Eastern and Northern Europe on the front lines of the cyber conflict
A new attack geography has taken shape over the last 12 months. At the very beginning of the conflict, the majority of incidents only affected Ukraine (50.4% in the first quarter of 2022 versus 28.6% in the third quarter), but EU countries have seen a sharp increase in conflict-related incidents in the last six months (9.8% versus 46.5% of global attacks).
In the summer of 2022, there were almost as many conflict-related incidents in EU countries as there were in Ukraine (85 versus 86), and in the first quarter of 2023, the overwhelming majority of incidents (80.9%) have been inside the European Union.
Candidates for European integration such as Montenegro and Moldova are being increasingly targeted (0.7% of attacks in the first quarter of 2022 versus 2.7% at the end of 2022) and Poland is under constant harassment, with a record number of 114 incidents related to the conflict over the past year. War hacktivists have specifically targeted the Baltic countries (157 incidents in Estonia, Latvia and Lithuania) and Nordic countries (95 incidents in Sweden, Norway, Denmark and Finland). Germany saw 58 incidents in the past year, but other European countries have been relatively spared, such as France (14 attacks), the UK (18 attacks), Italy (14 attacks) and Spain (4 attacks).
“In the third quarter of 2022, Europe was dragged into a high-intensity hybrid cyber-war at a turning point in the conflict, with a massive wave of DDoS attacks, particularly in the Nordic and Baltic countries and Eastern Europe. Cyber is now a crucial weapon in the arsenal of new instruments of war, alongside disinformation, manipulation of public opinion, economic warfare, sabotage and guerrilla tactics. With the lateralisation of the conflict from Ukraine to the rest of Europe, Western Europe should be wary of possible attacks on critical infrastructure in the short term if the conflict continues to accelerate.” Pierre-Yves Jolivet, VP Cyber Solutions, Thales.
From war hacktivists to cyber-harassment
Of all cyber-attacks reported worldwide since the start of the conflict, 61% were perpetrated by pro-Russian hacktivist groups, and in particular by Anonymous Russia, KillNet and Russian Hackers Teams, which have emerged since the start of the conflict to mirror the efforts of Ukrainian IT Army hacktivists early in the war. These new groups are more structured and use the type of resources favoured by organised cybercrime groups, including botnet-as-a-service2 resources such as Passion Botnet, with the aim of cyber-harassing Western countries that support Ukraine. These groups of independent, civilian hacktivists have emerged as a new component in the conflict. They can be assimilated to a cybercriminal group with specific political objectives and interests, acting out of conviction yet not directly sponsored by any government. Members of such groups have a broad array of origins, technical skills and backgrounds.
The third quarter of 2022 marked a transition to a wave of DDoS attacks, in contrast to the first quarter of 2022, which saw a range of different kinds of attacks, divided more or less equally among data leaks and theft, DDoS attacks, espionage, influence campaigns, intrusion, ransomware, phishing, wiper and infostealer attacks3. Cyber attackers have since favoured DDoS attacks (75%) against companies and governments. This systematic harassment often has a low operational impact but sustains a climate of anxiety among security teams and decision-makers. Their objective is not to have a major operational impact but to harass targets and discourage them from supporting Ukraine.
On the other end of the spectrum, wiper attacks can destroy an adversary’s systems, and long-term espionage can undermine the integrity of an adversary’s security apparatus, but such techniques take much longer to prepare and require more resources. Destructive cyber-military operations, along with espionage, account for only 2% of the total number of incidents and are mainly targeted at Ukrainian public-sector organisations.
Russian authorities regularly use cyber to harass their adversaries without engaging in direct confrontation.
Acts of cyber warfare are still taking place in Ukraine – as we saw with the ATK256 (UAC-0056) attack against several Ukrainian public bodies on the anniversary of the conflict (February 23, 2023 ) – yet they are drowned out in the eyes of Westerners by constant cyber harassment.
Thales’s contribution to the protection of critical infrastructure
Thales provides cybersecurity solutions for nine of the top ten Internet giants and helps to protect the information systems of more than 130 government agencies and essential services providers. With more than 3,500 cybersecurity experts, the company provides governments and critical infrastructure operators with integrated incident detection and response solutions, including cyber threat intelligence, sovereign probes, Security Operation Centres and encryption systems to prevent data breaches. Organised around three families of products and services – sovereign products, data protection platforms and cybersecurity services – the Group’s portfolio of cyber solutions generated a combined total of more than 1.5 billion euros in sales in 2022.