
Email bombings: Russian cyber espionage campaigns attack NATO

2024-03-25T05:08:06.648Z



The hacker organizations known as Fighting Ursa and Cloaked Ursa attacked military, diplomatic, public and private entities in European countries with infected emails in 2022 and 2023


There is another war against Russia being fought every day.

It is fought in the digital trenches, through infected emails, and NATO members are already involved in it.

On the one hand, there are the hacker organizations known as Fighting Ursa (APT28) and Cloaked Ursa (APT29), which the US and UK governments have linked to the Russian state.

On the other, workers in the public and private sectors of the Atlantic alliance, who by simply clicking on a malicious message can open the doors to the Kremlin's cyber spies.

“Cyberspace is tested at all times and evil actors seek to affect the infrastructure of NATO members, interfere with government services, extract intelligence and steal intellectual property,” a NATO spokesperson explained to EL PAÍS.

The spokesperson corroborates that Russia's relationship with groups like APT28 and APT29 is "well documented," and that the alliance agrees that they are linked to Russian intelligence services.

“The allies have also attributed a series of cyber events to groups associated with the Russian state and have imposed sanctions on individuals associated with them,” they add from the alliance.

Since 2022, some 13 cyberattacks have been officially attributed (or at least assessed as "probable") to Fighting Ursa and two to Cloaked Ursa, according to data collected by the Cyberpeace Institute, a non-governmental organization specialized in cyber threats and financed by companies such as Microsoft and Mastercard.

The main targets of these groups were entities based in Ukraine (particularly in Kyiv), but operations were also recorded against institutions located in Poland, the United States and Belgium (Brussels).

Eight of these attacks were aimed at data extraction or espionage, according to the NGO.

In most cases, emails were the main means of infiltration.

“All cyberespionage groups aim to steal information that allows their respective States to obtain some type of geopolitical or strategic advantage,” a spokesperson for the National Cryptological Center (CCN) of the National Intelligence Center of Spain explains to this newspaper.

That said, the entity speculates that these hackers are probably looking for information that supports Russian war efforts, given their links to military and intelligence structures in this country.

“In the specific case of APT28 and APT29, the usual targets in the public sector are government institutions and critical infrastructures.

In the private sector, the common objectives are defense, technological, energy, financial and transportation companies,” the CCN details.

Outlook, car sales and poisoned PDFs

An investigation by cybersecurity firm Palo Alto Networks, however, estimates that at least 30 military, diplomatic, government and private entities in NATO countries, spread across 14 countries, were the target of malicious Fighting Ursa email campaigns between 2022 and 2023. A spokesperson for this company has detailed exclusively to EL PAÍS that six of them were military, three were diplomatic, and the rest belonged to the public or private sector.

Specifically, 26 of the targets were European, including embassies and ministries of defence, foreign affairs, interior and economy, as well as at least one NATO Rapid Deployment Force.

In the context of this operation, institutions in Ukraine, Jordan and the United Arab Emirates (which are included in the 14 affected countries despite not being members of the Atlantic alliance) were also attacked.

“The main objective of these attacks is to obtain the information necessary to impersonate.

This allows the attacker to illicitly access and maneuver within the network,” a spokesperson for the cybersecurity firm tells this newspaper.

That said, Palo Alto Networks highlights that they do not know if any of these campaigns have managed to extract any type of critical information.

The company warns that, in some cases, these emails do not even have to be opened to contaminate the computer.

In fact, those used for the latest Fighting Ursa campaigns are based on a “vulnerability” in the Microsoft Outlook program, which is automatically activated when the victim receives a “specially crafted” email.

The company emphasizes that this software flaw can leak target information without user interaction, allowing the hacker to spoof credentials and subsequently authenticate to the victim's network.

In the case of Cloaked Ursa, Cyberpeace Institute experts explain to this newspaper that the two officially attributed attacks were directed at the headquarters in Belgium of several countries belonging to NATO, but also at government entities of the European Union.

“Cyber attacks against targets outside the two belligerent countries demonstrate how operations can extend to nations they support through military or humanitarian aid, financial sanctions or political support,” observes a Cyberpeace Institute spokesperson.

However, the group is also reported to have tried to infiltrate NATO diplomatic missions in Ukraine on numerous occasions (including the Spanish, Danish, Greek and Dutch missions).

In fact, Palo Alto Networks investigations record two operations between 2022 and 2023, in which the identity of diplomats was impersonated through fake emails containing malicious files.

The first lure was a tampered version of a sales flyer for a BMW car, which a Polish official was offering at the time.

The second simulated invitations from the Portuguese or Brazilian embassies, and contained PDF files contaminated with programs capable of extracting information stored in both Google Drive and Dropbox.

A screenshot of the sales flyer for a BMW that Cloaked Ursa used to try to infiltrate NATO embassies.

“Cloaked Ursa conducts phishing attacks by leveraging lures to force targets to click on emails, often playing on people's curiosity.

