Russian-sponsored hackers have conducted a series of phishing attacks against NATO countries, according to a new industry report.
Palo Alto Networks found phishing emails sent by cyber spies working for Russia’s foreign intelligence service, the SVR, who hosted their lures on online storage services such as Google Drive and Dropbox. Because those domains are widely trusted, links to them are far less likely to be blocked by email filters than links to attacker-owned infrastructure, which helped the campaign avoid detection.
The messages, which were sent between May and June this year, used an apparent agenda for an upcoming meeting with an ambassador as their bait.
A spokesperson for Dropbox said: “We can confirm that we worked with our industry partners and the researchers on this matter, and disabled user accounts immediately.”
The hackers are thought to be the same group that is alleged to have breached SolarWinds in 2020, a supply-chain attack that gave Russia access to the networks of at least nine US government agencies.
Following that attack, Microsoft President Brad Smith called the incident “the largest and most sophisticated attack the world has ever seen”.
It’s unclear whether this attack was intended to give the Russian government access to NATO networks, although it’s certainly possible. Phishing emails can be used to steal login credentials or plant malware on victims’ systems, giving attackers an array of options when targeting victims.
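The tactic described above, putting the lure on a storage service whose domain already has a good reputation, means URL blocklists alone will not catch it; what a mail pipeline can do is flag the combination of an external sender and a link to a file-sharing host. The script below is an added example written for this page, not code from the original report or from Palo Alto Networks. It parses constructed sample messages, extracts links to a short list of cloud-storage hosts and flags any message where such a link arrives from outside the organisation. The host list, the internal domain `example.org` and the sample messages are all assumptions.

```python
"""Flag inbound mail that points the reader at a file on a public cloud-storage
service. Everything below (hosts, internal domain, sample messages) is
constructed for illustration and is not taken from the report."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Hosts that legitimately serve shared files and therefore enjoy good URL
# reputation. A link to one of these is not malicious in itself, so the
# script only raises a flag for a human or a downstream rule to act on.
CLOUD_SHARE_HOSTS = {
    "drive.google.com", "docs.google.com", "dropbox.com", "www.dropbox.com",
}
INTERNAL_DOMAINS = {"example.org"}          # assumption: our own mail domain
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed lure, modelled on the "meeting agenda" bait described above.
LURE = """\
From: Protocol Office <protocol@example-embassy.test>
To: staff@example.org
Subject: Agenda for the meeting with the Ambassador
Content-Type: text/plain; charset="utf-8"

Dear colleague,
Please review the agenda ahead of tomorrow's meeting:
https://drive.google.com/file/d/1AbCdEfGhIjK/view
"""

# Constructed benign message: same kind of link, but from an internal sender.
INTERNAL = """\
From: Alice <alice@example.org>
To: bob@example.org
Subject: Shared minutes
Content-Type: text/plain; charset="utf-8"

Minutes are here: https://www.dropbox.com/s/abc123/minutes.pdf?dl=0
"""


def _body_text(msg):
    """Concatenate the text/plain and text/html parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_content())
    return "\n".join(parts)


def cloud_share_links(msg):
    """Return every URL in the body whose host is a known file-sharing service."""
    links = []
    for url in URL_RE.findall(_body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if host in CLOUD_SHARE_HOSTS:
            links.append(url)
    return links


def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """Parse one raw RFC 822 message and decide whether it deserves a flag."""
    msg = email.message_from_string(raw, policy=policy.default)
    links = cloud_share_links(msg)
    external = sender_domain(msg) not in INTERNAL_DOMAINS
    return {
        "subject": str(msg["Subject"]),
        "sender_domain": sender_domain(msg),
        "external_sender": external,
        "cloud_share_links": links,
        "flag": external and bool(links),
    }


if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("internal", INTERNAL)):
        print(name, triage(raw))
```

The rule deliberately does not block on its own: a flagged message should be routed to a sandbox or an analyst, because the same link shape is used every day for legitimate document sharing. Sender checks based on the From: header are also only a first pass; in production the decision should rest on authenticated results (SPF, DKIM and DMARC) rather than on the display address alone.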
How worried should we be about SVR?
Although Russia has long been associated with nefarious hacking activities, it is far from the only national government to employ hackers.
The extent of this became apparent during the pandemic, when governments were eager to gather intelligence on how other states were handling the crisis.
This wasn’t limited to the big players, such as Russia, the US, Iran and North Korea. Intelligence analysts noted that plenty of less-active states used cyber espionage more aggressively, particularly given the lockdown restrictions and the limits on traditional spying methods.
John Hultquist, Director of Threat Analysis at FireEye, described the situation as “a free-for-all […] and with good reason – you don’t want to be the intelligence agency that doesn’t have a good answer for what’s going on”.
However, there is a substantial difference between cyber espionage, which aims to collect information quietly, and disruptive or destructive attacks. This point should be emphasised given that these latest attacks were conducted against NATO, which is supporting the Ukrainian resistance against Russia’s invasion.
One also needs to look at who orchestrated the attack. This incident was instigated by the SVR, Russia’s foreign intelligence service. The UK government has said the service “predominantly targets overseas governmental, diplomatic, think-tank, healthcare and energy targets for intelligence purposes.
“It is technologically advanced, developing capabilities to try to operate undetected against countries in Europe, NATO members and its near neighbours.”
By contrast, many of the Russian-sponsored attacks that have hit the headlines were the work of the country’s military intelligence agency, the GRU. Those attacks, such as the breach of the DNC (Democratic National Committee) in the run-up to the 2016 US presidential election, have been more direct and more visible.
The SVR is known for covert operations. For example, following the DNC attack, researchers discovered that the SVR had already been present on the same network for about a year before the GRU’s intrusion.
If it hadn’t been for the GRU’s involvement, the group might well have gone undetected for longer and done lasting damage.
That cyber security researchers detected the attack on NATO promptly is a positive sign. Attackers are almost always one step ahead of their targets, who must play catch-up to identify new hacking techniques and address vulnerabilities.
The growing number of cyber attacks in recent years has led to an increased awareness of the threat, with decision makers understanding that they must invest in defences.
Although not every organisation is likely to be targeted by state-sponsored hackers, incidents such as this demonstrate both the ubiquity of cyber attacks and the benefits that come with an effective defence.