
Geopolitics and cyberespionage: A survey of the hacker groups who are targeting the Western world

Cybercriminals take advantage of program glitches and human psychology to infiltrate institutions and extract information of use to the governments that fund them

[Image: A faceless hacker in a room with multiple screens and information streams. Photo: Sutthichai Supapornpasupad (Getty Images)]
Luis Alberto Peralta

Cyber operations are changing global geopolitics, or at least, that’s how European cybersecurity experts see it. The governments of Russia, China, Iran and North Korea have been linked to such campaigns, as have the United States and United Kingdom governments and companies like Microsoft. They are being carried out by hacker organizations that have launched hundreds of espionage, sabotage and misinformation initiatives in recent years. Amid this panorama, a NATO spokesperson told EL PAÍS that cyberdefense has become one of the coalition’s “main priorities,” proof of the growing importance of such operations on the global chess board.

“NATO allies have made it clear that China and Russia represent the biggest state-sponsored cyber threats, and have linked a series of cyber incidents to groups that are associated with the two countries. The Kremlin is also participating in a coordinated campaign of hostile acts against countries from the Alliance, including sabotage, cyberattacks and misinformation,” says the NATO spokesperson. The Chinese and Russian governments have repeatedly and emphatically denied any connection with cybercriminal groups.

The NATO spokesperson says that cyberattacks often seek to “degrade our critical infrastructure, interfere with our government services, extract intelligence, steal intellectual property and impede our military activities.” Additionally, NATO has recognized cyberspace as a “domain of operations” and has acknowledged that malicious cybernetic campaigns could “lead the North Atlantic Council to invoke Article 5 of the North Atlantic Treaty,” its collective defense clause.

The spiderweb of advanced persistent threats (APTs) is wide-reaching and poorly understood. Experts agree that definitively establishing a link between governments and such organizations is nearly impossible, since these groups regularly cover their tracks with false evidence. Still, consensus exists among Western governments and other entities that there is enough evidence to be able to assume certain ties.

The CyberPeace Institute, a research center, says that among the most relevant and dangerous organizations are Sandworm, Fighting Ursa (APT 28) and Cloaked Ursa (APT 29), which various institutions have linked to Russian intelligence agencies; and Comment Panda (APT 1), Double Dragon (APT 41) and Bronze Vinewood (APT 31), which have been associated with the Chinese state apparatus. At the same time, a handful of other organizations has been linked to Iran and North Korea. Worldwide, there are thought to be at least 150 organizations of this kind.

Their prevalence led the European Union to impose economic and mobility sanctions on six new cybercriminals on June 24. The EU applied such measures to 12 entities and 14 individuals linked to digital operations carried out against European infrastructure and institutions, as confirmed by European Commission sources to EL PAÍS. For their part, the United States and the United Kingdom issued sanctions in March against Chinese individuals who were linked to APT 31 and have accused Beijing of sponsoring cyber espionage, though Xi Jinping’s government has emphatically denied any involvement.

Modus operandi

Hackers take advantage of software errors and human vulnerabilities to infiltrate their adversaries’ networks. Richard De la Torre, technical product marketing manager at Bitdefender, explains that these groups often initiate operations through malicious emails directed at high-level targets. Once a person opens them and their network has been compromised, the attackers run their malicious programs or launch attacks designed to disable defense mechanisms.

“For example, the Sandworm group sent infected Microsoft Office documents to specific employees with high-level access who worked for the Ukrainian electrical system. Once they are set up within the organization, they spread laterally to infect critical systems. They set up control connections that facilitate reconnaissance and data leakage,” says the expert.

One example of this is a campaign that was uncovered last year by cybersecurity firm Palo Alto Networks. The company says that at least 30 military, diplomatic, governmental and private entities in 14 NATO countries were the target of Fighting Ursa’s malicious email campaigns between 2022 and 2023. Twenty-six of these targets were European, among them embassies and ministries of defense, foreign relations, interior and the economy, as well as at least one NATO rapid deployment force.

Recently, Palo Alto Networks also released a memo announcing that Chinese hacker organizations carried out cyberespionage operations against other Asian countries, including Laos, Cambodia, Myanmar, the Philippines, Japan and Singapore. The company announced in November that, according to its research, an unidentified Chinese group had been carrying out a campaign targeting Middle Eastern, African and Asian political entities since at least the end of 2022. “An analysis of this threat actor’s activity reveals long-term espionage operations against at least seven governmental entities. The threat actor performed intelligence collection efforts at a large scale, leveraging rare email exfiltration techniques against compromised servers,” stated the company’s report.

