NATO faces an evolving cyber threat landscape from emboldened state actors, hacktivists, and criminals, with risks extending beyond military targets to hospitals and civil society amid the Ukraine conflict. Google Threat Intelligence notes growing espionage, disinformation, and disruptive actions that could affect NATO’s resilience, underscoring the need for strong private-sector and international collaboration. #NotPetya #PRESSTEA #APT29 #APT44 #Ghostwriter #COLDRIVER #CARR #Prigozhin
Key points
- NATO contends with a global mix of aggressors—state-sponsored actors, hacktivists, and criminals—targeting intelligence, critical infrastructure, and public trust, with the Ukraine war intensifying activity.
- Cyber espionage against NATO focuses on diplomatic and political intelligence, supply-chain access, and cloud-environment operations, employing both traditional social engineering and more advanced tradecraft.
- China-linked operations are shifting toward stealthy, edge-focused, zero-day exploitation, relay networks (ORBs), and living-off-the-land techniques to evade detection.
- Disruptive and destructive campaigns, including NotPetya and PRESSTEA, show a willingness to disrupt NATO members and infrastructure, sometimes via legitimate-looking fronts or signaling attacks on supply chains.
- Hacktivists and cybercriminals threaten NATO with DDoS, ransomware, and disruption of essential services, including healthcare and energy, raising national-security concerns.
- Disinformation and information operations, including Ghostwriter/UNC1151 and COLDRIVER campaigns, continue to undermine NATO unity and public opinion, with enforcement actions by Google across products and platforms.
- Outlook emphasizes persistent cyber threats that continue regardless of armed conflict, demanding ongoing private-sector collaboration and multinational defense efforts to seize the initiative in cyberspace.
MITRE Techniques
- [T1566] Phishing – Spear-phishing campaigns against NATO members with a focus on diplomatic entities. Quote: “The actor has long history of spear-phishing campaigns against NATO members with a focus on diplomatic entities.”
- [T1090] Proxy – Use of operational relay box (ORB) networks and proxies to hide the origin of malicious traffic. Quote: “The use of operational relay box (ORB) networks to hide the origin of malicious traffic.”
- [T1059] Command and Scripting Interpreter – Living off the land to reduce detection, using legitimate tools and system features to move and act. Quote: “Living off the land techniques use legitimate tools, features, and functions available in the system to traverse networks and carry out malicious activity.”
- [T1203] Exploitation for Defense Evasion – Exploiting zero-days in security devices and network edge to evade detection. Quote: “12 zero-days… many of which were in security products that reside on the network edge.”
- [T1486] Data Encrypted for Impact – Destructive use of ransomware like NotPetya to disrupt operations. Quote: “NotPetya” described as a global destructive attack.
- [T1070] Indicator Removal on Host – Attacker efforts to cover their tracks, evade detection, and resist expulsion from compromised networks. Quote: “covering their tracks, making them hard to detect, and especially difficult to expel from compromised networks.”
Indicators of Compromise
- [Malware] NotPetya and PRESSTEA (Prestige) – cited as high-profile destructive/ransomware campaigns. NotPetya referenced as a destructive attack; PRESSTEA described as a disruptive ransomware operation.
- [Threat Actor] APT29 (SVR) and APT44 (Sandworm, FROZENBARENTS) – publicly attributed groups with operations against NATO/European targets; APT29 linked to diplomatic/political intelligence and supply-chain access; APT44 associated with Ukraine disruptions and broader destructive campaigns.
- [Campaign/Operation] Ghostwriter/UNC1151 – long-running information operations campaign targeting regional actors to push anti-NATO narratives; supported by UNC1151 for cyber-enabled influence.
- [Campaign/Operation] COLDRIVER – Russian cyber espionage actor targeting NGOs, government, and military entities with credential phishing and hack-and-leak activity; involved in Brexit-related and UK/EU political manipulation.
- [Campaign/Operation] CARR (Cyber Army Russia Reborn) – hacktivist group conducting water facility disruption and other politically driven actions.
Read more: https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-facing-nato/