A new attack geography has taken shape online over the last 12 months. At the very beginning of the recent conflict, the majority of incidents only affected Ukraine (50.4% in the first quarter of 2022 versus 28.6% in the third quarter, 2022), but EU countries have seen a sharp increase in conflict-related incidents over the last six months (9.8% versus 46.5% of global attacks).
Which countries have been affected by the conflict?
In the summer of 2022, there were almost as many conflict-related incidents in European Union countries as there were in Ukraine (85 versus 86), and in the first quarter of 2023, the overwhelming majority of cyber incidents (80.9%) have been inside the borders of the EU.
All the current candidates for European Union integration such as Montenegro and Moldova are being increasingly attacked and targeted (0.7% of attacks in the first quarter of 2022 versus 2.7% at the end of 2022) and Poland as well is under constant harassment, with a record number of 114 incidents of cyber conflict which are related to the conflict over the past year.
War hacktivists have specifically targeted the Baltic countries (157 incidents in Estonia, Latvia and Lithuania) and Nordic countries (95 incidents in Sweden, Norway, Denmark and Finland). Germany saw 58 incidents in the past year, but other European countries have been relatively spared, such as France (14 attacks), the UK (18 attacks), Italy (14 attacks) and Spain (4 attacks).
“In the third quarter of 2022, Europe was dragged into a high-intensity hybrid cyber-war at a turning point in the Ukraine-Russia conflict, with a massive wave of DDoS attacks, particularly in the Nordic and Baltic countries and those located in Eastern Europe. Cyber is now a crucial weapon in the arsenal of new instruments of war in this day and age, alongside disinformation, manipulation of public opinion, economic warfare, sabotage as well as many guerrilla tactics.”
“With the lateralisation of the conflict between Ukraine and Russia to the rest of Europe, Western Europe should be wary of possible attacks on critical infrastructure in the short term if the conflict continues to accelerate.” Pierre-Yves Jolivet, Vice President Cyber Solutions, Thales.
How have war hacktivists escalated the cyber conflict?
Of all cyber-attacks reported across the world since the start of the conflict between Russia and Ukraine, 61% were perpetrated by pro-Russian hacktivist groups, and in particular by Anonymous Russia, KillNet and Russian Hackers Teams, which have emerged since the start of the conflict to mirror the efforts of Ukrainian IT Army hacktivists during the Ukraine war.
These new hacktivist groups are more structured and use the type of resources favoured by organised cybercrime groups, including botnet-as-a-service2 resources such as Passion Botnet, with the aim of cyber-harassing any of the Western countries that support Ukraine. These groups of independent, civilian hacktivists have emerged as a new component in the conflict.
They can be assimilated to a cybercriminal group with specific political objectives and interests, acting out of conviction yet not directly sponsored by any government. Members of hacktivist groups like this have a broad array of origins, technical skills and backgrounds.
What has been the origin of these cyber-attacks?
The third quarter of 2022 marked a transition to a wave of DDoS attacks, in contrast to the first quarter of 2022, which saw a range of different kinds of attacks, divided more or less equally among data leaks and theft, DDoS attacks, espionage, influence campaigns, intrusion, ransomware, phishing, wiper as well as info stealer attacks3. Cyber attackers from all over the world have since favoured DDoS attacks (75%) against several companies and governments.
This systematic harassment often has a low operational impact but sustains a climate of anxiety among security teams and decision-makers. Their objective is not to have a major operational impact but to harass targets and discourage them from supporting Ukraine.
On the other end of the spectrum, wiper attacks can destroy an adversary’s systems, and long-term espionage can undermine the integrity of an adversary’s cybersecurity apparatus, but such techniques take much longer to prepare and require a lot more resources. Destructive cyber-military operations, along with espionage, account for only 2% of the total number of war incidents and are mainly targeted at Ukrainian public-sector firms as well as organisations.
Russian authorities regularly use cyber to harass their adversaries without engaging in direct confrontation. Acts of cyber warfare are still taking place in Ukraine – as we saw with the ATK256 (UAC-0056) against several Ukrainian public bodies on the anniversary of the conflict (February 23, 2023) – yet they’re drowned out in the eyes of Westerners by cyber harassment.
What is Thales’ offering to protection of infrastructure?
Thales provides cybersecurity solutions for nine of the top ten internet giants and helps to protect the IT systems of more than 130 government agencies and essential services providers.
With more than 3,500 cybersecurity experts and professionals, Thales as a company provides governments and critical infrastructure operators with cyber-crime integrated incident detection and IT response solutions, including cyber threat intelligence, sovereign probes, Security Operation Centres and encryption systems to prevent all kinds of data breaches.
Organised around three families of products and services – sovereign products, data protection platforms and cybersecurity services – the Group’s portfolio of globally viable cyber solutions generated a combined total of more than 1.5 billion euros in sales during the course of 2022.
