Full Report
Over the past two years, state-linked Russian hackers have repeatedly attacked Liverpool City Council — and it’s not because the Kremlin harbors a particular dislike toward the port city in northern England. Rather, these attacks are part of a strategy to hit cities, governments and businesses with large financial losses, and they strike far beyond cyberspace. In…
Analysis Summary
# Threat Actor: State-Linked Russian Hackers (Financial Disruption Focus)
## Attribution & Identity
* **Attribution:** State-linked Russian hackers.
* **Known Aliases and Associated Groups:** No individuals or groups are explicitly named; the activity is linked to Russian state interests.
## Activity Summary
* **Recent Campaigns:** Repeatedly attacked Liverpool City Council over the past two years.
* **Operations:** The cyber operations are part of a broader, hybrid strategy aimed at inflicting large financial losses against targeted entities. This strategy extends beyond cyberspace.
* **Physical/Cyber Interplay:** An example of kinetic/cyber overlap includes the damage caused by the "Eagle S shadow vessel" to undersea cables in the Gulf of Finland in December, which resulted in tens of millions of euros in costs.
## Tactics, Techniques & Procedures
The provided excerpt focuses on objectives and methodology rather than on specific technical TTPs (such as malware or exploits).
* **Methodology:** Attacks are designed to cause significant disruption leading to large financial losses for the target companies and their insurers.
* **Techniques (Implied):** Cyberspace attacks (targeting city councils) and physical/maritime interference (damaging undersea cables).
* **MITRE ATT&CK IDs:** None mentioned in the source text.
## Targeting
* **Sectors:** Cities, governments (specifically municipal government, e.g., Liverpool City Council), businesses, shopping malls, airports, logistics companies, and airlines.
* **Geography:** Liverpool, England (UK); Gulf of Finland (maritime infrastructure).
* **Victims:** Liverpool City Council, unnamed shopping malls, airports, logistics companies, and airlines.
## Tools & Infrastructure
* **Malware Families Used:** Not specified.
* **Infrastructure (C2, domains, IPs):** Not specified. Mention of the "Eagle S shadow vessel" implies state-level physical infrastructure is used in concert with cyber attacks.
## Implications
The primary strategic implication is that these actors are executing a consistent, state-driven strategy to cause severe economic damage ("bleed us dry") across various sectors, using both cyber and kinetic/hybrid means. The targeting of local government (like Liverpool City Council) suggests a focus on disrupting essential municipal services to maximize impact and cost.
## Mitigations
* Focus on improving cyber defenses for critical government and essential service providers (like transportation and logistics).
* Assess and mitigate risks associated with potential hybrid attacks, including maritime infrastructure (given the mention of undersea cable damage).
* Implement robust financial protection strategies, as attacks are explicitly designed to impact corporate insurers and drive up costs.