Whether it's this advertisement for a low-cost BMW for diplomats, or using the topic of the earthquake in Turkey, or Covid-19.

They use these email subject lines to entice their targets to click on the links,” details a Palo Alto Networks spokesperson.

The company claims that Cloaked Ursa used “publicly available” embassy email addresses for approximately 80% of the targets of the BMW operation, while the remaining 20% would have been collected as part of other Russian intelligence operations.

A NATO spokesperson responded to EL PAÍS that the organization has no evidence that the Atlantic alliance's classified networks have been compromised by actors linked to these organizations during these operations.

Likewise, she highlighted that "in recent days", the allies have individually taken new measures to deactivate a "cyberpiracy network" related to APT28.

Along similar lines, a spokesperson for the Spanish Ministry of Foreign Affairs responded to this newspaper that “to date, no attempted attack through this email mechanism or any other has been successful at any headquarters, including that of Kiev”, and that these types of threats are automatically filtered and eliminated by “corporate antivirus solutions.”

The attribution problem

While there are other Russian hacker organizations (such as Conti or People's CyberArmy), only Fighting Ursa and Cloaked Ursa have been directly linked to the Russian state.

Specifically, experts from the CCN, Palo Alto Networks and the Cyberpeace Institute all agree that Cloaked Ursa is believed to be connected to the Russian foreign intelligence service (SVR), while Fighting Ursa has been linked to the Main Intelligence Directorate of the General Staff (GRU) of Russia.

Experts emphasize that these attributions have also been made publicly by the governments of the United States and the United Kingdom, and by companies in the technology sector such as Microsoft.

So why is there no retaliation against the Kremlin if so many entities attribute these attacks to them?

The problem is having enough certainty to make a direct accusation.

Mira Milosevich, senior researcher for Russia, Eurasia and the Balkans at the Elcano Royal Institute, explains that the expert analysis of these cases often takes a long time and that it is quite difficult to find conclusive evidence.

“Authorship is one of the biggest problems in this type of cyberwar.

A good hacker hides his action.

For example, the physical territory usually does not coincide with the country of the group of people who are carrying out the campaign.

If an attack comes from Venezuela or Cuba, this does not necessarily mean that their governments are behind it.

No one can prove that Vladimir Putin has ordered a cyber attack against NATO.

No state talks about the hackers it has,” the expert tells this newspaper.

Along these lines, she points out that hackers leave “crumbs” with the intention of confusing anyone who wants to investigate an attack.

For their part, the CCN agrees that the attribution of cyber attacks based exclusively on technical evidence is “one of the most complex tasks today.”

However, they add that, regardless of the geographical origin of the attacks carried out by both cyber espionage groups, what does seem clear is that they must be sponsored by a State.

“The infrastructure and tools they use, together with the complexity and objectives of their attacks, are only within the reach of highly dedicated groups, with many resources and extensive technical knowledge.

This is only possible if they operate as part of the structure or with the support of an Intelligence Service,” a spokesperson for the National Cryptological Center assures this newspaper.

Allied response

The CCN indicates that both Spain and allied countries have significantly increased monitoring and detection capabilities in recent years.

“More and more information is shared about hostile actors, since they are global threats that can only be faced jointly,” the entity states.

“NATO has designated cyberspace as a warfighting domain and has recognized that an adverse cyber campaign could trigger the Alliance's collective defense clause.

While allies are responsible for the security of their national cyber networks, the organization supports their cyber defenses by exchanging real-time information on threats and providing training and expertise,” a NATO spokeswoman explains to this newspaper.

The spokesperson adds that the Atlantic alliance also carries out the largest cyber defense exercise in the world and has teams of experts prepared to help allies in the event of a cyber attack.

“As most networks are privately owned, we are also expanding our links with the industry.

Cyberspace is an area in which the Alliance will continue to operate and defend itself as effectively as it does in the air, land and sea,” they point out from the organization.

For her part, Milosevich adds that, after the cyber attack on Estonia in 2007, NATO is already contemplating military responses to these events.

However, she believes that the development of technological capabilities is “so accelerated” that laws normally lag behind, which creates bureaucratic barriers.

“The first phase of hybrid warfare is the control of cyberspace and information.

In the case of Russia this is very well developed.

Valeri Gerasimov, chief of the Russian General Staff, has an article that says that the difference with previous wars is the control of this space,” the expert explains to this newspaper.

That said, the researcher at the Elcano Royal Institute believes that the weakest factor in the cybersecurity chain is always the human factor, and that along with emails, the Russians have developed a whole repertoire of means to hack mobile phones and access confidential or sensitive information by digital means.

“The Russians never sleep and always spy.

To paraphrase a well-known phrase from Stanislav Levchenko, if you look for your technological vulnerabilities you will find the heirs of the KGB,” the expert jokes.


Source: elparis
