NATO summit highlights constant cyber threat facing alliance

As heads of NATO member states gather in Washington for the organization’s annual summit, experts have a reminder: cyber threats to the alliance are ever-larger and evolving.

In a blog post, Mandiant, an American cybersecurity company and a Google subsidiary, points out that NATO is a constant target for its adversaries, who have been growing bolder.

“The alliance faces a barrage of malicious cyber activity from all over the globe, carried out by emboldened state-sponsored actors, hacktivists, and criminals who are willing to cross lines and carry out activity that was previously considered unlikely or inconceivable,” says Mandiant.

As usual, the malicious cyber actors are allegedly working to hurt NATO through “elaborate” disinformation schemes and intelligence gathering.

This isn’t unusual – competing geopolitical or military blocs always seek ways to undermine each other short of trade or kinetic war. According to Mandiant, though, bad actors are also preparing to attack or are currently attacking NATO’s critical infrastructure.

Aggressive and costly

Disruptive and destructive cyberattacks are on the rise, analysts say. According to Mandiant, Iranian and Russian state actors have demonstrated a willingness to carry out such attacks on NATO member states – although they typically hide behind false fronts.

For example, Mandiant described a 2022 destructive attack against the government of Albania for which an alleged hacktivist group called “HomeLand Justice” claimed credit. However, the US government ultimately attributed the attack to Iranian actors.

Mandiant also says that state actors “have the means and motive” to disrupt NATO’s critical infrastructure and are compromising it in preparation for future attacks.

In February, the US Cybersecurity and Infrastructure Security Agency said in an advisory that cyber actors sponsored by China are seeking to “pre-position themselves on IT networks for disruptive cyberattacks against US critical infrastructure in the event of a major crisis or conflict with the US.”

Sandworm, tied to Russian military intelligence and recently elevated by Mandiant to APT44, has been involved in particularly disruptive cyberattacks worldwide. The actor has been deploying ransomware against logistics entities in Poland and Ukraine.

That’s not to say that regular criminal actors and hacktivists are not a nuisance – they have been attacking the public and private sector with renewed vigor, and “criminal activity has become so devastating it has risen to the level of a national security concern.”


“Financially motivated disruptions caused by ransomware are already causing severe consequences across critical infrastructure in NATO states, leading to patient care disruptions in hospitals, energy shortages, and government services outages,” said Mandiant.

“While some criminals have vowed to avoid targeting this critical infrastructure, many remain undeterred.”

Healthcare institutions in the US and Europe have been repeatedly targeted by both Russian-speaking criminals seeking financial gain and North Korean state actors aiming to fund their espionage activities. These types of attacks cost patients’ lives, one study has shown.

China enters stealth mode

Cyber espionage is a constant threat to NATO, Mandiant says. The alliance’s adversaries are seeking to develop insight into the inner workings of the organization and, if possible, to steal its defense technologies and economic secrets.

For example, APT29, a threat group controlled by the Russian Foreign Intelligence Service, usually targets NATO member states in Europe and has been involved in high-profile breaches of tech firms to gain access to the public sector.

“The actor is extremely adept in cloud environments and particularly focused on covering their tracks, making them hard to detect and track, and especially difficult to expel from compromised networks,” say the researchers.

In 2024, all this is very sensitive because NATO is in a transitional period. Mark Rutte, the outgoing Dutch prime minister, has been appointed NATO's next secretary-general, and the alliance needs to shore up its defense posture in the context of Russian aggression in Ukraine.

Mark Rutte. Image by Shutterstock.

“Successful cyber espionage from threat actors could potentially undermine the alliance's strategic advantage and inform adversary leadership on how to anticipate and counteract NATO's initiatives and investments,” says Mandiant.

According to the cybersecurity company, China has been focusing on stealth rather than loud and easily attributed operations in recent years.

Beijing has allegedly been targeting the network edge and exploiting zero-day vulnerabilities in security devices and other internet-facing network infrastructure to reduce opportunities for defender detection.

Chinese cyber spies have also been using operational relay box networks to hide the origin of malicious traffic and, in some cases, forgoing the use of malware altogether to reduce opportunities for defender action.