Cyber Intelligence Report
This report contains selected cyber-security information from 3rd to 16th May 2024.
David Swan, Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher: CSCIS / David Swan, Director CIDC
Release: 16th May 2024.
Cyber Intelligence: Russia Collaborates With Cyber Criminals
NATO Warns Russia Over Cyber Activity
Synopsis
1. NATO is warning Russia that its cyber attacks are crossing lines. NATO members and Allies issued their statements due to attacks on their countries. Russia has continued to launch cyber attacks on any country supporting Ukraine while continuing its cyber attacks on Ukraine. Ukraine continues to attack Russia’s Internet.
2. Russia vs Ukraine cyberwar. Russia appears to be committed to the following ongoing ‘Course of Action’ for its cyber forces:
Russian cyber forces, including allied and supporting hackers, continue to launch campaigns against Ukrainian targets and perceived Ukrainian allies. Targeting includes critical infrastructure, industrial infrastructure, political and media organizations, as well as targets of opportunity.
Russia vs NATO
3. NATO Responds to Russian Cyber Attacks: NATO released ‘Statements’ on 2nd and 3rd May indicating ‘deep concern’ and ‘commitment to countering’ Russia’s recent activities. These statements specifically address the activities of Russia’s APT28, which works for the Russian General Staff Main Intelligence Directorate (GRU).
• The 2nd May statement reads (in part): “NATO Allies express their deep concern over Russia’s hybrid actions” … “includes sabotage, acts of violence, cyber and electronic interference, disinformation campaigns, and other hybrid operations” … “We will continue to boost our resilience and to apply and enhance the tools at our disposal to counter and contest Russian hybrid actions.”[1]
• The 3rd May statement focuses on Russia’s cyber activities. “We strongly condemn malicious cyber activities intended to undermine our democratic institutions, national security and free society. The malicious cyber activities targeting Germany and Czechia underscore that cyberspace is contested at all times. Cyber threat actors persistently seek to destabilize the Alliance.” … “Allies also note with concern that the same threat actor (APT28) targeted other national governmental entities, critical infrastructure operators and other entities across the Alliance, including in Lithuania, Poland, Slovakia and Sweden.” … “We remain committed to countering the substantial, continuous and increasing cyber threat, including to our democratic systems and our critical infrastructure. We are determined to employ the necessary capabilities in order to deter, defend against and counter the full spectrum of cyber threats to support each other, including by considering coordinated responses.”[2]
4. The NATO warnings follow several months of ongoing cyber attacks by ‘apparent pro-Russia hacktivists’ on Industrial Control Systems (ICS) and Operational Technology (OT) in Europe and North America. Sectors targeted include: “water and wastewater systems (WWS), dams, energy, and food and agriculture.”[3]
5. Several NATO members issued their own statements, also on 3rd May:
• Germany: The German government denounced APT28 for a cyberattack against the SPD political party. “We can now clearly attribute the attack to the Russian group APT28, which is controlled by the Russian military intelligence service GRU,” … “In other words, Russian state hackers have attacked Germany in cyberspace,” … “This is completely unacceptable and will not remain without consequences.”[4] Germany took a very strong diplomatic position, summoning Russia’s representative and then recalling its own ambassador to Russia for talks.
• Czechia: Ministry of Foreign Affairs (MFA): “[Czechia] strongly condemns activities of the Russian state-controlled actor APT28, who has been conducting a long-term cyber espionage campaign in European countries.”
• UK: “The United Kingdom has joined with its international partners to condemn malicious cyber activity by the Russian Intelligence Services.”
• EU: “[The EU and member states] strongly condemn the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia.”[5]
6. Russia appears to be confident that NATO, its members and allies, will not respond to cyber attacks, including cyber espionage.
• Network performance management provider ‘Netscout’ reports that Sweden has been facing a steadily increasing number of cyber attacks from Russia, mostly DDoS attacks. After Hungary approved Sweden’s joining NATO, “Netscout recorded 1524 simultaneous DDoS attacks targeting Swedish organizations.” On 4th March 2024 the number of attacks peaked at 2275. “Groups involved in these attacks included the Russian-aligned hacker groups NoName057, Anonymous Sudan, Russian Cyber Army Team, and Killnet.”[6]
• In early May, the cyber security company ‘Insikt Group’ identified a new Russian campaign using Artificial Intelligence (AI) “to plagiarize, translate, and edit content from legitimate mainstream media outlets.” The campaign, ‘CopyCop’, “extensively used generative AI to … tailor political messages with specific biases.” The resulting material was used in “inauthentic media outlets in the US, UK, and France.” Content includes pro-Russian perspectives on Ukraine, critical commentary on Israel vs Gaza, and support for U.S. Republican candidates while ‘disparaging’ Democrats.[7] The campaign is being tracked as ‘GhostWriter’.
