Cyber threats directed against NATO and its member states have increased with the war in Ukraine, but the aggressors are not limited to Russia. NATO technologies and defense secrets are a prize target for any state not directly aligned with NATO or NATO-sympathetic nations.
John Hultquist, chief analyst at Mandiant Intelligence has collated the primary cyber threats facing NATO ahead of its Washington DC summit from July 9, 2024, to July 11, 2024 (coinciding with NATO’s 75th anniversary).
The primary adversaries are Russian and Chinese nation state actors, escalating financially motivated criminal activity, and ideologically driven hacktivists. The primary political motivations are cyber espionage, and hybrid warfare (spreading disinformation and attacking civil society to weaken public resolve and support).
Hultquist highlights three Russian state actors: APT29 (focusing on intelligence collection), COLDRIVER (focused on disinformation), and APT44 (formerly known as Sandworm, and focused on disruptive cyberattacks).
APT29
APT29 is believed to be associated with the Russian Foreign Intelligence Services (SVR). During the past year it has been targeting technology companies and IT service providers to initiate supply chain access to government and policy organizations. It is strong in cloud environments and stealth, “Making them hard to detect and track, and especially difficult to expel from compromised networks,” comments Hultquist.
The actor has also been seen directly targeting political parties in the US and Germany with the probable intention of collecting intelligence on future government policy.
COLDRIVER
COLDRIVER is an actor linked to Russia’s domestic intelligence agency, the Federal Security Service (FSB). This actor uses credential phishing against high profile politically relevant targets. “Information stolen by COLDRIVER was leaked in 2022 in an effort to exacerbate Brexit-related political divisions in UK politics,” writes Hultquist. The actor primarily targets NATO countries and Ukraine with the purpose of sowing discord among the citizens.
APT44
APT44 is tied to Russian military intelligence, and is generally considered to be the disruptive arm of Russian state cyber. It was involved in the NotPetya and Pyeongchang Olympic games attacks, and blackouts in Ukraine. More recently, in October 2022, it is believed to be behind Prestige ransomware attacks against Poland and Ukraine.
This ransomware could not be unlocked, so was effectively a wiper. “APT44 has shown a willingness to use a disruptive capability intentionally against a NATO member country, which reflects the group’s penchant for risk taking.”
Hultquist also warns that state actors, not limited to APT 44 and Russia, are “compromising the critical infrastructure of NATO members in preparation for future disruptions.”
Chinese espionage
Chinese activity has transitioned from loud, easily attributable attacks to a greater focus on stealth. “Technical investments have amplified the challenge to defenders and bolstered successful campaigns against government, military, and economic targets in NATO member states,” says Hultquist.
There is now a focus on using zero-day vulnerabilities to compromise edge devices. In 2023, 12 zero-days were used, many targeting security products at the network edge.
There is a greater use of operational relay box (ORB) networks. In a separate blog published in May 2024, Michael Raggi explained that ORB networks are similar to botnets that comprise virtual private servers, compromised IoT, smart devices, and routers. The result is “a constantly evolving mesh network that can be used to conceal espionage operations.”
There is also an increased use of ‘living off the land’ techniques to increase stealth.
Mandiant notes that these new approaches are not limited to China, and that Russian actors such as APT29, APT28, and APT44 have also used them.
Disinformation
Disinformation campaigns continue, especially in a major year of western elections. Prigozhin’s information operations have survived his death, although less effectively. “The narratives propagated by these operations call for NATO’s dismantlement and imply that the Alliance is a source of global instability,” comments Hultquist.
Ghostwriter, at least partially linked to Belarus, has been targeting Belarus’ neighboring NATO states. In 2020, a Ghostwriter campaign claimed that NATO troops were responsible for bringing COVID-19 to Latvia. The primary purpose is to undermine public support for NATO policies. In 2023, a campaign alleged that Poland and Lithuania were recruiting their own citizens to join a brigade that would deploy to Ukraine.
Hacktivism and ransomware
Hacktivism never went away but has certainly grown with the war in Ukraine. By its nature, it is difficult to tie hacktivism to specific nation states, but it can often be tied to political ideologies. KillNet, for example, is pro-Russia; the IT Army of Ukraine is anti-Russia.
Ransomware is a favored financially motivated tool of cybercriminals. While it is primarily used by criminals, it is also used by North Korea and has been used by Russian state actors. However, whatever the motivation, the effect is similar: disruption to companies and services, and concern to customers – which is particularly concerning to patients.
Geopolitical cyber activity has undoubtedly increased with the Ukraine war, and is now largely focused against NATO and western alliance counties. “NATO must rely on collaboration with the private sector in the same way it draws on the strength of its constituent members,” says Hultquist. “Furthermore, it must harness its greatest advantage against cyber threats–the technological capability of the private sector–to seize the initiative in cyberspace from NATO’s adversaries.”
Related: NATO Draws a Cyber Red Line in Tensions With Russia
Related: Kapeka: A New Backdoor in Sandworm’s Arsenal of Aggression
Related: The Increasing Effect of Geopolitics on Cybersecurity
Related: What is Cyberwar?
This post was originally published on the 3rd party site mentioned in the title of this this site