The cyber threats facing NATO: Google shares threat intel as leaders meet in Washington
Threat actors may be preparing to attack critical infrastructure (if they haven't started already), researcher warns
NATO is facing a "barrage of malicious cyber activity" as "emboldened" state-sponsored actors, hacktivists, and criminals "cross lines and carry out activity that was previously considered unlikely or inconceivable," Google Cloud has warned.
As NATO leaders gather in Washington for the Alliance's annual summit today, Google released a threat intelligence briefing detailing the risks facing the Alliance, ranging from espionage to disruption and misinformation campaigns.
"NATO must contend with covert, aggressive malicious cyber actors that are seeking to gather intelligence, preparing to or currently attacking critical infrastructure, and working to undermine the Alliance," wrote John Hultquist, Chief Analyst at Google-owned Mandiant Intelligence.
"Successful cyber espionage from threat actors could potentially undermine the Alliance's strategic advantage and inform adversary leadership on how to anticipate and counteract NATO's initiatives and investments," the analyst added.
Cyber espionage threat actors from across the world are now targeting NATO states, Google's report warned. State-backed actors from Russia and China are specifically called out for their intrusions against NATO members.
It noted that APT29, a group publicly attributed to the Russian Foreign Intelligence Service, is "heavily focused on diplomatic and political intelligence collection, principally targeting Europe and NATO member states."
APT29 is also adept at functioning in cloud environments and "has a long history of spear-phishing campaigns against NATO members with a focus on diplomatic entities." The threat actor's "likely objective" is the collection of information on future government policy.
When it comes to disruptive state-backed actors, the report spotlighted APT44, which is tied to Russian military intelligence and believed to have been involved in "many of the most high-profile disruptive cyberattacks in the world, including the global destructive attack NotPetya, attacks on the Pyeongchang Olympic games, and several blackouts in Ukraine."
The threat actor has also been blamed for deploying Prestige ransomware against logistics entities in Poland and Ukraine.
China's cyber espionage has involved targeting the network edge and exploiting zero-day vulnerabilities in security devices and other internet-facing network infrastructure. The analyst said these actors use operational relay box (ORB) networks and living-off-the-land techniques to evade detection.
"Cyber espionage activity from China has undergone significant evolution in recent years, transitioning away from loud, easily attributed operations to a greater focus on stealth," he wrote.
Along with state-backed cyber espionage, NATO members also have to contend with the rising risk of disruptions from hacktivists and cyber criminals.
Hacktivist activity clusters around geopolitical flashpoints, such as Russia's invasion of Ukraine. These groups tend to rely on tactics that are relatively easy to defend against, such as DDoS attacks.
However, their impact is not always limited. "Some hacktivists, such as the pro-Russian group Cyber Army Russia Reborn (CARR), are experimenting with more substantial attacks on critical infrastructure," the report stated.
"CARR, which has murky ties to APT44, has disrupted water supplies at U.S., Polish, and French facilities in a series of simple but brash incidents," it continued.
Attacks from financially motivated cybercriminals have led to hospital patient care disruptions, energy shortages, and government service outages, the report continued.
Information operations, including misinformation campaigns, are becoming more common, too, especially as several nations hold elections this year.
"These operations encompass a wide range of tactics, from troll farm social media manipulation to complex schemes involving network intrusions," Google wrote.
"In order to protect its customers and clients, Google is closely tracking cyber threats, including those highlighted in this report; however, this is just a glimpse at a much larger and evolving landscape."