• On 8th May, Russia’s APT28 was identified as the attacker ‘targeting Polish government institutions’. CERT Polska (Poland’s Computer Emergency Response Team) said the hackers had launched a large-scale email phishing campaign. Users who followed the links would have a ‘backdoor’ installed on their computer, enabling cyber espionage and sabotage.[8]
• On 10th May, a Republic of Kosovo government spokesperson reported that government websites, including those of the president and prime minister, were ‘temporarily unavailable’ due to ‘repeated’ cyber attacks (DDoS attacks).[9]
• On 13th May, Security Affairs reported that Russian hackers had defaced ‘Local British News Sites’. The attackers “defaced numerous local and regional British newspaper websites owned by Newsquest Media Group” with the message “PERVOKLASSNIY RUSSIAN HACKERS ATTACK”, claiming to be “first-class Russian hackers”. The target, ‘Newsquest Media Group Limited’, is the second-largest publisher of regional and local newspapers in the United Kingdom. This attack is assessed as part of the ‘GhostWriter’ campaign.[10]
7. Analyst’s Comment: In NATO’s 3rd May press release, the phrase “deter, defend against and counter the full spectrum of cyber threats” sounds good. Unfortunately it may be too little, too late, as Russia’s cyber forces are already engaged. APT28, a Russian government hacking team, was identified as having ‘broken the rules’, but there has been no specific response to either the unit or its activities. Putin is assessed as unlikely to order a slow-down or change in cyber operations. NATO has not said how (or if) it will respond if a Russia-allied criminal or ‘patriotic’ hacking group crosses a NATO ‘red line’. Russia continues to recruit criminal hacking groups as well as disaffected English-speaking hackers already resident in the West. It is assessed that Russia will continue to increase the operational tempo of all its cyber forces. From Putin’s perspective, those forces are relatively inexpensive to operate, fairly effective at disturbing the political status quo in the West, and capable of causing significant damage to Western critical infrastructure.
Russia vs Ukraine
8. Ukrainian ‘Monobank’ Receives DDoS Attack: Russian hackers have again attempted to shut down a Ukrainian bank with a Distributed Denial of Service (DDoS) attack. On 2nd May, Monobank, Ukraine’s largest mobile-only bank, led by co-founder and CEO Oleh Horokhovskyi, was subject to “another powerful DDoS attack” around 1 p.m. local time.[11] Although the attack was larger than typical, there appears to have been minimal disruption to bank operations.
9. Ukraine Attacks Russian Internet Service Providers: Ukraine’s Main Intelligence Directorate (HUR) launched a cyber attack on 2nd May targeting internet providers and mobile operators in Tatarstan, which supply over 30 facilities including several critical defence industry enterprises. “The DDoS attack successfully disrupted internet service … affecting major telecommunications providers such as MTS, TATTelecom, and the regional operator Ufanet.” Russian users on 3rd May observed “a lack of internet access, with web resources … becoming non-operational.”[12]
10. Following the Tatarstan attack, on 7th May Ukrainian cyber specialists “disabled the Russian online services of the 1C company, which specializes in supporting and developing computer programs for maintaining business databases.” This included disabling “the resources of the corporate cloud provider Cloud4y and the remote work server of 1C — Scloud.”[13]
11. Since 12th May, Ukraine has been running a DDoS attack “on Internet and communications service providers in the Russian Belgorod region.” … “Internet networks providing services for local government and military institutions were blocked. The main Internet provider, Luchshe.Net, and the websites of the local authorities and the government of Belgorod were also disabled.”[14]
How NOT To Pay Ransomware
12. In the UK, the National Cyber Security Centre (NCSC) has formed a coalition with insurance associations. Their guidance document provides detailed advice on how organizations can avoid paying ransoms. The advice isn’t ‘novel’, but it is a tool to help manage a highly stressful situation effectively.[15]
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org