{
	"id": "d0698d36-43f5-41f9-bbc5-0eb4d79d84f2",
	"created_at": "2026-04-06T00:21:00.7178Z",
	"updated_at": "2026-04-10T03:35:41.624428Z",
	"deleted_at": null,
	"sha1_hash": "e02c395be7e4fe0a0297b6ea853ab47a60149cd8",
	"title": "UK exposes attempted Russian cyber interference in politics and democratic processes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43755,
	"plain_text": "UK exposes attempted Russian cyber interference in politics and\r\ndemocratic processes\r\nBy Foreign, Commonwealth \u0026 Development Office\r\nPublished: 2023-12-07 · Archived: 2026-04-05 16:46:40 UTC\r\nthe KGB’s successor agency, the Federal Security Service (FSB) is behind sustained unsuccessful attempts\r\nto interfere in UK political processes\r\ntargets include politicians, civil servants, journalists, NGOs and other civil society organisations\r\nin response, the Foreign, Commonwealth and Development Office has sanctioned individuals involved in\r\nthe group’s activity and summoned the Russian Ambassador\r\nThe UK and allies have today (December 7th) exposed a series of attempts by the Russian Intelligence Services to\r\ntarget high-profile individuals and entities through cyber operations. The UK Government judges that this was\r\ndone with the intent to use information obtained to interfere in UK politics and democratic processes.   \r\nCentre 18, a unit within Russia’s Intelligence Services, the FSB, has been identified as being accountable for a\r\nrange of cyber espionage operations targeting the UK.  \r\nThe activity was in turn conducted by Star Blizzard; a group that the UK’s National Cyber Security Centre\r\n(NCSC) – a part of GCHQ – assesses is almost certainly subordinate to FSB Centre 18.   \r\nWhile some attacks resulted in documents being leaked, attempts to interfere with UK politics and democracy\r\nhave not been successful. \r\nStar Blizzard is also commonly known as Callisto Group, SEABORGIUM or COLDRIVER and is operated by\r\nFSB officers. The group has also selectively leaked and amplified the release of information in line with Russian\r\nconfrontation goals, including to undermine trust in politics in the UK and likeminded states. 
\r\nIn particular, the UK has identified the FSB - through the activity conducted by Star Blizzard - as being involved\r\nin the following:  \r\ntargeting, including spear-phishing, of parliamentarians from multiple political parties, from at least 2015\r\nthrough to this year.  \r\nthe hack of UK-US trade documents that were leaked ahead of the 2019 General Election – previously\r\nattributed to the Russian state via Written Ministerial Statement in 2020.  \r\nthe 2018 hack of the Institute for Statecraft, a UK thinktank whose work included initiatives to defend\r\ndemocracy against disinformation, and the more recent hack of its founder Christopher Donnelly, whose\r\naccount was compromised from December 2021; in both instances documents were subsequently leaked. \r\ntargeting of universities, journalists, public sector, non-government organisations and other civil society\r\norganisations, many of whom play a key role in UK democracy\r\nFollowing a National Crime Agency investigation, the UK has today sanctioned two members of Star Blizzard for\r\ntheir involvement in the preparation of spear-phishing campaigns and associated activity that resulted in\r\nunauthorised access and exfiltration of sensitive data, which was intended to undermine UK organisations and\r\nmore broadly, the UK government. \r\nThese sanctions have been delivered jointly with the US, and are the latest in our bilateral efforts to counter\r\nRussian malicious cyber activity that seeks to undermine our, and our allies’, integrity and prosperity. 
The US\r\nDepartment of Justice have concurrently unsealed indictments against the individuals designated today.\r\nThe individuals being designated in the UK and US are: \r\nRuslan Aleksandrovich PERETYATKO, who is a Russian FSB intelligence officer and a member of Star\r\nBlizzard AKA the Callisto Group \r\nAndrey Stanislavovich KORINETS, AKA Alexey DOGUZHIEV, who is a member of Star Blizzard AKA\r\nthe Callisto Group \r\nThe Foreign, Commonwealth and Development Office has also summoned the Russian Ambassador to express the\r\nUK’s deep concern about Russia’s sustained attempts to use cyber to interfere in political and democratic\r\nprocesses in the UK and beyond.  \r\nIn a statement to the House earlier today the Minister for Europe Leo Docherty emphasised that attempts to\r\ninterfere with UK politics and democracy have not been successful. However, it is likely that Russia and other\r\nadversaries will continue to make attempts to use cyber means to interfere in UK politics. The NCSC alongside\r\nthe US, Australia, New Zealand and Canada will today publish a cyber security advisory to inform network\r\ndefenders of how to mitigate this activity, and NCSC will publish guidance for high-risk individuals whilst\r\nproviding further information around support available.  \r\nForeign Secretary David Cameron said:  \r\nRussia’s attempts to interfere in UK politics are completely unacceptable and seek to threaten our\r\ndemocratic processes. \r\nDespite their repeated efforts, they have failed. \r\nIn sanctioning those responsible and summoning the Russian Ambassador today, we are exposing their\r\nmalign attempts at influence and shining a light on yet another example of how Russia chooses to\r\noperate on the global stage.  
