A significant increase in cyber threats against NATO has been observed, primarily linked to the ongoing Russo-Ukraine war. However, the perpetrators extend beyond Russia, targeting NATO technologies and defense secrets from various non-aligned nations, according to a new report from Google-owned threat intelligence firm Mandiant.
The primary adversaries include Russian and Chinese state actors, financially motivated cybercriminals, and politically driven hacktivists. The report highlights three Russian state actors as significant threats: APT29 (focuses on intelligence collection), COLDRIVER (engages in disinformation campaigns), and APT44, aka Sandworm (conducts disruptive cyberattacks).
Hacktivist campaigns, often linked to geopolitical flashpoints like the Russian invasion of Ukraine, also pose a significant threat. While these actors have had inconsistent effects, their operations are designed to create a false impression of insecurity and garner attention. Though many fail to cause lasting disruptions, their attacks regularly capture media attention in target countries, posing potential risks under the right circumstances.
Distributed denial-of-service (DDoS) attacks are among the methods most favoured by these actors. Though relatively superficial, these attacks could be leveraged during events such as elections for greater impact. For instance, the pro-Russian group Cyber Army Russia Reborn (CARR) is experimenting with more substantial attacks on critical infrastructure. Previously, CARR, which has ties to APT44, has disrupted water supplies at facilities in the US, Poland, and France in a series of incidents.
Ransomware attacks by financially motivated cybercriminals are causing severe disruptions across critical infrastructure in NATO states, impacting patient care in hospitals, causing energy shortages, and leading to government service outages, the report notes. Russian-speaking criminals and North Korean state actors are repeatedly targeting healthcare institutions in the US and Europe to fund their espionage activities.
Another growing threat is information operations, which have become a consistent feature of the cyber threat landscape over the last decade. These operations employ a range of tactics, from social media manipulation by “troll farms” to complex network intrusion schemes. Russian and Belarusian operations have particularly targeted NATO member states, aiming to undermine the Alliance's unity and objectives.
Some cyber espionage actors also engage in information operations. For instance, groups such as APT28 and COLDRIVER have used stolen information in hack-and-leak campaigns, while others, like UNC1151, have used their intrusion capabilities in complex information operations.
The Ghostwriter information operations campaign, linked to Belarus and supported by UNC1151, has targeted Belarus's neighbors, including Lithuania, Latvia, Poland, and Ukraine, promoting anti-NATO narratives.
Ghostwriter's activities have sought to undermine regional governments and their security cooperation. The campaign has included operations leveraging compromised social media accounts of notable Polish individuals to spread content tarnishing the reputations of Polish politicians. Since 2022, Ghostwriter operations have expanded narratives to include the Russian invasion of Ukraine. In April 2023, for instance, a Ghostwriter operation falsely claimed that Poland and Lithuania were recruiting residents for a multinational brigade to deploy to Ukraine.