Emboldened and Evolving: NATO Cyber Threats snapshot
As NATO members and partners prepare for a landmark summit, the cyber threat must be considered. Empowered state-sponsored actors, hacktivists, and criminals are willing to cross lines and commit acts previously unthinkable to attack the Alliance. Besides military targets, NATO must address hybrid threats including APT44, Cyber Espionage & More harmful cyber activities against hospitals, civic society, and other targets, which could affect contingency resilience. The Ukraine crisis is linked to rising cyber risks, but many will grow separately and simultaneously.
NATO faces clandestine, aggressive cyber actors that gather intelligence, assault key infrastructure, and spread disinformation. Google is closely watching cyber threats, including those in this report, to safeguard its customers and businesses, but this is just a snapshot of a bigger and developing world.
What is Cyber espionage?
Cyber espionage is the act of stealing information without permission over the internet. It’s the digital version of traditional espionage
Cyber espionage
NATO’s enemies have long used Cyber Espionage to gain political, diplomatic, and military insight and acquire defence technologies and economic secrets. However, Alliance intelligence will be crucial in the coming months. This summit represents a transition time, with Mark Rutte as Secretary General and other changes planned to strengthen the Alliance’s defence posture and long-term support for Ukraine. Threat actor Cyber Espionage might weaken NATO’s strategic advantage and inform opponent leadership on how to oppose NATO’s investments and ambitions.
NATO faces global Cyber Espionage from various actors. Many still use simple but successful approaches like social engineering. Others have advanced their tradecraft to become formidable opponents for even the most skilled defenders.
APT29 (ICECAP)
APT29, attributed to the Russian Foreign Intelligence Services (SVR) by various governments, collects diplomatic and political intelligence on Europe and NATO member states. APT29 has committed several high-profile compromises of technology corporations that give public sector access. In the past year, Mandiant has seen APT29 target NATO member technology businesses and IT service providers to compromise government and policy organisations’ third-party and software supply chains.The actor is skilled in cloud environments and adept at disguising their tracks, making them hard to detect, monitor, and expel from infiltrated networks.
In addition to spear-phishing NATO members, APT29 has traditionally targeted diplomatic bodies. The actor has breached European and U.S. executive authorities multiple times. They have also targeted political parties in Germany and the U.S. to gather intelligence on potential government policy.
Cyberespionage from China
Recently, Chinese Cyber Espionage has shifted from noisy, easily identifiable operations to stealth. Technical advances have made defending harder and helped NATO member states attack government, military, and commercial targets.
Chinese Cyber Espionage increasingly uses:
Targeting the network edge and exploiting zero-day vulnerabilities in security devices and other internet-facing network infrastructure to limit defence detection. These operators have lowered their risk of user or control identification by using less social engineering. These hackers exploited 12 zero-days (software or hardware vulnerabilities unknown to the vendor, with no patch or fix available, and can be exploited before they can be addressed) in 2023, several in network edge security products. These devices are suitable beachheads in hacked networks because they lack endpoint detection.
Hiding harmful communications via operational relay box (ORB) networks. Threat actors use proxies to mask their malicious traffic on the internet, but proxy tracking is easy. Large ephemeral ORB networks of shared and hacked proxies are used by actors. These networks are hard to trace and hinder infrastructure intelligence sharing for defenders.
Live off the land to avoid defence detection. Some actors utilise non-malware means to break in. Live-off-the-land tactics exploit legitimate system tools, features, and functionalities to traverse networks and commit crimes. Without malware detection and intelligence sharing, defenders are at a disadvantage.
Not just Chinese threat actors use these methods. Russian actors APT29, APT28, and APT44 have employed them.
Cyberattacks that disrupt and destroy
Cyberattacks are increasing, threatening NATO directly and indirectly. Iranian and Russian state actors have been eager to attack NATO countries in recent years, but they have concealed behind phoney fronts that take credit. Mandiant described a 2022 damaging attack on Albania by a purported hacktivist group called “HomeLand Justice” that the U.S. Government subsequently ascribed to Iranian actors.
While demonstrating their ability to launch complex strikes on extremely sensitive operational technology systems in Ukraine, state actors are compromising NATO countries’ key infrastructure for future disruptions. These actors have the means and motivation to disrupt NATO’s key infrastructure.
In addition to state cyberattacks, hacktivist and criminal disruptions are no longer ignorable. Global hacktivist resurgence has caused major attacks on the public and private sectors, making illegal activity a national security threat.
APT44 Sandworm, Frozenbarents
Highly advanced cyber threat outfit APT44, also known as Sandworm, is thought to be backed by Russian military intelligence.
