
Emboldened and Evolving: A Snapshot of Cyber Threats Facing NATO

Living off the land to reduce opportunities for defender detection. Some actors are forgoing the use of malware and leveraging other methods to conduct intrusions. Living-off-the-land techniques use legitimate tools, features, and functions available in the system to traverse networks and carry out malicious activity. Defenders are at a serious disadvantage without the ability to detect malware and are less able to share intelligence on related activity.
These techniques are not only leveraged by Chinese threat actors. Russian actors such as APT29, APT28, and APT44 have used them as well.

Disruptive and Destructive Cyberattacks


Disruptive and destructive cyberattacks are on the rise, posing direct and indirect consequences to the NATO alliance. In recent years, Iranian and Russian state actors have demonstrated a willingness to carry out these attacks on NATO members, though they have hidden their hands behind false fronts who publicly take credit for the operations. For example, Mandiant described a 2022 destructive attack against the government of Albania for which an alleged hacktivist group called "HomeLand Justice" claimed credit, though the U.S. Government ultimately attributed the attack to Iranian actors.

State actors are also compromising the critical infrastructure of NATO members in preparation for future disruptions, even as they demonstrate their ability to carry out complex attacks on highly sensitive operational technology systems in Ukraine. This activity proves these actors have the means and motive to disrupt NATO's critical infrastructure.

In addition to cyberattacks from state actors, disruptions by hacktivists and criminal actors are no longer a nuisance that can be easily ignored. A global resurgence of hacktivists has led to significant attacks against the public and private sector, and criminal activity has become so devastating it has risen to the level of a national security concern.

APT44 (Sandworm, FROZENBARENTS)


APT44 has been involved in many of the most high-profile disruptive cyberattacks in the world, including the global destructive attack NotPetya, attacks on the Pyeongchang Olympic games, and several blackouts in Ukraine. The actor, which is tied to Russian military intelligence, has carried out technically complex disruptions of sensitive operational technology as well as destructive attacks with broad effects. The majority of disruptive attacks in Ukraine have been attributed to APT44, and the actor has been connected to limited attacks in NATO countries since the war began.

In October 2022, an actor believed to be APT44 deployed PRESSTEA (aka Prestige) ransomware against logistics entities in Poland and Ukraine. The ransomware could not be unlocked and effectively acted as a destructive attack; activity may have been designed to signal the group's ability to threaten supply lines transiting lethal aid to Ukraine. By this operation, APT44 has shown a willingness to use a disruptive capability intentionally against a NATO member country, which reflects the group's penchant for risk taking.

Hacktivists


A global resurgence of politically motivated hacking, or hacktivism, is largely tied to geopolitical flashpoints like the Russian invasion of Ukraine. Despite a strong focus on NATO member states, these actors have had inconsistent effects. Many operations fail to cause lasting disruptions and are ultimately designed to garner attention and create a false impression of insecurity.

Despite their limitations, these actors cannot be completely ignored. Their attacks regularly garner media attention in target countries, and their methods could create serious consequences under the right circumstances. Distributed denial-of-service (DDoS) attacks, one of their most preferred methods, are relatively superficial, but could be leveraged during events such as elections for greater impact. Furthermore, some hacktivists, such as the pro-Russian group Cyber Army Russia Reborn (CARR), are experimenting with more substantial attacks on critical infrastructure. CARR, which has murky ties to APT44, has disrupted water supplies at U.S., Polish, and French facilities in a series of simple but brash incidents.

Cyber Criminals


Financially motivated disruptions caused by ransomware are already causing severe consequences across critical infrastructure in NATO states, leading to patient care disruptions in hospitals, energy shortages, and government services outages. While some criminals have vowed to avoid targeting this critical infrastructure, many remain undeterred. Healthcare institutions in the U.S. and Europe have been repeatedly targeted by both Russian-speaking criminals seeking financial gain and North Korean state actors aiming to fund their espionage activities. The ability of these actors to operate from jurisdictions with lax cyber crime enforcement or extradition agreements, coupled with the lucrative nature of ransomware attacks, suggests that this threat will continue to escalate in the near future.

Disinformation and Information Operations


Information operations have become a consistent feature of cyber threat activity in the last decade, steadily growing as conflicts and geopolitical strain have intensified. These operations encompass a wide range of tactics, from "troll farm" social media manipulation to complex schemes involving network intrusions. Russian and Belarusian information operations have particularly targeted NATO member states, primarily aiming to undermine the Alliance's unity and objectives.

