Emboldened and Evolving: A Snapshot of Cyber Threats Facing NATO
Mandiant
Written by: John Hultquist
As North Atlantic Treaty Organization (NATO) members and partners gather for a historic summit, it is important to take stock of one of its most pressing challenges—the cyber threat. The Alliance faces a barrage of malicious cyber activity from all over the globe, carried out by emboldened state-sponsored actors, hacktivists, and criminals who are willing to cross lines and carry out activity that was previously considered unlikely or inconceivable. In addition to military targets, NATO must consider the risks that hybrid threats like malicious cyber activity pose to hospitals, civil society, and other targets, which could impact resilience in a contingency. The war in Ukraine is undoubtedly linked to escalating cyber threat activity, but many of these threats will continue to grow separately and in parallel.
NATO must contend with covert, aggressive malicious cyber actors that are seeking to gather intelligence, preparing to or currently attacking critical infrastructure, and working to undermine the Alliance with elaborate disinformation schemes. In order to protect its customers and clients, Google is closely tracking cyber threats, including those highlighted in this report; however, this is just a glimpse at a much larger and evolving landscape.
Cyber Espionage
NATO's adversaries have long sought to leverage cyber espionage to develop insight into the political, diplomatic, and military disposition of the Alliance and to steal its defense technologies and economic secrets. However, intelligence on the Alliance in the coming months will be of heightened importance. This year's summit is a transition period, with the appointment of Mark Rutte as the new Secretary General and a number of adaptations expected to be rolled out to shore up the Alliance's defense posture and its long-term support for Ukraine. Successful cyber espionage could undermine the Alliance's strategic advantage and inform adversary leadership on how to anticipate and counteract NATO's initiatives and investments.
NATO is targeted by cyber espionage activity from actors around the world with varying capabilities. Many still rely on technically simple but operationally effective methods, like social engineering. Others have evolved and elevated their tradecraft to levels that distinguish themselves as formidable adversaries for even the most experienced defenders.
APT29 (ICECAP)
Publicly attributed to the Russian Foreign Intelligence Service (SVR) by several governments, APT29 is heavily focused on diplomatic and political intelligence collection, principally targeting Europe and NATO member states. APT29 has been involved in multiple high-profile breaches of technology firms that were designed to provide access to the public sector. In the past year, Mandiant has observed APT29 targeting technology companies and IT service providers in NATO member countries to facilitate third-party and software supply chain compromises of government and policy organizations. The actor is extremely adept in cloud environments and particularly focused on covering its tracks, making it hard to detect and track, and especially difficult to expel from compromised networks.
APT29 also has a long history of spear-phishing campaigns against NATO members with a focus on diplomatic entities. The actor has successfully breached executive agencies across Europe and the U.S. on several occasions. We have also seen them actively targeting political parties in Germany as well as in the U.S. with the likely objective of collecting intelligence on future government policy.
Cyber Espionage from China
Cyber espionage activity from China has undergone significant evolution in recent years, transitioning away from loud, easily attributed operations to a greater focus on stealth. Technical investments have amplified the challenge to defenders and bolstered successful campaigns against government, military, and economic targets in NATO member states.
Chinese cyber espionage increasingly features techniques such as:
- Targeting of the network edge and exploiting zero-day vulnerabilities in security devices and other internet-facing network infrastructure to reduce opportunities for defender detection. By relying less on social engineering, these operators have reduced the likelihood of being identified by users or related controls. In 2023, these actors exploited 12 zero-days (software or hardware vulnerabilities that are unknown to the vendor, have no patch or fix available, and can be exploited before they can be addressed), many of which were in security products that reside on the network edge. These appliances typically cannot host endpoint detection and response agents, making them an ideal beachhead in compromised networks.
- The use of operational relay box (ORB) networks to hide the origin of malicious traffic. Threat actors have long hidden their traffic behind proxies, which act as intermediaries between them and the internet, but dedicated proxy infrastructure can be reliably tracked. Actors are now leveraging large, ephemeral networks of shared and compromised proxies known as ORBs. Because the nodes rotate quickly, these networks are very difficult to track, and IP-based indicators go stale before defenders can share them.
- Living off the land to reduce opportunities for defender detection. Some actors are forgoing the use of malware and leveraging other methods to conduct intrusions. Living-off-the-land techniques use legitimate tools, features, and functions already present on the system to traverse networks and carry out malicious activity. With no malware to detect, defenders lose a key signal and are less able to share intelligence on related activity.
These techniques are not only leveraged by Chinese threat actors. Russian actors such as APT29, APT28, and APT44 have used them as well.
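The last bullet above describes a detection problem rather than a detection: when an intruder uses only built-in tools, there is no malware hash to match, so the signal has to come from how legitimate binaries are invoked (unusual argument patterns) and from who launched them (unusual parent/child process pairs). The following is an added example of that approach, not code from Mandiant or from this report. The log format, the sample records, the rule patterns and the process names are constructed assumptions; the patterns reflect widely documented living-off-the-land tradecraft rather than any specific intrusion discussed on this page.

```python
"""Living-off-the-land (LOTL) detection over process-creation telemetry.

Added example for this page, not Mandiant's or Google's tooling. With no
malware present, detection relies on *how* legitimate binaries are invoked:
argument patterns that are rare in routine administration, and parent/child
process pairs that should not occur. The field layout, sample log, rule
patterns and process names below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    command_line: str


# Argument-pattern rules, applied to the lower-cased command line.
# Each targets a built-in Windows tool used for a step of an intrusion
# (credential theft, remote execution, download, pivoting, recon).
RULES = [
    ("ntds_dump_via_ntdsutil", re.compile(r"ntdsutil.*\bac\s+i\s+ntds\b.*\bifm\b")),
    ("lsass_dump_via_comsvcs", re.compile(r"rundll32.*comsvcs\.dll.*minidump")),
    ("remote_exec_via_wmic",   re.compile(r"wmic.*\bnode:.*process\s+call\s+create")),
    ("download_via_certutil",  re.compile(r"certutil.*[-/]urlcache.*[-/]split")),
    ("port_proxy_via_netsh",   re.compile(r"netsh.*interface\s+portproxy\s+add")),
    ("domain_recon_via_net",   re.compile(r"\bnet1?(\.exe)?\s+(group|user)\b.*/domain")),
]

# A shell spawned by a web server or an Office application is a strong
# parent/child signal (web shell or macro) even when the command line is
# itself innocuous, e.g. "whoami".
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SUSPICIOUS_SHELL_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat9.exe",
                            "winword.exe", "excel.exe", "outlook.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> List[Alert]:
    """Apply every rule to one event; an event may trigger several rules."""
    alerts = []
    cmd = event.command_line.lower()
    for name, pattern in RULES:
        if pattern.search(cmd):
            alerts.append(Alert(event.host, event.user, name, event.command_line))
    parent = basename(event.parent_image)
    if basename(event.image) in SHELLS and parent in SUSPICIOUS_SHELL_PARENTS:
        alerts.append(Alert(event.host, event.user,
                            f"shell_spawned_by_{parent}", event.command_line))
    return alerts


def detect(events: Iterable[ProcessEvent]) -> List[Alert]:
    """Run every event through the rule set and collect the alerts in order."""
    return [alert for event in events for alert in evaluate(event)]


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse the constructed pipe-separated format:
    host | user | image | parent_image | command_line
    The command line is taken verbatim after the fourth separator."""
    events = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|", 4)]
        if len(parts) != 5:
            raise ValueError(f"malformed record: {line!r}")
        events.append(ProcessEvent(*parts))
    return events


# Constructed sample telemetry: two routine admin actions (hashing an
# installer, mapping a share) mixed with five hands-on-keyboard actions.
SAMPLE_LOG = r"""
DC01  | CORP\svc_backup            | C:\Windows\System32\ntdsutil.exe  | C:\Windows\System32\cmd.exe          | ntdsutil "ac i ntds" "ifm" "create full C:\Temp\x" q q
WEB02 | IIS APPPOOL\DefaultAppPool | C:\Windows\System32\cmd.exe       | C:\Windows\System32\inetsrv\w3wp.exe | cmd.exe /c whoami
WS17  | CORP\jsmith                | C:\Windows\System32\net.exe       | C:\Windows\System32\cmd.exe          | net group "Domain Admins" /domain
WS17  | CORP\jsmith                | C:\Windows\System32\certutil.exe  | C:\Windows\explorer.exe              | certutil -hashfile C:\Users\jsmith\setup.msi SHA256
FS01  | CORP\admin                 | C:\Windows\System32\net.exe       | C:\Windows\System32\cmd.exe          | net use Z: \\fs01\share
DC01  | CORP\svc_backup            | C:\Windows\System32\rundll32.exe  | C:\Windows\System32\cmd.exe          | rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 812 C:\Temp\l.dmp full
WS17  | CORP\jsmith                | C:\Windows\System32\wbem\WMIC.exe | C:\Windows\System32\cmd.exe          | wmic /node:10.20.0.15 process call create "cmd.exe /c net user backup_svc P@ss /add"
"""


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"{alert.host:5} {alert.user:28} {alert.rule:28} {alert.command_line}")
```

Run stand-alone, the script flags five of the seven records and leaves the two routine ones alone. The point of the design is that none of the matches depend on a file hash or a known-bad binary: every flagged process is a signed Microsoft tool, so the rules need command-line and parent-process telemetry (Sysmon Event ID 1 or an EDR equivalent) to exist at all, and in practice each pattern needs baselining against the environment's real administrative activity before it can page anyone.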
Disruptive and Destructive Cyberattacks
Disruptive and destructive cyberattacks are on the rise, with direct and indirect consequences for the NATO alliance. In recent years, Iranian and Russian state actors have demonstrated a willingness to carry out these attacks on NATO members, though they have hidden their hands behind false fronts that publicly take credit for the operations. For example, Mandiant described a 2022 destructive attack against the government of Albania for which an alleged hacktivist group called "HomeLand Justice" claimed credit, though the U.S. Government ultimately attributed the attack to Iranian actors.
State actors are also compromising the critical infrastructure of NATO members in preparation for future disruptions, even as they demonstrate their ability to carry out complex attacks on highly sensitive operational technology systems in Ukraine. This activity proves these actors have the means and motive to disrupt NATO's critical infrastructure.
In addition to cyberattacks from state actors, disruptions by hacktivists and criminal actors are no longer a nuisance that can be easily ignored. A global resurgence of hacktivists has led to significant attacks against the public and private sector, and criminal activity has become so devastating it has risen to the level of a national security concern.
APT44 (Sandworm, FROZENBARENTS)
APT44 has been involved in many of the most high-profile disruptive cyberattacks in the world, including the global destructive attack NotPetya, attacks on the Pyeongchang Olympic Games, and several blackouts in Ukraine. The actor, which is tied to Russian military intelligence, has carried out technically complex disruptions of sensitive operational technology as well as destructive attacks with broad effects. The majority of disruptive attacks in Ukraine have been attributed to APT44, and the actor has been connected to limited attacks in NATO countries since the war began.
In October 2022, an actor believed to be APT44 deployed PRESSTEA (aka Prestige) ransomware against logistics entities in Poland and Ukraine. The ransomware could not be unlocked and effectively acted as a destructive attack; the activity may have been designed to signal the group's ability to threaten supply lines transiting lethal aid to Ukraine. With this operation, APT44 showed a willingness to use a disruptive capability intentionally against a NATO member country, which reflects the group's penchant for risk taking.
Hacktivists
A global resurgence of politically motivated hacking, or hacktivism, is largely tied to geopolitical flashpoints like the Russian invasion of Ukraine. Despite a strong focus on NATO member states, these actors have had inconsistent effects. Many operations fail to cause lasting disruptions and are ultimately designed to garner attention and create a false impression of insecurity.
Despite their limitations, these actors cannot be completely ignored. Their attacks regularly garner media attention in target countries, and their methods could create serious consequences under the right circumstances. Distributed denial-of-service (DDoS) attacks, one of their preferred methods, are relatively superficial, but could be leveraged during events such as elections for greater impact. Furthermore, some hacktivists, such as the pro-Russian group Cyber Army Russia Reborn (CARR), are experimenting with more substantial attacks on critical infrastructure. CARR, which has murky ties to APT44, has disrupted water supplies at U.S., Polish, and French facilities in a series of simple but brash incidents.
Cyber Criminals
Financially motivated disruptions caused by ransomware are already having severe consequences across critical infrastructure in NATO states, leading to patient care disruptions in hospitals, energy shortages, and government services outages. While some criminals have vowed to avoid targeting this critical infrastructure, many remain undeterred. Healthcare institutions in the U.S. and Europe have been repeatedly targeted by both Russian-speaking criminals seeking financial gain and North Korean state actors aiming to fund their espionage activities. The ability of these actors to operate from jurisdictions with lax cybercrime enforcement or no extradition agreements, coupled with the lucrative nature of ransomware attacks, suggests that this threat will continue to escalate in the near future.
Disinformation and Information Operations
Information operations have become a consistent feature of cyber threat activity in the last decade, steadily growing as conflicts and geopolitical strain have intensified. These operations encompass a wide range of tactics, from "troll farm" social media manipulation to complex schemes involving network intrusions. Russian and Belarusian information operations have particularly targeted NATO member states, primarily aiming to undermine the Alliance's unity and objectives.
Some cyber espionage actors who are predominantly focused on covert intelligence collection also engage in information operations. Groups such as APT28 and COLDRIVER have publicly leveraged stolen information in hack-and-leak campaigns, while other actors, such as UNC1151, have employed their intrusion capabilities in other complex information operations. These efforts aim to manipulate public opinion, sow discord, and advance political agendas through the dissemination of false and misleading information.
At Google, we have worked aggressively across products, teams, and regions to counter these activities where they violate our policies and disrupt overt and covert information operations campaigns. Examples of this enforcement include disruption of YouTube channels, blogs, AdSense accounts, and domains removed from Google News surfaces, as we report on a quarterly basis in the TAG Bulletin.
Prigozhin's Information Operations Survive
Despite the death of their sponsor, Russian businessman Yevgeniy Prigozhin, remnants of his disinformation empire are still functioning, albeit much less effectively. These surviving campaigns continue to promote disinformation and other pro-Russia narratives on multiple social media platforms across multiple regions, most recently with an emphasis on alternative platforms.
The narratives propagated by these operations call for NATO's dismantlement and imply that the Alliance is a source of global instability. They also criticize the leaders of NATO member states. Major geopolitical developments, such as the launch of Russia's full-scale invasion of Ukraine in 2022 and other Russian strategic priorities, significantly influence the content promoted by these campaigns. The ongoing support of NATO and its member states for Ukraine has made the Alliance a prime target both directly and indirectly through its involvement in issues perceived as challenging to Russia's strategic interests.
Ghostwriter/UNC1151
The Ghostwriter information operations campaign, at least partially linked to Belarus, has been active since at least 2016, primarily targeting Belarus's neighbors: Lithuania, Latvia, Poland, and to a lesser extent, Ukraine. The campaign receives technical support from UNC1151, a cyber espionage group. Ghostwriter, notorious for its cyber-enabled influence operations, has consistently prioritized the promotion of anti-NATO narratives. In April 2020, for example, a Ghostwriter operation falsely claimed that NATO troops were responsible for bringing COVID-19 to Latvia.
Ghostwriter activity has sought to undermine regional governments and their security cooperation. This includes operations that leveraged the compromised social media accounts of notable Polish individuals to promote content attempting to tarnish the reputation of Polish politicians, including through the dissemination of potentially compromising photographs. Since 2022, observed Ghostwriter operations have maintained these established campaign objectives while also expanding narratives to include the Russian invasion. In April 2023, for example, a Ghostwriter operation alleged that Poland and Lithuania were recruiting their residents to join a multinational brigade that would deploy to Ukraine.
COLDRIVER
COLDRIVER is a Russian cyber espionage actor that has been publicly linked to Russia's domestic intelligence agency, the Federal Security Service (FSB). The actor regularly carries out credential phishing campaigns against high-profile individuals in non-governmental organizations (NGOs) as well as former intelligence and military officers. Notably, information COLDRIVER stole from victim mailboxes has been used in hack-and-leak operations. Information stolen by COLDRIVER was leaked in 2022 in an effort to exacerbate Brexit-related political divisions in UK politics. Prior to that incident, the actor leaked details of U.S.-UK trade agreements ahead of the 2019 UK election. COLDRIVER primarily targets NATO countries and shifted in 2022 to include the Ukrainian Government and organizations supporting the war in Ukraine. March 2022 also marked the first time COLDRIVER campaigns targeted the military of multiple European countries as well as a NATO Centre of Excellence.
Outlook
Unlike many other domains of conflict, the cyber realm is characterized by aggressive activity that persists irrespective of a state of armed conflict. Nevertheless, geopolitics are an important driver of this activity. Significantly, the Russian invasion of Ukraine has coincided with bolder and more reckless cyber activity against NATO allies. These threats are unlikely to abate in the near future.
The effects of malicious cyber activity are broad; cyber threats have the potential to affect NATO allies and partners from the political-military arena to the economic and societal underpinnings of the Alliance. Countering these threats, like everything NATO does, requires a collective commitment to defense. NATO must rely on collaboration with the private sector in the same way it draws on the strength of its constituent members. Furthermore, it must harness its greatest advantage against cyber threats—the technological capability of the private sector—to seize the initiative in cyberspace from NATO's adversaries.