Espionage, disruption, and disinformation efforts are APT44’s specialties. For over a decade, they’ve carried out disruptive malware attacks including BlackEnergy and Industroyer.
APT44 summary:
- APT44 has targeted essential infrastructure, government agencies, and international sports organisations. Since the Russia conflict, Ukraine has been a top target.
- Tactics: APT44 has many tools to achieve its goals. Supply chain attacks, phishing emails, and software flaws are examples. They may use wiper malware to delete data and disrupt operations.
- The range of APT44’s capabilities makes it worrisome. APT44 conducts espionage, sabotage, and influence operations, unlike many APT groups.
The global devastating hack NotPetya, Pyeongchang Olympic games strikes, and Ukraine outages have all been carried out by APT44. Russian military intelligence-linked actor has carried out technically complicated interruptions of sensitive operational systems and broad-effect damaging strikes. APT44 has carried out most disruptive assaults in Ukraine and minor attacks in NATO nations since the war.
PRESSTEA (Prestige) ransomware was used against Polish and Ukrainian logistics companies by APT44 in October 2022. The malware was unbreakable and damaging, maybe to demonstrate the group’s ability to harm supply routes carrying lethal aid to Ukraine. APT44’s risk-taking in using a disruptive capacity against a NATO member country is evident in this operation.
Hacktivists
Geopolitical flashpoints like the Russian invasion of Ukraine have sparked a global hacktivism revival. Despite focusing on NATO members, these actors have had mixed results. Many surgeries are meant to draw attention and create a false sense of uneasiness but cause no lasting damage.
These actors cannot be disregarded despite their flaws. Their attacks draw media attention in target countries and sometimes have catastrophic effects. One of their preferred methods, distributed denial-of-service (DDOS) attacks, are cosmetic but might be used to greater effect during elections. Hacktivists like pro-Russian organisation Cyber Army Russia Reborn (CARR) are also testing larger strikes on key infrastructure. CARR, which has questionable ties to APT44, has affected U.S., Polish, and French water systems in a series of basic but aggressive acts.
Cybercriminals
Ransomware-related financial disruptions are already disrupting NATO states’ essential infrastructure, causing hospital patient care, energy, and government service failures. Many crooks target this crucial infrastructure despite their promises. Russian-speaking criminals and North Korean state actors seeking espionage funding have regularly attacked U.S. and European healthcare institutions. This threat will likely grow due to these actors’ ability to operate from states with low cyber crime enforcement or extradition agreements and the lucrative nature of ransomware operations.
Information Operations and Disinformation
Information operations have grown in cyber threat activities over the past decade as wars and geopolitical tensions have increased. These operations range from “troll farm” social media manipulation to intricate network intrusions. Russian and Belarusian information operations have targeted NATO member nations to weaken the Alliance’s cohesiveness and goals.
Some Cyber Espionage operators who acquire clandestine intelligence also conduct information operations. In hack-and-leak activities, APT28 and COLDRIVER have used stolen data, while UNC1151 has used infiltration capabilities in more complicated information operations. False and misleading information is used to influence public opinion, foment strife, and advance political goals.
Google vigorously counters these activities across products, teams, and geographies where they break our standards and disrupt overt and covert information operations campaigns. They report quarterly in the TAG Bulletin on YouTube channel disruptions, blogs, AdSense accounts, and URLs deleted from Google News surfaces.
Information Operations of Prigozhin Survive
Former Russian industrialist Yevgeniy Prigozhin’s disinformation empire continues, albeit less efficiently, after his death. These campaigns continue to spread disinformation and pro-Russia narratives on many social media platforms, recently emphasising alternative sites, across multiple regions.
These efforts advocate for NATO’s disarmament and claim it causes global instability. They criticise NATO leaders too. These commercials’ substance is heavily influenced by geopolitical events like Russia’s 2022 invasion of Ukraine and other Russian strategic aims. NATO and its member states’ backing for Ukraine has made the Alliance a major target directly and indirectly by becoming involved in matters against Russia’s strategic interests.
COLDRIVER
Russian Cyber Espionage actor COLDRIVER has been linked to the Federal Security Service. The actor often conducts credential phishing attempts against prominent NGOs and retired intelligence and military leaders. The hack-and-leak operation employed victim mailbox data stolen by COLDRIVER. In 2022, COLDRIVER leaked information to deepen Brexit-related political divides in the UK.
Before that, the actor revealed U.S.-UK trade deals before the 2019 UK election. Originally targeting NATO countries, COLDRIVER expanded in 2022 to include the Ukrainian government and conflict supporters. In March 2022, COLDRIVER campaigns targeted numerous European militaries and a NATO Centre of Excellence for the first time.