Analysts at Mandiant, a Google subsidiary that focuses on digital security, explain that Chinese cyber groups are known for their stealth. “Cyber espionage coming out of China has significantly evolved in recent years, distancing itself from loud, easy-to-identify operations in order to focus more on stealth. Investments in technology have funded successful campaigns against governmental, military and economic targets in the NATO member states and have increased the challenges for those defending these systems,” says John Hultquist, chief analyst at Mandiant Intelligence, in a recent report.

When it comes to Iran, Bitdefender finds that the cybercriminal groups ShroudedSnooper and Cobalt Sapling have been linked to the country’s Ministry of Intelligence and Ministry of Security and have been involved in multiple attacks directed at telecommunications and governmental entities in the Middle East, particularly in Israel. Elsewhere, the North Korean group Lazarus stands out for the virulence of its ransomware attacks and for its attack on Sony in 2014.

The targets of campaigns carried out by these groups can vary. According to the experts consulted for this article, it depends on the interests of the origin country and intelligence agencies with which they are linked. “Normally, they are operations related to the recovery of information that can give a geostrategic advantage to the country with which these groups are linked. Still, we also find economic motivations, like those of some of the campaigns carried out by groups associated with the North Korean government geared towards obtaining financing with which to overcome the economic blockade,” says Josep Albors, director of research and awareness at ESET España, a cybersecurity software company.

Cybersecurity experts also emphasize that state-sponsored groups can be distinguished from ordinary cybercriminal organizations by assessing their objectives. “The biggest motivation of criminal groups is making money as quickly and easily as possible. In contrast, what the organizations sponsored by states are looking for is to infiltrate the enemy’s infrastructure for as long as possible. They look to collect information or find out how their targets are going to confront certain geopolitical situations,” explains Jens Monrad, Mandiant’s director of threat intelligence in Europe, the Middle East and Africa. The representative of the Google subsidiary says that, in the case of hacktivist groups, their actions resemble those of an “angry mob,” which serves to tell them apart from state-sponsored groups.

Digital battlefield

Experts agree that state-sponsored operations in the digital field are growing exponentially, thanks to current geopolitical instability. “Hacker groups are playing an increasingly prominent role in current conflicts and areas of heightened tension. For example, we have seen the creation of new malware specifically created for the Russia-Ukraine conflict. Another example is the formation of a group of volunteers known as the Ukrainian IT army, which has carried out various cyberattacks on behalf of Ukraine during the ongoing war,” says Ari Novik, malware analyst at CyberArk Labs. CyberPeace Institute experts estimate that a total of 3,255 cyberattacks have been executed by at least 126 Russian actors against Ukraine since 2022.

“From a financial point of view, it’s easier to carry out this kind of operation than send a person to another country as a spy. Those agents can be captured and represent a risk for the country that sends them out. In the digital world, you can achieve similar objectives while running much less risk,” says Monrad.

Bitdefender’s De la Torre agrees that the current situation supplies “abundant fuel” for state-sponsored cybercriminals. In fact, the expert says that the Verizon Data Breach Investigations Report for 2023 shows that 20% of attacks and infiltrations were carried out by state-sponsored hacker organizations. He anticipates that in the next globally relevant elections and Olympic Games, we could see different campaigns carried out by these state-sponsored cybercriminal groups.

The expert adds that a recent example of how this type of operation is changing the nature of global conflicts took place in December 2023, when Ukraine’s biggest telecommunications provider, Kyivstar, was paralyzed by a cyberattack attributed to Russian cybercriminals. “In retaliation, Ukrainian hackers attacked Russia’s largest water utility plant, encrypting data and successfully disrupting operations,” Bitdefender reports.

Western response

Experts say that Western governments are cooperating to develop their cyber resilience, specifically through organizations like the European Union and NATO. The latter alliance presented its cybersecurity strategy at the end of 2020 and has continuously been adding new laws, like the Cyber Solidarity Act that was proposed in April 2023. At the same time, after the invasion of Ukraine, the European Commission launched its EU cyberdefense policy to help improve its cyber capabilities. On top of these initiatives are NATO’s coordination, exercises and training activities, through which experts from its member states are learning to respond to these kinds of situations.

Nonetheless, experts think there is still much to be done. “In the Western world, we are still evaluating how to respond to these threats. Something that continues to be debated, for example, is proportionate response to these attacks. NATO already recognizes the digital space as a domain of operations and is considering how to react. Still, it has yet to be determined how to do this without escalating the situation. The method has not yet been found, or at least, has not been openly communicated,” says Monrad. “Nonetheless, European organizations are improving the way they respond and perhaps, this is something governments should focus on,” he adds.

Monrad has not ruled out the idea that the West should have similar organizations sponsored by its own governments. “All developed countries recognize that these technologies have become tools for disruptive activities, which means that it’s highly probable that they are already using them. What must be underlined is that in Europe there is much more transparency when it comes to knowing how budgets are being used, and that allows us to see if they are financing this kind of attacks,” he concludes.
