State Of The Cyberwar: Threat Actors Escalate Against NATO, Ukrainian Allies

As Russia’s invasion of Ukraine has evolved into a slow, grinding war, an apparent deadlock in cyberspace has led pro-Russian threat actors to turn their attention to foreign targets seen as responsible for keeping Ukraine in the fight. This increase in cyberwarfare activity lining up with Russian objectives has sounded a call within NATO to draw harsher lines and bolster cohesion.

Setting the Stage

Last month, NATO wrapped up its summit in Vilnius, Lithuania. The summit covered Sweden’s accession to the alliance, as well as some disagreement over whether Ukraine should receive a definite timeline for its own membership.

A portion of the summit focused on an increased need for cooperation between NATO and partner nations for a unified and proactive stance on cyberwarfare. The head of the alliance’s “Cyber and Hybrid Policy” division, Christian-Marc Lifländer, listed a number of concerns and suggestions for both compliance and incident response.

Lifländer has expressed concern that there is still no clear vision for proactive defense in an alliance originally built for kinetic threats. He believes the threat is growing, and that not enough is being done in what NATO considers a “permanently contested space.”

There’s almost a race to the bottom, whereby investments are not necessarily made, capabilities are not necessarily developed, until something happens. So it’s almost as though you’re going along with this contestation, hoping that you’re not really affected until you are. We have to accept that we have a role to play and figure out what is the acceptable level of violence, if I may say so, that we can live with.

Christian-Marc Lifländer – NATO Cyber and Hybrid Policy Chief

Marius Madescu of the Romanian armed forces and U.S. Army Capt. Joseph Puntoriero, a civil affairs officer with U.S. Special Operations Command Central, engage in scenario play during Exercise Locked Shields 2023 at the Morgantown Readiness Center in Morgantown, W.Va. Photo by Maj. Holli Nelson April 2023

The messaging comes at an intense moment for the war in Ukraine. On the cyber front, there has been a sharp increase in activity by nation-state-affiliated threat actors against NATO and Ukrainian-aligned targets.

Mainstream news has been dominated by a number of incidents regarding the security of the Black Sea after the collapse of the Grain Deal and subsequent Russian missile attacks. Mixed messages have been propagated about the nine-week-old Ukrainian counter-offensive, which risks poisoning broad public perception of Ukraine’s chances for the first time since the invasion began.

With so much going on, the cyber domain has unsurprisingly taken a back seat. It’s an oversight that could prove costly.

Shifting Fire From Ukraine To Its Allies

It goes without saying that NATO‘s current cyber engagements relate largely to the war in Ukraine. However, a number of reports in 2022 indicated that Ukraine may, broadly, be winning the cyberwar. Russia’s performance in the early days of the invasion was underwhelming, and the widely expected attack on a scale similar to 2017’s Petya or NotPetya never materialized.

Check Point Research indicates that this is certainly not for a lack of effort on Russia’s part, and that there may, in fact, have been a change in strategy altogether on both sides.

To its own credit, Ukraine has been under constant siege by Russian cyberwarfare assets since 2014. The outpouring of international goodwill toward the country after the full-scale invasion began has allowed Ukraine to channel those years of expertise into the IT Army of Ukraine. The organization attracted volunteer hacktivists from all over the world, and receives its marching orders relatively transparently from Ukrainian government affiliates.

None of this can be said for most of Ukraine’s allies.

As time passes, it’s become apparent to Russia’s own volunteers, and perhaps even groups directly tied to the Kremlin, that it may be a better use of their cyberwarfare resources to attack Ukraine’s supporters, instead.

This graph indicates the average number of cyber-attacks per week on government and military organizations. As can be seen, attacks by Ukraine’s supporters against Russia have rapidly outpaced a dwindling number of attacks from Russia on Ukraine itself as of Q3 2022. Image created by Check Point Software Technologies February 2023

Numerous Incidents And Threat Actors, Many Claimed By KillNet

Check Point Research‘s findings have also shown that, since the decline in Russia’s cyberattacks in October of last year, there has been a significant increase in attacks on both the US and UK, and an extremely sharp rise in attacks against Estonia, Poland, and Denmark.

Following up on the previous graph, this one shows a likely turning point of October 2022 for the shift in pro-Russian hacktivists’ targets. Image created by Check Point Software Technologies February 2023

Much of this work has been done by hacktivists more decentralized than those aligned with the IT Army of Ukraine. Organized mostly via Telegram, the supporters of Russia’s invasion include numerous patriots, outright cybercriminals for hire, and even groups affiliated with other nation-states, varying in capability and morals. One major hub for this activity has been the Telegram channels associated with a group discussed many times on this blog: KillNet.

While it’s not entirely clear at this point whether KillNet takes directives from the Kremlin, they have become the poster child for low-level DDoS and defacement attacks against NATO and pro-Ukrainian targets. Since June of this year, KillNet has publicly shifted to a for-profit model, opened itself up to collaboration with threat actors from other parts of the world, and grown substantially in sophistication since bringing them in. They’ve begun to operate as a sort of public-facing competitor to the IT Army, though they are structured more like a group such as GhostSec or Anonymous. Unlike either of those groups, however, KillNet goes out of its way to claim responsibility for attacks, rather than having novel threat actors claim allegiance to it.

In the past several months, they have asserted an affiliation with a number of other threat actors, which I will opt to highlight independently. Some of the following information comes from this report by Mandiant Intelligence, which demonstrates substantial evidence connecting these dots. While I have a high degree of confidence in Mandiant‘s work, I definitely wouldn’t put it past KillNet and their alleged founder, KillMilk, to take credit for attacks that had nothing to do with them. Considering that the group now operates on a profit model, it would behoove KillNet to muddle the attribution process to gain impressions. In previous Moloch material, KillNet‘s own exaggerated claims of attacking Rheinmetall and SWIFT have made appearances.

Mandiant‘s report cautions similar suspicion. Examples provided show that the group previously claimed involvement by Conti and REvil that could not be verified, likely to raise its profile.

“…[KillNet‘s] claims often appear to outpace documentable shifts in the collective’s operations.”

Mandiant Intelligence July 2023

With all of those caveats established, the important conclusion was that the number of individual groups has increased, and that the operations being carried out are in lock-step with Russian strategic objectives.

This graph indicates the distribution of KillNet targeting mirrors. Image created by Mandiant July 2023

What’s clear from both reports is that the vast majority of attacks, since Ukraine’s October counteroffensive, have shifted from Ukraine itself to its international partners.

Anonymous Sudan

Anonymous Sudan‘s profile has risen over the past seven months as one of the most aggressive and prolific users of DDoS attacks.

While often discussed in current events as a clearly Russian-backed, KillNet affiliate, Anonymous Sudan began as a religiously and politically motivated hacktivist group claiming to be from Sudan.

Since January 2023, they have been conducting denial-of-service attacks against European countries, targeting Swedish and Danish organizations and critical infrastructure in response to the actions of far-right activist Rasmus Paludan.

Critical to note here, and something that lends credibility to some of the accusations of Russian origin: the action they were responding to was an Islamophobic demonstration that Paludan claimed would only stop when Sweden was admitted to NATO. Furthermore, Paludan’s initial demonstration was sponsored in part by part-time Russia Today/Ruptly employee Chang Frick. Frick denies that this was at the behest of Moscow, and says he acted on his own personal values regarding free speech.

KillNet later claimed Anonymous Sudan as an ally and affiliate. Anonymous Sudan expanded its attacks globally, targeting France, Israel, Australia, India, and the United States. In June 2023, they started extorting victims through Telegram messages while disrupting services with DDoS attacks. Their attacks are characterized by UDP and SYN floods originating from thousands of unique IP addresses, leveraging cloud servers and open proxies. As of June, the group had clashed multiple times with Microsoft, being responsible for a number of DDoS attacks against the tech giant and claiming to have conducted a massive data breach.
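To make that traffic pattern concrete, here is an added detection example, not code from the original post or from any of the vendors cited: a small Python triage script that aggregates one-second connection summaries per destination port and flags a SYN flood (a large share of connection attempts stalled at SYN, from many distinct sources) and a UDP flood (a high packet rate from many distinct sources). The record format, the thresholds, and the sample traffic are all constructed for this example; tune the thresholds to the real baseline of the service you are protecting.

```python
"""
Volumetric-flood triage over connection summaries (added example; constructed data).

Each input line summarises one client->server connection attempt inside a one-second
bucket, in a Zeek-conn.log-like shape (assumed format for this example):

    <ts> <src> <dst> <dport> <proto> <client_flags> <pkts>

client_flags is cumulative: "S" means only a SYN was ever sent (half-open),
"SA" means SYN then ACK (handshake completed), "-" for UDP.
"""
from collections import defaultdict

# Assumed thresholds: tune to the protected service's normal baseline.
MIN_UNIQUE_SOURCES = 50   # many distinct sources == spoofing, open proxies or a cloud fleet
MIN_HALF_OPEN = 100       # SYNs per second that never progressed to an ACK
HALF_OPEN_RATIO = 0.9     # share of TCP attempts that stalled at SYN
MIN_UDP_PPS = 1000        # UDP packets per second aimed at one port


def parse_line(line: str):
    ts, src, dst, dport, proto, flags, pkts = line.split()
    return int(ts), src, dst, int(dport), proto, flags, int(pkts)


def bucket_stats(lines):
    """Aggregate per (second, dst, dport): half-open SYNs, completed handshakes, UDP pkts, sources."""
    stats = defaultdict(lambda: {"half_open": 0, "completed": 0, "udp_pkts": 0, "srcs": set()})
    for line in lines:
        ts, src, dst, dport, proto, flags, pkts = parse_line(line)
        s = stats[(ts, dst, dport)]
        s["srcs"].add(src)
        if proto == "tcp":
            if flags == "S":          # SYN sent, never acknowledged by the client
                s["half_open"] += 1
            elif "A" in flags:        # handshake completed: a real client
                s["completed"] += 1
        elif proto == "udp":
            s["udp_pkts"] += pkts
    return stats


def detect_floods(lines):
    """Return one alert dict per (second, dst, dport) bucket that looks like a SYN or UDP flood."""
    alerts = []
    for (ts, dst, dport), s in sorted(bucket_stats(lines).items()):
        n_src = len(s["srcs"])
        tcp_total = s["half_open"] + s["completed"]
        if (tcp_total and s["half_open"] >= MIN_HALF_OPEN
                and s["half_open"] / tcp_total >= HALF_OPEN_RATIO
                and n_src >= MIN_UNIQUE_SOURCES):
            alerts.append({"kind": "syn_flood", "ts": ts, "dst": dst, "dport": dport,
                           "half_open": s["half_open"], "unique_srcs": n_src})
        if s["udp_pkts"] >= MIN_UDP_PPS and n_src >= MIN_UNIQUE_SOURCES:
            alerts.append({"kind": "udp_flood", "ts": ts, "dst": dst, "dport": dport,
                           "udp_pkts": s["udp_pkts"], "unique_srcs": n_src})
    return alerts


def constructed_sample():
    """Synthetic traffic: a SYN flood on :443, a UDP flood on :53, and a quiet web host."""
    lines = []
    # 200 distinct sources, each leaving one half-open SYN on 203.0.113.10:443 at t=1000
    for i in range(200):
        lines.append(f"1000 192.0.2.{i + 1} 203.0.113.10 443 tcp S 1")
    # a handful of real clients that completed the handshake in the same second
    for i in range(5):
        lines.append(f"1000 198.51.100.{i + 1} 203.0.113.10 443 tcp SA 12")
    # 150 sources (open proxies / cloud hosts) sending 8 packets each at a resolver
    for i in range(150):
        lines.append(f"1000 198.51.100.{i + 50} 203.0.113.20 53 udp - 8")
    # benign host: 20 completed connections from 20 sources, no alert expected
    for i in range(20):
        lines.append(f"1000 198.51.100.{i + 1} 203.0.113.30 443 tcp SA 30")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(constructed_sample()):
        print(alert)
```

The half-open ratio is what separates a flood from a legitimate traffic spike: real clients complete the handshake. Before blocking on an alert, pair it with a source lookup (cloud provider ranges, known open-proxy lists), since flood traffic from rented infrastructure shares address space with legitimate users.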

In a March 2023 report by Trustwave, it was determined that there was nothing to confirm Anonymous Sudan‘s connection to Sudan. Trustwave notes that the primary case for such an origin is that the group consistently declares defense of “Islamic values” and opposition to “degeneracy” as the reason behind its actions. This was also its stated reasoning for attacking the fanfiction hosting site, Archive of Our Own (AO3).

While most of Anonymous Sudan‘s notoriety has come from attacking targets in NATO or in countries directly aligned with Ukraine, this threatens to undersell how much damage the group has been doing to African nations, particularly Kenya. The group has been escalating its attacks against various government services throughout the month of July.

Threat made on the Anonymous Sudan channel. July 27

On a final note regarding Anonymous Sudan, the cyberintelligence blogger Intelcocktail was able to conduct an interview with their representative, “Z”. During the interview, he found a number of their behaviors suspicious and consistent with individuals located in Russia. He was also able to trace the creation of many of their channels to Russian IP addresses and geolocation, though it is possible that this was obfuscation on their part.

Asylum Ambuscade

Image taken from this article by iZOO logic

Asylum Ambuscade is a cybercrime group engaging in both low-level phishing attacks to steal money or cryptocurrency and deeper cyber espionage. Their nature has been harder to pin down, and they seem to have been content to maintain a low profile since the invasion of Ukraine started. Their name is not derived from any public-facing persona, but from the name given to their first well-documented campaign, in which the group phished Ukrainian military personnel and used the stolen credentials to gather intelligence on the placement of Ukrainian refugees in Europe.

They have been operating since at least 2020. The attribution to Asylum Ambuscade rests on the use of a toolset that includes the Sunseed credential stealer, which was seen in 2020 attacking bank customers in North America. According to researchers at ESET, this variant of the malware is not available on the black market or dark web, which indicates that it belongs strictly to this group.

Their espionage campaigns involve spearphishing emails with malicious attachments, including documents exploiting Windows vulnerabilities. The group deploys various downloaders and implant tools, mostly developed in script languages like Lua, AutoHotkey, Tcl, and VBS, to carry out their operations.

Their operations have also targeted cryptocurrency traders in various regions, primarily North America and Europe. In 2022 they also used this toolset against government entities in Europe and Central Asia, specifically Armenia, and it was established that they had successfully phished over 4,500 victims that year.

Since March 2023, there have been indications that an updated version of their malware was found in phishing emails to various European and NATO governments.

Researchers believe that Asylum Ambuscade is mostly a for-profit criminal group that occasionally ventures into cyber espionage on a paid basis. Both types of campaigns share similar compromise chains, tools, and infrastructure, with only the mildest modifications. It’s highly likely that the group is a relatively secretive team of cybercriminals willing to be hired by state interests. Their origin remains unknown for now. While no other source seems to have noted this connection, Infosecurity Magazine indicates a similarity in tactics and goals to threat actors from North Korea.

Cozy Bear/Cloaked Ursa

Cozy Bear, also known as Cloaked Ursa and APT29, is an extremely sophisticated Russian threat actor with a firmly established connection to Kremlin intelligence agencies, specifically the SVR (the Foreign Intelligence Service). They conduct advanced cyber espionage attacks against targets largely in NATO and the European Union. It has been established that they were behind the December 2020 SolarWinds Compromise. Cozy Bear‘s malware toolkit includes various sophisticated tools like HAMMERTOSS, SeaDuke, WellMess, and SUNBURST.

The group employs spear-phishing and infected websites to collect information from diplomatic entities and foreign ministries. Recently, they have shifted to targeting diplomats themselves directly, with at least 22 foreign missions in Kyiv affected. One of the group’s most recent phishing campaigns made international headlines when they used as a lure a sale listing for a BMW 5 series that actually existed outside the Polish mission in Kyiv.

The campaign appeared to be as simple as sending the ad to a largely public email list; when the link for “More high quality photos” was clicked, the diplomats were redirected to malware.

GRU Teams (Sandworm, Fancy Bear, Cadet Blizzard)

In April of last year, Microsoft‘s Digital Security Unit released a special report, with much of its data sampled at the time leading up to the invasion of Ukraine. Part of this report highlighted that some of the threat actors expected to be most active during the conflict were directly associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, a group better known by its Soviet-era abbreviation, the GRU. This is Russia’s primary Military Intelligence apparatus.

This is an important distinction within any discussion of attacks on countries outside Ukraine, as it means that Russian military personnel have been shown, with confidence, to be actively attacking targets in countries with which Russia is not at war.

In the time since the report, attribution to these units has become more reliable, and Microsoft has identified what they believe to be an entirely new group, Cadet Blizzard.

Image originally created by Microsoft in April 2022, altered for this article

APT28, also known as Fancy Bear, has been actively engaging in cyber attacks against a broad array of global targets. Infamously involved in a series of events during the 2016 US presidential election, the group has historically relied on stealing and then leaking data. They have been active in-theater since the beginning of the war, including in the time since the October counteroffensive. Their targets have included numerous infrastructure sectors, as well as military and security organizations, especially in Transcaucasian and NATO-aligned states. Since the beginning of the invasion, satellite communications, including those provided to Ukraine by the US, have been targeted by conventional Russian forces. One of Fancy Bear‘s highest-profile appearances in the war was an attack in April on an unnamed US satellite internet provider. In the months before the incident, CISA distributed a warning about the group’s attempts to deploy malware on Cisco devices, and has broadly pushed SATCOM infrastructure to harden its security posture.

Known as the primary threat actor responsible for the devastating NotPetya attacks in 2017, Sandworm, also identified as GRU Unit 74455, has continued its destructive activities throughout Ukraine since the invasion. Sandworm seems to be the GRU‘s most sophisticated actor when it comes to novel malware with complex applications, though its activities have so far remained focused on targets in Ukraine. In February 2022, Sandworm allegedly released the Cyclops Blink malware, enabling backdoor access into network devices and demonstrating its ability to construct potentially large-scale botnets. It demonstrated its advanced capabilities through a targeted blackout attempt in Ukraine in April 2022 using an Industroyer malware variant. Sandworm was also attributed a wiper attack in January of this year that leveraged Active Directory, showcasing its continually advancing methods. Prior to the invasion, its attacks had impacted targets the world over, including major logistics corporations and government services in South Korea, the Netherlands, and the United Kingdom.

Lastly, the group previously tracked as DEV-0586, now identified by Microsoft as Cadet Blizzard, was recently linked to the GRU as well. Cadet Blizzard has been an instrumental player, but attribution remained elusive for much of the war. Their attacks have principally targeted government agencies and IT service providers in Ukraine, utilizing credential stealers and a wiper known as “WhisperGate” that the other GRU threat actors have not used.

As of July 2023, Cadet Blizzard has been more active outside of Ukraine than the others, hitting a range of organizations in Europe, Asia, and Latin America as recently as late June. Their use of compromised credentials, web shells, and other off-the-shelf tools demonstrates the group’s unique place among the three identified GRU threat actors.

NoName057(16)

NoName057(16) has been active since March 2022 and has primarily targeted Ukraine and NATO organizations, especially those critical of Russia’s invasion of Ukraine. Their first recorded attacks were against several Ukrainian media organizations in April of last year, and the group’s activity took off.

They are known for conducting Distributed Denial of Service (DDoS) attacks with extreme regularity. Prior to an investigation into the group by SentinelLabs, they would freely publish their tools on GitHub. Many of their targets appear to be targets of opportunity, sometimes going after every website within a specific sector that they can reach in a short amount of time. These goals almost always align with the political and strategic goals of the Russian state, and are often a reaction to specific political events, such as Poland’s recognition of Russia as a state sponsor of terrorism.

In the past twelve hours, they have claimed responsibility for seven targets, mostly in the Spanish banking sector. This marks the third day of Spain being NoName‘s primary target. This comes as a reaction to Spain’s endorsement of a motion to tighten sanctions on Belarus.

The group, known for organizing its campaigns on Telegram, publicly discusses and makes determinations on targets on a suggestion basis through their so-called “DDosia Project”, even from non-members. In my previous article, I was able to verify that each of their claims regarding a target was true, contrary to the findings with similar groups such as KillNet. The group goes out of their way to notify their followers with proof of their work immediately after an attack is carried out. However, it was found by Avast that this is because the group will only claim responsibility for an attack if it worked. It is Avast‘s estimate that only around 40% of NoName‘s attacks are completely successful.

The group’s highest-profile DDoS to date was its attacks in January of this year on the websites of Czech then-presidential candidate (and now sitting president) Petr Pavel. Pavel had found himself in NoName057(16)‘s crosshairs by strongly supporting a greater commitment to NATO.

NoName057(16) has worked with other pro-Russian groups, including KillNet, but has never claimed to have been part of any other hacking collective.

While there is no explicit connection between NoName057(16) and the Russian government, their pro-Russian stance, their targeting of entities critical of Russia, and the historical context of state-sponsored hacking activities by Russia suggest a potential alignment of interests.

Of every group discussed here, NoName is the most outwardly nationalistic:

NoName post from June 12th, the Russian National Holiday

RomCom/Tropical Scorpius

RomCom is another group that is difficult to pin down. Originally known as Tropical Scorpius, then Void Rabisu (by Trend Micro), and eventually Storm-0978 (by Microsoft), the group is suspected to have Russian origins, though it has tried to point the finger at Hungarian actors, potentially to cover its tracks. It’s unclear when the group was firmly established, but it’s widely accepted that RomCom or some of its members were behind Industrial Spy and Cuba ransomware, which were first detected in 2019.

Like many of the threat actors more associated with intelligence operations, however, they lack a public face or channel to organize around, which indicates that they aren’t looking to recruit or to humor external input.

RomCom primarily targets governmental and military organizations, especially those related to NATO and Ukraine. For now, the name RomCom seems to have been the chosen identifier, based on their attacks utilizing the RomCom RAT malware.

Their attack signature has historically revolved around creating trojanized variants of legitimate software. Through carefully targeted spearphishing campaigns, they have succeeded in getting members of Ukraine’s military, food supply chains, and ICT firms to install the RomCom RAT, which gives the attackers information on the compromised systems and the means to access them remotely. In an attack detected on July 4th and attributed to RomCom, the payload was carried by functional but altered versions of Microsoft 365 products. The documents containing the malicious links mimicked press releases from the Ukrainian World Congress, and appeared to come from an IP address in Hungary.

The campaign appears to have been aimed at participants in the aforementioned Vilnius NATO summit.

SmugX (Possibly RedDelta or Mustang Panda)

Image created for Mustang Panda by Blackberry Security in December 2022

In December of 2022, Check Point Research began tracking a campaign it has identified as SmugX, which seems to mostly be affecting targets in Hungary, the Czech Republic, Sweden, Slovakia, the United Kingdom, and Ukraine.

SmugX seems to be directed mostly at diplomatic targets and organizations dedicated to developing foreign policy. The attacks begin with emails containing documents on issues such as human rights abuses, which direct unsuspecting victims to click on malware or pixel-tracked links. The attacks themselves have been difficult to trace, but researchers have found that the PlugX malware injected by these documents fits the profile of the Chinese threat actors RedDelta and Mustang Panda. PlugX is a remote access trojan.

It is unclear at this point whether the proposed SmugX threat actor was brought in deliberately through the Russian war effort, or whether the new group has an as-yet indiscernible motivation.

Storm-0558

Storm-0558 is a recently identified threat actor, active since May according to the latest publications. Their primary targets are government agencies in Western Europe, and they are known for cyber espionage, data theft, and credential access attacks. Their attacks seem to rely mostly on exploits in Microsoft products. They are believed to originate from China (Microsoft asserts this with moderate confidence).

In July 2023, Microsoft reported a significant attack by Storm-0558. The group had managed to gain unauthorized access to customer data through Microsoft’s Exchange Online service. They exploited a flaw in the token validation process,

Storm-0558 also used PowerShell and Python scripts to perform REST API calls against the OWA Exchange Store service. This allowed them to download emails, attachments, and conversations, and to gather folder information from these customers. Microsoft stated that, before they were stopped, the email accounts of about 25 organizations, not all of which have been disclosed, were attacked. Among the organizations named in the disclosure were the US Department of Commerce and the US State Department. It has not been stated whether the attacks were limited to the US government. According to Valence Security, the attack had the potential to compromise any organization using the Microsoft 365 suite. This includes much of the US government, including the Department of Defense, as well as government departments in the European Union.
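The page does not describe the mechanics of the validation flaw, so what follows is an added, generic illustration, not Microsoft’s code and not a reconstruction of the Storm-0558 technique, of one check every service that accepts signed tokens needs: binding the signing key to the issuer the token claims, rather than accepting a valid signature from any key the service happens to know. The token format is a toy HMAC-signed stand-in for a real access token; the issuer URLs, key IDs, secrets, and claim names are all constructed for this example.

```python
"""
Issuer-bound token validation (added example; constructed keys and claims).

A toy token stands in for a real signed access token so the check runs offline:
    base64url(header) "." base64url(claims) "." base64url(HMAC-SHA256(key, header.claims))
The header carries the key id ("kid"); the claims carry iss, aud and exp.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(key_id: str, key: bytes, claims: dict) -> str:
    """Sign claims with the given key; the kid is written into the header unverified."""
    header = _b64(json.dumps({"alg": "HS256", "kid": key_id}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


# Constructed key material: each issuer publishes its own, separate key set.
ENT = "https://login.example/enterprise"   # assumed issuer URL
CON = "https://login.example/consumer"     # assumed issuer URL
KEYS_BY_ISSUER = {
    ENT: {"ent-key-1": b"enterprise-signing-secret"},
    CON: {"con-key-1": b"consumer-signing-secret"},
}
FIXED_NOW = 1_700_000_000  # fixed clock so the example is deterministic


class TokenError(Exception):
    pass


def _split(token: str):
    try:
        h, b, s = token.split(".")
        return json.loads(_unb64(h)), json.loads(_unb64(b)), _unb64(s), f"{h}.{b}".encode()
    except ValueError as e:  # covers bad padding, wrong part count, bad JSON
        raise TokenError("malformed token") from e


def _check_claims(claims: dict, expected_aud: str, now) -> None:
    now = time.time() if now is None else now
    if claims.get("aud") != expected_aud:
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired")


def validate_lenient(token: str, expected_aud: str, now=None) -> dict:
    """Flawed: looks the kid up across every issuer's keys, so a genuine signature made
    with the wrong issuer's key is accepted as long as the claims say what we want."""
    header, claims, sig, signed = _split(token)
    all_keys = {kid: k for ks in KEYS_BY_ISSUER.values() for kid, k in ks.items()}
    key = all_keys.get(header.get("kid"))
    if key is None or not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig):
        raise TokenError("bad signature")
    _check_claims(claims, expected_aud, now)
    return claims


def validate_strict(token: str, expected_issuer: str, expected_aud: str, now=None) -> dict:
    """Binds the key to the issuer: the kid must come from the key set published by the
    issuer this API trusts, and the token's iss claim must name that same issuer."""
    header, claims, sig, signed = _split(token)
    if claims.get("iss") != expected_issuer:
        raise TokenError("unexpected issuer")
    key = KEYS_BY_ISSUER.get(expected_issuer, {}).get(header.get("kid"))
    if key is None:
        raise TokenError("kid not published by issuer")
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig):
        raise TokenError("bad signature")
    _check_claims(claims, expected_aud, now)
    return claims


def outcome(validator, *args, **kwargs) -> str:
    """Run a validator and report 'accepted' or the rejection reason."""
    try:
        validator(*args, **kwargs)
        return "accepted"
    except TokenError as e:
        return f"rejected: {e}"


def forged_token() -> str:
    """Claims assert the enterprise issuer, but the signature comes from the consumer key."""
    return mint("con-key-1", KEYS_BY_ISSUER[CON]["con-key-1"],
                {"iss": ENT, "aud": "mail-api", "sub": "victim@corp.example", "exp": FIXED_NOW + 3600})


def genuine_token() -> str:
    return mint("ent-key-1", KEYS_BY_ISSUER[ENT]["ent-key-1"],
                {"iss": ENT, "aud": "mail-api", "sub": "user@corp.example", "exp": FIXED_NOW + 3600})


if __name__ == "__main__":
    print("lenient, forged :", outcome(validate_lenient, forged_token(), "mail-api", now=FIXED_NOW))
    print("strict,  forged :", outcome(validate_strict, forged_token(), ENT, "mail-api", now=FIXED_NOW))
    print("strict,  genuine:", outcome(validate_strict, genuine_token(), ENT, "mail-api", now=FIXED_NOW))
```

The lenient validator is not wrong about the signature; the forged token really was signed by a key the service knows. The defect is in scope: a key is only evidence for tokens from the issuer that published it, so the lookup has to start from the trusted issuer, not from the kid the attacker wrote into the header.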

More Threat Actors

The previous list consists of some of the most recent or most ambitious threat actors and cybercriminals attacking Ukraine and its allies, but it is far from complete. If you want to get started reading about even more groups, this list by Bleeping Computer, citing the Google Threat Analysis Group, mentions more. Some nations these threat actors originate from include Iran, Belarus, and North Korea.

The Response From NATO And Ukraine’s Allies

With all of this going on, it’s reasonable to ask, “What exactly is NATO doing?”

In 2016, NATO published the Cyber Defense Pledge, about two years after recognizing “Cyber” as a new domain of operations. It was the first significant promise by the organization to commit to a cooperative approach to cyber security. It is extremely broad, but there are indications that cyber commitments were reworked at the recent summit, though the details are still classified.

While the alliance has carefully avoided being actively engaged in Ukraine, many of these incidents are against organizations directly within NATO‘s borders. Is cyberwarfare not considered sufficiently violent to trigger a NATO “Article 5”? Should responses be considered purely proportional and within the cyber domain? What happens when attacks on hospitals delay life-saving treatments? What happens when a power grid is shut down on a winter night? What happens if important systems at a nuclear power plant are threatened? Despite billions of dollars in losses triggered by cybercrime and cyberwarfare incidents every year, I believe the world at large still hasn’t contended with this reality.

These very important, but very broad questions will have to be addressed in a future article or essay. However, in NATO‘s context, it’s important to remember that much of the work in this space is clandestine, and not all of the actors’ origins and motivations are clear. As seen above, a group claiming to be from one country could turn out to be hired criminals from another. Some of these actors clearly drift between multiple groups at different levels of capability and legitimacy. The exact details may not come out for years. As well, while it may come off as morally dubious, the political sensitivity of some of these incidents certainly has an impact on disclosure.

Cyberwarfare And Article 5

Since Russia began its full-scale invasion in February 2022, NATO Article 5 has entered mainstream discussion. Broadly, Article 5 states that an attack against any member of the alliance is an attack on every member, and that the entirety of NATO can be expected to come to the collective defense. Regarding cyber defense, however, things aren’t so clear.

The treaty text says that Article 5 is invoked when an armed attack occurs. It is also left to the individual parties within the alliance to decide what responses are appropriate and proportional within their own laws.

Within cyberwarfare, what is considered a “crime” and what is considered an “attack” may vary. Until recently, it may have suited member states to retain this ambiguity in order to avoid escalation. While Article 5 was written with kinetic war in mind, the consensus among scholars and NATO states is that cyber operations can rise to the level of an armed attack, but only when the consequences to the victim state are especially grave. This was reinforced in a 2019 statement by Jens Stoltenberg, the NATO Secretary General. That said, no solid definition has been established for what “especially grave” constitutes.

NATO cyber teams at a joint exercise in 2019 taken from War on the Rocks

Predictably: Private/Public Partnerships

Much of the cyber domain consists of privately controlled infrastructure and the intellectual property of companies such as Google or Microsoft. Because of this, major tech corporations and innumerable cybersecurity firms have a role to play in this conflict, both on the front line and in support of Ukraine and the alliance. The acceptance of this reality, and of private sector expertise as a crucial asset, is echoed in this June press release.

One of the core pillars of this cooperation is The Cyber Defense Assistance Collaborative (CDAC), a volunteer initiative by a number of cybersecurity firms to share threat intelligence and training with Ukraine and its allies. It’s this sort of cooperation that’s generated a number of the reports linked in most of these articles. Much of their research has been instrumental in countering the work of the threat actors mentioned above.

Cooperative Training And Intelligence Sharing

It has also been established that since at least January of last year, NATO has been sharing its cyber intelligence with Ukraine. It is speculated that this intelligence may have played a role in limiting the impact of Industroyer2 by Russia’s Sandworm.

Every year since 2010, NATO has increased the scale of its Locked Shields exercise, a “live fire” Capture The Flag event. This year’s included teams from 38 countries. While the wording of the official press release doesn’t technically confirm the presence of Ukraine, this statement, present only on the Ukrainian-language IT Army channels, seems to confirm the implication:

NATO Cyber Command?

“Countries need to stop looking out the window at the Big Bad Wolf, and look over their shoulder. The problem is not external, it’s internal – and that applies to every country, industry sector or company.”

Ross Brewer, chief revenue officer (CRO) at SimSpace

In July, just before the summit, it was suggested that NATO needs to establish a centralized cyber command, modeled on USCYBERCOM. One function of Cyber Command is an approach that looks inward at the security practices of the organizations and departments that work with critical infrastructure and helps them secure their systems from the bottom up. This approach isn’t without criticism, but according to researchers it has led to greater adoption of cybersecurity best practices in North America, with the trend only reversing in the last couple of years. However, Politico credits this to the increased digitization of European businesses during the COVID-19 pandemic:

Final Thoughts And Opinion

I do think NATO could be doing more with the evidence I’ve been presented with, but I also accept that this is a belief stated without having all of the facts.

It will be several years before we have all of the details about what acts of cyberespionage and cyberwarfare have transpired since the invasion began. The war in Ukraine is truly a “hybrid war”, and with that comes its unique brand of fog and obfuscation. This would most certainly also include formal “counter-attacks” or countermeasures developed by NATO state actors.

Incidents incited by threat actors not considered directly associated with governments will always have their attribution published before those tied to state apparatuses. That said, attribution is a slow process, with evidence compiled over the course of years. I would very much like to see what repercussions there are for Russia in response to actions attributed to their own military assets.

At this moment in time, I think it’s easy to criticize Ukraine’s allies and NATO, specifically, but when mixing governance, policy, and military decisions, there are considerations that are important under normal circumstances. The nature of cyberwarfare exacerbates this to an extreme. Something truly unique to the cyber domain is how common criminals, everyday users, private companies, governments, and militaries all occupy the same lane. The war in Ukraine has demonstrated, yet again, how much catching up policymakers will have to do in order to keep cyberspace safe.