There has long been a military red line that NATO says Russia must not cross. Now it has drawn a cyber red line.
On May 3, the German government denounced APT28 for a cyberattack against the SPD political party using a Microsoft Outlook vulnerability that allowed “data to be leaked without user interaction”. Germany took a very strong diplomatic position, summoning Russia’s representative, and then recalling its own Russian ambassador for talks. Annalena Baerbock, the German foreign minister, added, “This is absolutely intolerable and unacceptable and will have consequences.”
On the same day, but separately, Czechia’s Ministry of Foreign Affairs (MFA) issued a statement: “[Czechia] strongly condemns activities of the Russian state-controlled actor APT28, who has been conducting a long-term cyber espionage campaign in European countries.”
On the same day, but separately, NATO released a statement: “We stand in solidarity with Germany following the malicious cyber campaign against a political party, in this case the Social Democratic Party…” The statement notes further malicious activity “in Lithuania, Poland, Slovakia and Sweden.”
On the same day, but separately, an EU statement declared: “[The EU and member states] strongly condemn the malicious cyber campaign conducted by the Russia-controlled Advanced Persistent Threat Actor 28 (APT28) against Germany and Czechia.”
On the same day, but separately, the UK issued a statement: “The United Kingdom has joined with its international partners to condemn malicious cyber activity by the Russian Intelligence Services.”
This is clearly a strong and coordinated statement by NATO allies warning Russia to curtail the activity of APT28. However, the only specific accusation is an attack against a political party, which would normally be classified as cyberespionage rather than cyberwar. Espionage is generally denounced but tolerated because it is statecraft used by everyone rather than warcraft practiced by nations in a declared state of war.
‘Cyberwar’ is only attributed to destructive attacks, especially against critical industries, that lead to death or harmful disruption. In this case, there is no such specific allegation against Russia. The NATO group statements do, however, include several hints about the real concerns.
The German statement includes, “In addition to cyber espionage, Russia also considers cyber sabotage as options for action, with collateral damage and spillover effects being ruthlessly accepted.” The UK said this case “is the latest in a known pattern of behaviors by the Russian Intelligence Services to undermine democratic processes across the globe.” This is, remember, almost a global election year.
Czechia said, “Cyberattacks targeting political entities, state institutions and critical infrastructure are not only a threat to national security, but also disrupt the democratic processes on which our free society is based.” NATO said, “We remain committed to countering the substantial, continuous and increasing cyber threat, including to our democratic systems and our critical infrastructure.” The EU added, “The EU will not tolerate such malicious behavior, particularly activities that aim to degrade our critical infrastructure, weaken societal cohesion and influence democratic processes.”
Although the attack against the German SPD is technically cyberespionage, the NATO countries are primarily concerned about election interference and destructive attacks against critical industries. These two activities are often considered as separate threats, with election interference as more annoying than seriously harmful. This is wrong, and underestimates Russia’s long term objectives: weakening liberal democracies simultaneously strengthens Russia’s physical position.
The first notable instance of Russian election interference came with the US 2016 elections. Given the time necessary to plan and implement such activities, it can be considered as concurrent with Russia’s annexation of Crimea in 2014. That annexation was the beginning of the Russia/Ukraine war, and the start of the active intent to ‘annex’ the whole of Ukraine. The thorn was, and remains, NATO.
Russia’s intent in election interference – in both the US and Europe (including the Brexit referendum) – is always to return as many pro-Russia or at least Russia-sympathetic politicians as possible. And if that weakens NATO, that is simply a major bonus. Simultaneously, Russia has been searching for, and recruiting and supporting, individual European politicians with a more favorable view of Russia. The attack against the SPD should be seen in this light – the acquisition of usable personal intelligence. It is no coincidence that the rise of the ‘far right’ in Europe with sympathies toward Russia has spiraled during the same period.
The result of Russian election interference is that it makes both cyberwar and kinetic war easier and potentially more successful, and is a major part of ongoing Russian hybrid warfare. But why has NATO voiced such a coordinated and forceful statement right now? SecurityWeek turned to John Hultquist, chief analyst at Mandiant Intelligence.
“The difference is that this is APT28. Its modus operandi is to hack and leak, and it’s getting too close to the elections for comfort. Even though cyberespionage is sort of the status quo, election interference by hacking and leaking is considered beyond the pale.” So, for interfering with western liberal democracies by hacking and leaking – which is what APT28 does – NATO is warning Russia not to cross the line.
It’s worth noting that APT28 is not alone in this type of activity. Although all the NATO countries specify APT28, the UK is alone in mentioning Star Blizzard. In December 2023, the UK exposed attempted Russian cyber interference in politics and democratic processes. On the same day, CISA issued a similar advisory against Star Blizzard: “The Russia-based actor is targeting organizations and individuals in the UK and other geographical areas of interest.”
