activities in cyberspace: a satellite dish (signifying SIGINT activity) and a key,
broken by lightning, (signifying the breaking of an encryption key) are both present.

## Cyber operations conducted by FSB Centre 16

FSB Centre 16 has been observed conducting cyber operations since at least 2010. They conducted significant campaigns
against the energy sector in 2014 and the aviation sector in 2020.

## Cyber operations against worldwide critical national infrastructure

Centre 16 of the FSB have targeted/gained unauthorised access systems in countries around the world that are necessary for
a country to function and upon which daily life depends. Known as Critical National Infrastructure or CNI, Centre 16 has
targeted systems essential for energy, healthcare, finance, education and local/national governments. This has been a
concerted campaign over many years and in a wide range of countries across Europe, the Americas and Asia.

NCSC and cyber security companies have warned network defenders on multiple occasions of the risks posed by this pattern
of activity. While there has been speculation of FSB involvement, the UK government is confirming this activity was carried
out by FSB Centre 16 and providing further details of specific examples of this activity to increase awareness and
transparency around the threat.

### Table 2: Cyber operations against CNI


**Date** **Activity**


**Description**
**of targets** **Further information**


-----

**Date** **Activity**


**Description**
**of targets** **Further information**


June to
July 2013


Compromised
software
package,
turning the
software into
a Trojan, a
legitimate
appearing
programme
that contains
malware


Symantec report:
https://community.broadcom.com/symantecenterprise/communities/communityhome/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-478284cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f44e4a7f5f5e68&tab=librarvdocuments

Symantec report:
https://community.broadcom.com/symantecenterprise/communities/communityhome/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-478284cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f44e4a7f5f5e68&tab=librarvdocuments

Symantec report: Dragonfly: Western energy sector targeted by sophisticated
attack group https://symantec-enterprise-blogs.security.com/blogs/threatintelligence/dragonfly-energy-sector-cyber-attacks. Symantec indicate that the
actors may have “access to operational systems”

US Cybersecurity and Infrastructure security agency advisory
[https://www.cisa.gov/uscert/ncas/alerts/aa22-074a. [The advisory states that](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a)
the activity detailed was performed by Russia government actors and points to
the Symantec report detailed above (October 2017) that details malicious
activity performed by the group called “Dragonfly”]


April 2014 Compromised
software

April 2017 Conducted
malicious
cyber activity


October
2017

March
2018


Gained
unauthorised
access to and
compromised
multiple
networks
through
malicious
cyber activity
including
spear
phishing

Conducted
spear
phishing,
captured user
credentials,
gained
unauthorised
access to CNI
and exfiltrated
data


European
manufacturer
of
programmable
logic controller
devices

European
developer of
wind turbines,
bio gas and
other energy
infrastructure

UK
companies
associated
with the
energy sector

European and
North
American
energy sector

US energy,
nuclear,
commercial
facilities,
water, aviation
and critical
manufacturing
sectors


-----

**Date** **Activity**

April 2018 Compromising
UK
organisations
with focus on
engineering
and industrial
control
companies.
Attackers may
be able to
access
contact lists of
hacked
companies
and establish
long term
access to
networks


**Description**
**of targets** **Further information**


NCSC advisory: https://www.ncsc.gov.uk/news/hostile-state-actorscompromising-uk-organisations-focus-engineering-and-industrial-control

This reconnaissance could be used to gain access at a later date

CISA alert AA20-296A


February
2020 to
August
2020

September
2020
onwards


Sustained and
substantial
scanning and
probing of
networks

Targeted and
exfiltrated
data


UK
engineering
and industrial
control
companies

American
aviation sector

American
aviation sector
and other key
US targets


## Cyber operations against dissidents, political opponents and the Russian public

The UK government has identified FSB Centre 16 actors using cyber operations to monitor or attempt to gain unauthorised
access to the computer systems of dissidents, political opponents and the Russian public.

### Table 3: Cyber operations conducted by FSB Centre 16 against dissidents, prominent Kremlin critics and the Russian public

**Date** **Activity** **Further information**


September
2017

October
2019 to
January
2020

February
2020


Gained unauthorised access to the
email address of an associate of
Aleksey Navalny

Posing as the Russian Federal Tax
Service, conducted spear phishing
against multiple Russian nationals

Attempted to Spear-phish the press
secretary of Mikhail Khodorkovskiy


Aleksey Navalny is a prominent critic of Putin and a strong
advocate for democracy in Russia. In August 2020 Navalny was
poisoned in Russia. Following treatment in Germany he returned to
Russia and was arrested on arrival

Many of the targets are critics of the current administration

1: Mikhail Khodorkovskiy is a prominent critic of the Russian
administration and currently resides in the UK. 2: Mikhail
Khodorkovskiy has said he believes himself to be at serious risk
from harm at the hands of the Russian state. He currently resides
in the UK. The press secretary would be expected to have access
to Mikhail Khodorkovskiy’s diary and travel plans


-----

**Date** **Activity** **Further information**


May 2020 Monitored the website “dossier.center”,
a website set up by Mikhail
Khodorkovskiy to expose corruption
within the Russian government. This
activity occurred shortly after the
website released information about the
FSB

Contents


This activity likely represents intelligence gathering against groups
connected to Mikhail Khodorkovskiy


We use some essential cookies to make this website work.

We’d like to set additional cookies to understand how you use GOV.UK, remember your settings and improve government
services.

We also use cookies set by other sites to help us deliver content from their services.


-----