Some cyber espionage actors who are predominantly focused on covert intelligence collection also engage in information operations. Groups such as APT28 and COLDRIVER have publicly leveraged stolen information in hack-and-leak campaigns, while other actors, such as UNC1151, have employed their intrusion capabilities in other complex information operations. These efforts aim to manipulate public opinion, sow discord, and advance political agendas through the dissemination of false and misleading information.

At Google, we have worked aggressively across products, teams, and regions to counter these activities where they violate our policies and disrupt overt and covert information operations campaigns. Examples of this enforcement include disruption of YouTube channels, blogs, AdSense accounts, and domains removed from Google News surfaces, as we report on a quarterly basis in the TAG Bulletin.

Prigozhin's Information Operations Survive


Despite the death of their sponsor, remnants of deceased Russian businessman Yevgeniy Prigozhin's disinformation empire are still functioning, albeit much less effectively. These surviving campaigns continue to promote disinformation and other pro-Russia narratives on multiple social media platforms, most recently with an emphasis on alternative platforms, across multiple regions.

The narratives propagated by these operations call for NATO's dismantlement and imply that the Alliance is a source of global instability. They also criticize the leaders of NATO member states. Major geopolitical developments, such as the launch of Russia's full-scale invasion of Ukraine in 2022 and other Russian strategic priorities, significantly influence the content promoted by these campaigns. The ongoing support of NATO and its member states for Ukraine has made the Alliance a prime target both directly and indirectly through its involvement in issues perceived as challenging to Russia's strategic interests.

Ghostwriter/UNC1151


The Ghostwriter information operations campaign, at least partially linked to Belarus, has been active since at least 2016, primarily targeting Belarus's neighbors: Lithuania, Latvia, Poland, and to a lesser extent, Ukraine. The campaign receives technical support from UNC1151, a cyber espionage group known for its malicious activities. Ghostwriter, notorious for its cyber-enabled influence operations, has consistently prioritized the promotion of anti-NATO narratives. In April 2020, for example, a Ghostwriter operation falsely claimed that NATO troops were responsible for bringing COVID-19 to Latvia.

Ghostwriter activity has sought to undermine regional governments and their security cooperation. This includes operations that leveraged the compromised social media accounts of notable Polish individuals to promote content attempting to tarnish the reputation of Polish politicians, including through the dissemination of potentially compromising photographs. Since 2022, observed Ghostwriter operations have maintained these established campaign objectives while also expanding narratives to include the Russian invasion. In April 2023, for example, a Ghostwriter operation alleged that Poland and Lithuania were recruiting their residents to join a multinational brigade that would deploy to Ukraine.

COLDRIVER


COLDRIVER is a Russian cyber espionage actor that has been publicly linked to Russia's domestic intelligence agency, the Federal Security Service (FSB). The actor regularly carries out credential phishing campaigns against high-profile individuals in non-governmental organizations (NGOs) as well as former intelligence and military officers. Notably, information COLDRIVER stole from victim mailboxes has been used in hack-and-leak operations. Information stolen by COLDRIVER was leaked in 2022 in an effort to exacerbate Brexit-related political divisions in UK politics. Prior to that incident, the actor leaked details of U.S.-UK trade agreements ahead of the 2019 UK election. COLDRIVER primarily targets NATO countries and shifted in 2022 to include the Ukrainian Government and organizations supporting the war in Ukraine. March 2022 also marked the first time COLDRIVER campaigns targeted the military of multiple European countries as well as a NATO Centre of Excellence.

Outlook


Unlike many other domains of conflict, the cyber realm is characterized by aggressive activity that persists irrespective of a state of armed conflict. Nevertheless, geopolitics are an important driver of this activity. Significantly, the Russian invasion of Ukraine has coincided with bolder and more reckless cyber activity against NATO allies. These threats are unlikely to abate in the near future.

The effects of malicious cyber activity are broad; cyber threats have the potential to affect NATO allies and partners from the political-military arena to the economic and societal underpinnings of the Alliance. Countering these threats, like everything NATO does, requires a collective commitment to defense. NATO must rely on collaboration with the private sector in the same way it draws on the strength of its constituent members. Furthermore, it must harness its greatest advantage against cyber threats, the technological capability of the private sector, to seize the initiative in cyberspace from NATO's adversaries.



Published: 2024-07-08T14:00:00