As Russia’s war in Ukraine sputters, Russian hackers have turned their focus on NATO. While preventing the expansion of NATO has ostensibly been a major goal of Vladimir Putin’s brutal adventurism, it appears that the opposite has happened. Not only have NATO allies become more united since the war began, but the defense bloc has welcomed multiple overtures to join its ranks. Sweden and Finland, once reluctant to join NATO, have in recent weeks advanced their candidacies to join the alliance.
During a video address by Ukrainian president Volodymyr Zelenskyy to the Finnish parliament on April 8, a cyberattack briefly knocked the websites of the Finnish Foreign Affairs and Defense Ministries offline. The websites were quickly restored without lasting damage or data loss. Many digital forensics specialists linked the hack to a Russian source. “We don’t know if this was Russian patriotic hackers or an entity linked more directly to [the] Russian government … but I have no doubt that the attack was Russian.” said Mikko Hyppönen, a prominent Finnish cybersecurity executive at cybersecurity firm WithSecure. Hyppönen went on to conclude that if “Russia is trying to scare us with these attacks, they are failing.”
Sweden, for its part, has begun warning its citizens and preparing for further Russian aggression, though no major attacks have been reported recently.
Sweden and Finland have already joined the Estonia-based NATO Cooperative Cyber Defense Center of Excellence (CCDCOE) as contributing participants, and Ukraine itself recently joined the cyber alliance. NATO nations voted unanimously to admit Ukraine, correcting their refusal to do so in 2021. The CCDCOE regularly holds “Locked Shields,” the world’s largest cyber defense exercise, and has published The Tallinn Manual, a non-binding academic study on how international law applies to cyber conflict. Now, on the eve of their ascension to NATO, both nations face the dilemma of enhancing their national security posture without provoking the ire of their belligerent neighbor. Kim Elman, director of the center for cybersecurity at RISE, a Swedish government-owned research institute, anticipates that Russia will launch long-term cyber espionage campaigns against his country for committing the cardinal sin of joining NATO. Mikko Hyppönen has voiced similar concerns.
Indeed, although Russia finds itself bogged down in eastern Ukraine, Russia’s cyber troops face no such physical impediments. Microsoft recently published a study based on the regional use of its near-ubiquitous operating system and tools. The study “detected Russian network intrusion efforts on 128 organizations in 42 countries outside Ukraine.” Russian hacking attempts have successfully penetrated defenses about 29 percent of the time, according to Microsoft. While only about a quarter of detected intrusions successfully exfiltrated data, it is impossible to know about undetected intrusions and their degrees of success. Microsoft noted that the United States and Poland, both of which have been instrumental in delivering humanitarian and military aid to Ukraine, have been targeted the most by Russian hackers in recent months. Microsoft also found increased cyber activity in Finland and Sweden.
U.S. Cyber Command, which serves as the U.S. military’s elite hacking service, confirmed last month that it has conducted a “full spectrum” of offensive, defensive, and information operations in support of Ukraine. Given Cyber Command’s tight connections to the CCDCOE and individual European nations like Poland, Ukraine is likely not alone in receiving American backup in cyberspace.
It is not just Ukraine’s most active benefactors, however, who have been targeted. Estonia, Norway, and Lithuania have also been caught in Russia’s digital crosshairs.
The Estonian government is no stranger to Russian cyberattacks. In 2007, a cyberattack disabled Estonian media websites, banking machines, and other civilian infrastructure. Estonian cyber experts identified Russia as the likely culprit, largely because the attack occurred shortly after the relocation of a Soviet-era statue in Tallinn, which generated a significant outcry among Russian internet users and diplomats. The Estonian government quickly learned from the 2007 attack, which lasted twenty-two days and was, at the time, the largest recorded cyberattack against one country. In response, Estonia created the CCDCOE and rapidly upgraded its government and civilian digital infrastructure such that its sophistication and operational security have become the envy of the developed world. As James Lewis, director of the strategic technologies program at the Center for Strategic and International Studies, noted, “the Ukrainians have been looking at the Estonians as a model for how to respond to or how to defend against Russian cyber action and so that’s where it’s significant.”
Lithuania has also come under fire from Russian cyber actors. Lithuania’s acting director of the National Cyber Security Centre, Jonas Skardinskas, said last month that the disruption could be characterized as a distributed denial of service (DDoS) attack that targeted Lithuania’s Secure National Data Transfer system and other government systems and private companies. Skardinskas warned that “it is highly probable that such or even more intense attacks will continue into the coming days, especially against the communications, energy and financial sectors.”
An openly Russian-backed hacking group known as Killnet has claimed responsibility for the hack against Lithuania. The hackers claimed the cyberattack was in retaliation for Lithuania’s decision to halt the shipment of some goods to the Russian exclave of Kaliningrad, which sits between Poland and Lithuania. Lithuania’s deputy defense minister, Margiris Abukevicius, claimed that “the main targets are state institutions, transport systems, and media websites.”
Meanwhile, in Norway, Killnet has been disrupting online systems because of a Russian grievance over an Arctic coal mining settlement. Norway recently restricted Russian access to the Barentsburg mining settlement site through its territory. Through its telegram channel, Killnet clearly states that its actions are taken to exact revenge against Jens Stoltenberg, the Norwegian secretary-general of NATO. The cyber gang asserts that Russia has been harmed by NATO having reached an agreement with Turkey that will allow Sweden and Finland to become members of the alliance. Killnet seeks to punish Norway due to Stoltenberg’s nationality. Another telegram message reads: “I forgot to introduce you to our number one enemy, Jens Stoltenberg. This devil must answer for the life of every Russian soldier. His family must also respond, his grandchildren and his supporters.”
The Norwegian National Security Authority reported that a governmental data network had been the target of a DDoS attack that temporarily brought down internet services in the country. The National Security Authority’s chief, Sofie Nystroem, told local broadcasters that “we are quite certain that no sensitive information was taken.” The local police department stated in a press release that its websites were also attacked.
It is understood from the attenuated stated reasoning behind these attacks that Russia has resorted to lashing out against those countries exacerbating its resource issues, as well as those responsible for perceived slights to its national pride. Erling Shackt, chief technology officer at Check Point, one of the world’s largest IT security companies, notes that Killnet is a very large and capable player in the cyber realm. According to Shackt, “every week, Killnet attacks a new country in accordance with geopolitical developments. Most often, this leader of hacktivism also suggests and defines the goals of other pro-Russian groups. The group claims to control a botnet of 4.5 million units. If this is true, it is one of the largest active botnets in the world at the moment.” As impressive and dangerous as this may sound, it is worth noting that despite the repeated threats, Killnet and its cousins have only recently succeeded in creating a nuisance for their targets. Since Moscow’s renewed conflict with NATO and Ukraine re-ignited, Russian combatants have often relied on DDoS attacks when targeting Russia’s perceived foes. These attacks, which use a relatively basic means of cyberattack, leave an open question: why, as Russia’s understood strategic goals in the conflict continually recede from its grasp, has this perceived cyber heavyweight not escalated its tactics? Even as Russia seems to be stalling and taking hits on all fronts, the bear seems nearly impotent in the cyber theater. Whether this stems from the smaller European nations’ increasingly collectivized defense or Moscow’s fear of escalating beyond its current capabilities, it is becoming increasingly clear that Russia’s once unquestioned notoriety as a cyber juggernaut is coming under more intense scrutiny, and collective security arrangements like NATO are gaining prominence.
Aaron Crimmins, Esq. is a cyber strategy and governance consultant and writer based in San Diego, California. He tweets @00crims.