From Ukraine to the Whole of Europe: Cyber Conflict Reaches a Turning Point

  • The February 2023 report by Thales's Cyber Threat Intelligence unit reviews one year of cyber-attacks across Europe.
  • The third quarter of 2022 marked a turning point in cyber-attacks related to the conflict in Ukraine, with a clear transition from a cyber-war focused on Ukraine and Russia to a high-intensity hybrid cyber-war across Europe. The cyber-war is targeting Poland and the Baltic and Nordic countries in particular, with an increasing focus on critical national infrastructure in sectors including aviation, energy, healthcare, banking and public services.
  • From targeted destruction campaigns to guerrilla cyber-harassment, pro-Russian hacktivists are using DDoS[1] attacks to make servers temporarily inaccessible and disrupt services. They are part of Russia's strategy to engage in information warfare as a way to wear down public and private organisations.

PARIS -- Thales:

Eastern and Northern Europe on the front lines of the cyber conflict

A new attack geography has taken shape over the last 12 months. At the very beginning of the conflict, the majority of incidents only affected Ukraine (50.4% in the first quarter of 2022 versus 28.6% in the third quarter), but EU countries have seen a sharp increase in conflict-related incidents in the last six months (9.8% versus 46.5% of global attacks).

In the summer of 2022, there were almost as many conflict-related incidents in EU countries as there were in Ukraine (85 versus 86), and in the first quarter of 2023, the overwhelming majority of incidents (80.9%) have been inside the European Union.

Candidates for European integration such as Montenegro and Moldova are being increasingly targeted (0.7% of attacks in the first quarter of 2022 versus 2.7% at the end of 2022) and Poland is under constant harassment, with a record number of 114 incidents related to the conflict over the past year. War hacktivists have specifically targeted the Baltic countries (157 incidents in Estonia, Latvia and Lithuania) and Nordic countries (95 incidents in Sweden, Norway, Denmark and Finland). Germany saw 58 incidents in the past year, but other European countries have been relatively spared, such as France (14 attacks), the UK (18 attacks), Italy (14 attacks) and Spain (4 attacks).

"In the third quarter of 2022, Europe was dragged into a high-intensity hybrid cyber-war at a turning point in the conflict, with a massive wave of DDoS attacks, particularly in the Nordic and Baltic countries and Eastern Europe. Cyber is now a crucial weapon in the arsenal of new instruments of war, alongside disinformation, manipulation of public opinion, economic warfare, sabotage and guerrilla tactics. With the lateralisation of the conflict from Ukraine to the rest of Europe, Western Europe should be wary of possible attacks on critical infrastructure in the short term if the conflict continues to accelerate." Pierre-Yves Jolivet, VP Cyber Solutions, Thales.

From war hacktivists to cyber-harassment

Of all cyber-attacks reported worldwide since the start of the conflict, 61% were perpetrated by pro-Russian hacktivist groups, and in particular by Anonymous Russia, KillNet and Russian Hackers Teams, which have emerged since the start of the conflict to mirror the efforts of Ukrainian IT Army hacktivists early in the war. These new groups are more structured and use the type of resources favoured by organised cybercrime groups, including botnet-as-a-service[2] resources such as Passion Botnet, with the aim of cyber-harassing Western countries that support Ukraine. These groups of independent, civilian hacktivists have emerged as a new component in the conflict. They are comparable to a cybercriminal group with specific political objectives and interests, acting out of conviction yet not directly sponsored by any government. Members of such groups have a broad array of origins, technical skills and backgrounds.

The third quarter of 2022 marked a transition to a wave of DDoS attacks, in contrast to the first quarter of 2022, which saw a range of different kinds of attacks, divided more or less equally among data leaks and theft, DDoS attacks, espionage, influence campaigns, intrusion, ransomware, phishing, wiper and infostealer attacks[3]. Cyber attackers have since favoured DDoS attacks (75%) against companies and governments. This systematic harassment often has a low operational impact but sustains a climate of anxiety among security teams and decision-makers. Their objective is not to have a major operational impact but to harass targets and discourage them from supporting Ukraine.

On the other end of the spectrum, wiper attacks can destroy an adversary's systems, and long-term espionage can undermine the integrity of an adversary's security apparatus, but such techniques take much longer to prepare and require more resources. Destructive cyber-military operations, along with espionage, account for only 2% of the total number of incidents and are mainly targeted at Ukrainian public-sector organisations.

Russian authorities regularly use cyber to harass their adversaries without engaging in direct confrontation.

Acts of cyber warfare are still taking place in Ukraine – as we saw with the ATK256 (UAC-0056) attack against several Ukrainian public bodies on the anniversary of the conflict (February 23, 2023) – yet they are drowned out in the eyes of Westerners by constant cyber harassment.

Thales's contribution to the protection of critical infrastructure

Thales provides cybersecurity solutions for nine of the top ten Internet giants and helps to protect the information systems of more than 130 government agencies and essential services providers. With more than 3,500 cybersecurity experts, the company provides governments and critical infrastructure operators with integrated incident detection and response solutions, including cyber threat intelligence, sovereign probes, Security Operation Centres and encryption systems to prevent data breaches. Organised around three families of products and services – sovereign products, data protection platforms and cybersecurity services – the Group's portfolio of cyber solutions generated a combined total of more than 1.5 billion euros in sales in 2022.

About Thales

Thales (Euronext Paris: HO) is a global technology leader serving the Aerospace, Defence and Digital Identity & Security markets. Our solutions help to make the world safer, greener and more inclusive.

We invest close to 4 billion euros a year in Research and Development, driving innovation in key areas such as quantum technologies, cloud architectures, 6G and cybersecurity.

With 77,000 employees in 68 countries, the Group generated revenues of 17.6 billion euros in 2022[1].

_______________________________

[1] Excluding Transport business, which is being divested

More information:
Cybersecurity solutions | Thales Group
Cyberthreat Hitmap (thalesgroup.com)

[1] A distributed denial-of-service attack (DDoS) aims to make one or more services unavailable either by exploiting a software or hardware vulnerability or by saturating a network's bandwidth to deny access to users.
[2] Sale or rental of a proxy network to other malicious actors for use in launching cyber-attacks.
[3] Phishing is an attempt to lure a user into divulging information. A wiper is a type of malware used to erase data from an infected system. An infostealer is a type of spyware used to collect information from a system.

Contacts

PRESS CONTACT:

Thales Media Relations
Marion Bonnet
+33 (0)6 60 38 48 92
marion.bonnet@thalesgroup.com