\r\nWe will continue to work together with our allies to expose Russian covert cyber activity and hold\r\nRussia to account for its actions.\r\nDeputy Prime Minister Oliver Dowden said:  \r\nAs I warned earlier this year, state actors, and the ‘Wagner-style’ sub-state hackers they use to do their\r\ndirty work, will continue to target our public institutions and our democratic processes. \r\nWe will continue to call this activity out, to raise our defences, and to take action against the\r\nperpetrators.  \r\nOnline is the new frontline. We are taking a whole of society approach to ensuring we have the robust\r\nsystems and cutting-edge skills needed to resist these attempts to undermine our democracy.\r\nHome Secretary James Cleverly said:  \r\nAn attack against our democratic institutions is an attack on our most fundamental British values and\r\nfreedoms. The UK will not tolerate foreign interference and through the National Security Act, we are\r\nmaking the UK a harder operating environment for those seeking to interfere in our democratic\r\ninstitutions.\r\nThe activity announced today is part of a broader pattern of malign cyber activity conducted by the Russian\r\nIntelligence Services across the globe. In recent years the UK and allies have exposed Russian Intelligence for\r\ntheir role in ViaSat, SolarWinds, and targeting of Critical National Infrastructure. In May, the NCSC alongside\r\nFive Eye partners exposed a sophisticated cyberespionage tool designed and used by Centre 16 of Russia’s\r\nFederal Security Service (FSB) for long-term intelligence collection on sensitive targets.  \r\nBackground\r\nThese cyber-attacks were committed by a group NCSC assesses are highly likely subordinate to the FSB’s 18th\r\nCentre for Information Security. 
This is known in open source as:  \r\nStar Blizzard \r\nSEABORGIUM  \r\nCallisto Group  \r\nTA446 \r\nCOLDRIVER \r\nTAG-53 \r\nBlueCharlie\r\nSource: https://www.gov.uk/government/news/uk-exposes-attempted-russian-cyber-interference-in-politics-and-democratic-processes",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.gov.uk/government/news/uk-exposes-attempted-russian-cyber-interference-in-politics-and-democratic-processes"
	],
	"report_names": [
		"uk-exposes-attempted-russian-cyber-interference-in-politics-and-democratic-processes"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5dae3c71-8be1-4591-a2fb-b851ea6f083d",
			"created_at": "2022-10-25T16:07:23.432642Z",
			"updated_at": "2026-04-10T02:00:04.600341Z",
			"deleted_at": null,
			"main_name": "Callisto Group",
			"aliases": [],
			"source_name": "ETDA:Callisto Group",
			"tools": [
				"RCS Galileo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3aedca2f-6f6c-4470-af26-a46097d3eab5",
			"created_at": "2024-11-01T02:00:52.689773Z",
			"updated_at": "2026-04-10T02:00:05.396502Z",
			"deleted_at": null,
			"main_name": "Star Blizzard",
			"aliases": [
				"Star Blizzard",
				"SEABORGIUM",
				"Callisto Group",
				"TA446",
				"COLDRIVER"
			],
			"source_name": "MITRE:Star Blizzard",
			"tools": [
				"Spica"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2d06d270-acfd-4db8-83a8-4ff68b9b1ada",
			"created_at": "2022-10-25T16:07:23.477794Z",
			"updated_at": "2026-04-10T02:00:04.625004Z",
			"deleted_at": null,
			"main_name": "Cold River",
			"aliases": [
				"Blue Callisto",
				"BlueCharlie",
				"Calisto",
				"Cobalt Edgewater",
				"Gossamer Bear",
				"Grey Pro",
				"IRON FRONTIER",
				"Mythic Ursa",
				"Nahr Elbard",
				"Nahr el bared",
				"Seaborgium",
				"Star Blizzard",
				"TA446",
				"TAG-53",
				"UNC4057"
			],
			"source_name": "ETDA:Cold River",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"DNSpionage",
				"LOSTKEYS",
				"SPICA"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a057a97-db21-4261-804b-4b071a03c124",
			"created_at": "2024-06-04T02:03:07.953282Z",
			"updated_at": "2026-04-10T02:00:03.813595Z",
			"deleted_at": null,
			"main_name": "IRON FRONTIER",
			"aliases": [
				"Blue Callisto ",
				"BlueCharlie ",
				"CALISTO ",
				"COLDRIVER ",
				"Callisto Group ",
				"GOSSAMER BEAR ",
				"SEABORGIUM ",
				"Star Blizzard ",
				"TA446 "
			],
			"source_name": "Secureworks:IRON FRONTIER",
			"tools": [
				"Evilginx2",
				"Galileo RCS",
				"SPICA"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434860,
	"ts_updated_at": 1775792141,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e02c395be7e4fe0a0297b6ea853ab47a60149cd8.pdf",
		"text": "https://archive.orkl.eu/e02c395be7e4fe0a0297b6ea853ab47a60149cd8.txt",
		"img": "https://archive.orkl.eu/e02c395be7e4fe0a0297b6ea853ab47a60149cd8.jpg"
	}
}