New Zealand joins Five Eyes partners in calling out Russian state-backed 'malicious cyber activity'

"New Zealand does not tolerate attempts to undermine the integrity of democratic institutions."
"New Zealand does not tolerate attempts to undermine the integrity of democratic institutions." Photo credit: Getty Images.

New Zealand is joining international partners in condemning "malicious cyber activity" that intelligence services are now attributing to the Russian Government.

An advisory issued by New Zealand's National Cyber Security Centre (NCSC) alongside intelligence agencies from Five Eyes countries says the Russian hacking group Star Blizzard is "almost certainly" working on behalf of the Russian Federal Security Service.  

It says Star Blizzard is using spear-phishing attacks against organisations and individuals in the United Kingdom, the United States and other areas of interest for information-gathering activity.  

Since 2019, it is alleged to have targeted academia, defence, government organisations, non-government organisations, think tanks and politicians. This expanded in 2022 to include defence-industrial targets like the United States Department of Energy.

Judith Collins, the minister responsible for the Government Communications Security Bureau (GCSB), issued a statement on Friday morning saying New Zealand condemned the activity.   

"New Zealand does not tolerate attempts to undermine the integrity of democratic institutions through cyber or any other means," Collins said.   

"NGOs and civil society organisations also play an important role in enabling social inclusion in our democracies, and any attempt to interfere with their ability to do that is unacceptable."  

Collins said Russia's "pattern of malicious cyber activity" demonstrated a "disregard for the framework of responsible state behaviour online and for the international rules-based order".  

"This is a reminder to all New Zealand organisations to ensure they have strong cyber security measures in place and are protecting their data from all kinds of cyber harm. New Zealand condemns the unacceptable actions of Russian state actors and calls for all states to behave responsibly online."  

Star Blizzard's spear-phishing activity has involved gathering information about a target and their contacts, creating email and social media accounts impersonating one of the target's contacts, and then, once trust has been established with the target, sending a malicious link.

"The attacker uses typical phishing tradecraft and shares a link, apparently to a document or website of interest," the advisory says.   

"This leads the target to an actor-controlled server, prompting the target to enter account credentials. The malicious link may be a URL in an email message, or the actor may embed a link in a document on OneDrive, Google Drive, or other file-sharing platforms.   

"Star Blizzard uses the open-source framework EvilGinx in their spear-phishing activity, which allows them to harvest credentials and session cookies to successfully bypass the use of two-factor authentication."  

The hackers then have access to the target's credentials, which can be used to access and steal emails.   

The United Kingdom Foreign Secretary David Cameron on Friday morning said the Russian Federal Security Service was behind unsuccessful attempts to interfere in the country's political process. The Russian Ambassador to the UK has reportedly been summoned and two people have been sanctioned. It's reported that Russia has denied involvement.

In July, a Russian hacker group claimed on social media to have taken down a number of New Zealand websites, including Parliament's, in retaliation for the Government's support of Ukraine.

Also earlier this year, Five Eyes countries including New Zealand accused a Chinese state-sponsored group of targeting US critical infrastructure. They warned similar activity could be directed at others around the world.