In February 2024, Mandiant detected APT29 also targeting German political parties. In its report, published March 22, 2024, Mandiant notes: “This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions.”
APT28 is run by the GRU, Russia’s military intelligence agency. Star Blizzard is run by the FSB, Russia’s Federal Security Service (successor to the Soviet Union’s KGB, and the principal security agency). APT29 is run by the SVR, Russia’s external intelligence service with a focus on political intelligence.
The GRU, the FSB, and the SVR are Russia’s three primary intelligence agencies, and they are all active in the run-up to the liberal democracy elections this year. The purpose is beyond any reasonable doubt: to shape them to Russia’s benefit. The only remaining question is, ‘why are the NATO countries focusing on APT28?’
On May 9, 2024, Bloomberg reported, “Russian sabotage, spying and Intimidation Is spreading in Europe: from London to Berlin; GRU seen as behind a series of attacks.” This is physical, not cyber. But back to Hultquist…
He introduces Sandworm – a group that overlaps with APT28 and is also operated by the GRU. He further notes the NATO country statements bring up threats to critical industry as well as electoral interference. “They [Sandworm] are the ones who turn off the lights again and again and again. The GRU has done that more than anybody else. And APT28 and Sandworm work together. They coordinate on certain things, and I think they pass targets between each other.”
Simplistically, you could say that APT28 gathers the information that could be used to flip some politicians and embarrass others. But it could also be used to target critical industries for Sandworm to attack. And that method could be simpler than we think. Remember, government agencies attributed NotPetya to Sandworm, but the courts refused (for insurance purposes) “to delineate the exact scope of what cyberattacks might be encompassed under the hostile/warlike exclusion.” In short, we know a Russian government agency instigated NotPetya, but with no legal definition of cyberwar, there is nothing we can openly do about it.
It would be wrong to dismiss election interference as separate to and less worrying than destructive cyberattacks. Weakening liberal democracies and weakening the NATO alliance are conjoined in the hybrid war that Russia is conducting against Ukraine in the short term, and the West in the long term. This may not technically be cyberwar, but it is certainly cyberwarfare. And it is a potential cyberwarfare that can be used to prepare the battlefield for kinetic war.
“I don’t think there is any coincidence in this focus on the Russian intelligence agencies – and the GRU in particular – by the NATO countries,” said Hultquist. “The governments are rightly concerned about these actors and are making public statements rather than trying to manage things quietly behind the scenes. There comes a point where you must fight against this type of activity in the open, and say openly this is what is happening, and these are the people doing it.”
This is what happened in the early days of May 2024. The NATO alliance has said clearly to Russia and the rest of the world, we see you, we are watching you, don’t do that. There may even be a hint at NATO’s Article 5: an attack against one NATO member is an attack against all NATO members, and likely to result in a collective response.
APT28 is also known as APT-C-20, ATK5, Blue Athena, FANCY BEAR, FROZENLAKE, Fighting Ursa, Forest Blizzard, G0007, Grey-Cloud, Grizzly Steppe, Group 74, Group-4127, IRON TWILIGHT, ITG05, Pawn Storm, SIG40, SNAKEMACKEREL, STRONTIUM, Sednit, Sofacy, Swallowtail, T-APT-12, TA422, TG-4127, Tsar Team, TsarTeam, UAC-0028
Sandworm is also known as APT44, Blue Echidna, ELECTRUM, FROZENBARENTS, G0034, IRIDIUM, IRON VIKING, Quedagh, Seashell Blizzard, TEMP.Noble, TeleBots, UAC-0082, UAC-0113, VOODOO BEAR
Star Blizzard is also known as Callisto, BlueCharlie, COLDRIVER, GOSSAMER BEAR, Reuse Team, SEABORGIUM, TA446
APT29 is also known as ATK7, Blue Kitsune, BlueBravo, COZY BEAR, Cloaked Ursa, G0016, Grizzly Steppe, Group 100, IRON HEMLOCK, ITG11, Midnight Blizzard, Minidionis, Nobelium, SeaDuke, TA421, The Dukes, UAC-0029, YTTRIUM
Related: Kapeka: A New Backdoor in Sandworm’s Arsenal of Aggression
Related: Recent OT and Espionage Attacks Linked to Russia’s Sandworm, Now Named APT44
Related: Russian Hackers Target Industrial Systems in North America, Europe
Related: Russian APT Used Zero-Click Outlook Exploit (APT28 targeted NATO countries and Ukraine)
