Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

06:30 PM
Connect Directly

NATO Ambassador: How The Ukraine Crisis Fits Cyber War Narrative

Kenneth Geers previews his Black Hat talk and discusses the strategic military maneuvers governments can make within cyberspace.

When Kenneth Geers, ambassador of the NATO Cyber Centre, first suggested two years ago that there might be a connection between spikes in cybercriminal activity and spikes in geopolitical conflict, there was skepticism. Since then, NATO has declared cyberspace a domain for war and regions of geopolitical strife have also seen their fair share of cyberespionage and cybercrime. What's been learned and has the skepticism waned or grown?   

Geers, who has been living in Ukraine for the past two years, will discuss this in an upcoming session at Black Hat USA, "Cyber War in Perspective: Analysis from the Crisis in Ukraine." The talk will cover some of the work published by 20 prestigious researchers on behalf of the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE), investigating the cyber activity in the region between 2013 and 2015.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.


Two years ago, Vladimir Putin signed a bill incorporating the Crimean peninsula into the Russian Federation, and Russian military forces massed along the Ukrainian border. Geers was a global threat analyst for FireEye at the time, and noticed a spike in malware traffic traced back to Ukraine and Russia at the height of the conflict between the two nations.

Geers tentatively suggested at the time that there could be a connection between the geopolitical climate and the increase in cybercriminal activity, and that this connection could be used for threat intelligence. He received some pushback, at the time, even among colleagues within FireEye.

Since then, however, Ukrainian targets have been hit with more cyberattacks that directly or indirectly impact the country's autonomy.   

Ukrainian presidential elections in 2014 were “completely, utterly, thoroughly hacked,” says Geers. Three days before the election was to be held, a pro-Moscow hacking group attacked the election commission. As a Wall Street Journal feature described:

Its stated goal: To cripple the online system for distributing results and voter turnout throughout election day. Software was destroyed. Hard drives were fried. Router settings were undone. Even the main backup was ruined.

A valiant effort by the election commission's IT staff rebuilt the voting system in time for the election, starting from an offline backup. However, attackers were able to post false election results that appeared to be hosted by the Commission's website -- media outlets reported these false results briefly before they were debunked.

Cyber war skeptics would argue that these attacks didn’t actually change the results of the election, so the impact was minimal, says Geers, who maintains “it degrades the integrity of the government” and the systems on which it relies.

In addition to these moves against elections, there have been cyberattacks on Ukraine's banks, railroads, mining industry, and of course the highly publicized one in December that took down a significant portion of the Ukrainian power grid. 

Skeptics of the very existence or possibility of "cyber war" could point to attacks like these and dismiss them by saying they did not cause death or widespread destruction. They therefore challenge terms like "Cyber Pearl Harbor."  

"People don’t like it," says Geers, "but we talk about ['Cyber Pearl Harbor'] a lot at Cyber Command.”

The term, says Geers, is in reference to the tactical advantage the Japanese forces gained in World War II by the attacks on Pearl Harbor. "It wasn’t meant to win the war. It was meant to create some breathing space.”

Similarly, he says, cyberattacks can be used “to give you a bit of time. An edge.”

Disrupting satellite communications, causing mass blackouts, derailing trains, or stirring up some public unrest, might not be the ultimate goal, but it could be a strategic maneuver in a war. It's something to divert leaders' attention and resources away from something of greater importance. 

Perhaps more sinister, is the possibility of cyberattacks being used to change data. “So the ship goes left, not right. So the agent meets at 2, not 12. Those things could get people killed," and that, says Geers, is not hyperbole. A cyberattack, he says “is not an artillery barrage, but you could lead troops into an artillery barrage” with a cyberattack.

The changes could be smaller, he says, to less critical systems, and maybe socks get sent to the base that needs more bullets and bullets get sent to the base that needs more socks. Regardless, it's a matter of diminished integrity, says Geers -- diminished integrity of data, of systems, and of people.

Once citizens' trust in their own nation is compromised, they could be open to other kinds of manipulation, like "psyops," (psychological operations), the process of changing people's minds -- something Geers says Russian intelligence is particularly good at. 

Regardless of what skeptics believe, NATO officially declared cyberspace a domain for war in June, which would mean that an act of war in cyberspace would initiate a collective response by NATO allies. (Neither Russia nor Ukraine are NATO member countries.)

Geers says that governments will spend “ungodly” amounts to prepare the battle space for the military, and that he's sure they are investing heavily in ways to compromise military vehicles.

"They're floating, driving, and flying computers at this point," he says. 

What has become clear to Geers and his co-authors of the NATO CCDOE book is that as geopolitical tension rises, not only does the amount of malware traffic rise -- as Geers reported in 2014 -- but so does the number of sophisticated cyberattacks. Which one is driving the other?

To this point, says Geers, geopolitics has been driving the cyber activity -- with both intelligence agents and opportunistic financially driven attackers upping their game when the action gets hot. However, he says, “the ubiquity of computers will mean they’ll begin to play a lead role.”

Related Content:

Black Hat’s CISO Summit Aug 2 offers executive-level insights into technologies and issues security execs need to keep pace with the speed of business. Click to register.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Apprentice
7/8/2016 | 6:33:51 AM
Cyber Warfare the Latest Spoof.
Like terrorist attacks hacking and cyberattacks are only really credible when they are effective. Pointing to a smoking ruin, or a bloody massacere or a nuclear program on the rocks is proof that cyber, or other terrorist attacks,  attacks are effective. Claiming to have averted such attacks - as in the election attacks in Ukraine - is as miuch the stuff of fiction as movied adaptation of historical fact.  There is business and vast wealth  in Cyber defense and like any good anti-virus program - discovering your problems and offering a solution for them is the best marketing money can buy.


The lovely thing about cyber attacks is that they create excuses, fingers can be pointed and the 'proof' is not really required (or comprehensible).  Much like the current Ukrainian political  situation.
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-24
A vulnerability in the system Service Menu component of Avaya Aura Experience Portal may allow URL Redirection to any untrusted site through a crafted attack. Affected versions include 7.0 through 7.2.3 (without hotfix) and 8.0.0 (without hotfix).
PUBLISHED: 2021-06-24
Stored XSS injection vulnerabilities were discovered in the Avaya Aura Experience Portal Web management which could allow an authenticated user to potentially disclose sensitive information. Affected versions include 7.0 through 7.2.3 (without hotfix) and 8.0.0 (without hotfix).
PUBLISHED: 2021-06-24
** UNSUPPORTED WHEN ASSIGNED ** An information disclosure vulnerability was discovered in the directory and file management of Avaya Aura Utility Services. This vulnerability may potentially allow any local user to access system functionality and configuration information that should only be availab...
PUBLISHED: 2021-06-24
** UNSUPPORTED WHEN ASSIGNED ** A privilege escalation vulnerability was discovered in Avaya Aura Utility Services that may potentially allow a local user to execute specially crafted scripts as a privileged user. Affects all 7.x versions of Avaya Aura Utility Services.
PUBLISHED: 2021-06-24
** UNSUPPORTED WHEN ASSIGNED ** A privilege escalation vulnerability was discovered in Avaya Aura Utility Services that may potentially allow a local user to escalate privileges. Affects all 7.x versions of Avaya Aura Utility Services.