NATO and the EU accused Russia of carrying out an “aggressive hybrid warfare” against Western nations targeting governments, militaries, and critical infrastructure.
The campaign includes physical sabotage, a flood of disinformation, increased espionage, jamming of GPS signals for civilian aviation, and massive cyberattacks, NBC News reported on May 13.
On May 3, the U.S. State Department condemned Russia’s malicious cyber activity, linking it to APT28, a unit within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, formerly the General Staff Main Intelligence Directorate (GRU), or Russian military intelligence.
The U.S. Department of Justice working with Germany, uncovered “a network of hundreds of small office/home office routers that APT28 was using to conceal and carry out malicious activity” against targets in Germany, Czechia, Lithuania, Poland, Slovakia, and Sweden, the state department said.
Russian ambassador to the U.S. Anatoly Antonov denied the accusations, calling them "insinuations" and “provocative stories,” and claiming falsely that the U.S. presented no evidence.
Antonov used the Kremlin’s classic disinformation tradecraft to deflect blame for the cyberattacks by manipulating statistical data.
In a post on the Russian messenger app, Telegram on May 3, Antonov said:
“…according to statistics, the vast majority of computer attacks in the world occur from the territory of the United States."
That is misleading.
Cyber threat analysts identify a spectrum of at least five types of cybercrimes, in which cyberattacks with a political dimension stand out as a separate type. Russia ranks top among countries involved in cybercrimes carried out by Nation-State Threat Actors and Advanced Persistent Threats (APTs) operating with state support.
Antonov omitted the distinction, referencing instead generalized non-specific raw statistic data that includes all types of cybercrimes and ignores the fact, that hackers can easily fake their geographical location.
One example of such a generic database is a report Cloudflare, Inc., an IT service management company, released in April, listing Distributed Denial of Service or DDoS attacks designed to overwhelm a targeted server with HTTP requests, and L3/4 attacks, which target network infrastructure.
Cloudflare found that for the first quarter of 2024, the United States was both the “largest source” and “the primary target” of HTTP DDoS attack traffic and the L3/4 attacks.
Microsoft concurred, saying the U.S. bears "the brunt of 54 percent of all attacks.”
Scholars argue that valid and reliable data on the geography of cybercriminal activity is “complex and unresolved.”
A group of cyber analysts and investigators from the British Oxford University and the Australian New South Wales and Monash Universities identified five types of cybercrime in a three-year study released in April. The research resulted in the first World Cybercrime Index, “a global metric of cybercriminality.”
“Although the geography of cybercrime attacks has been documented, the geography of cybercrime offenders — and the corresponding level of ‘cybercriminality’ present within each country — is largely unknown,” the report said.
Cybercriminals use proxy services to hide their IP addresses and carry out attacks across national boundaries, complicating efforts to “capture the true geographical distribution of these offenders,” the scholars noted.
“Where the cybercriminals live is not necessarily where the cyberattacks are coming from,” the researchers wrote. “An offender from Romania can control zombies in a botnet, mostly located in the United States, from which to send spam to countries all over the world, with links contained in them to phishing sites located in China.”
To fix that problem, the researchers designed a survey asking 92 cybercrime experts around the world to “nominate the countries that they consider to be the most significant sources” of each of the five major types of cybercrime.
They found that a relatively small number of countries housed the greatest cybercriminal threats.
Russia ranked as the country with the top cybercrime threat level, followed by Ukraine, China, the United States, and Nigeria.
The respondents linked the Russian state to most cybercrimes with a political dimension, which include attacks on critical infrastructure, attacks on political targets, attacks conducted by state-affiliated groups, and attacks conducted by nation-states.
The European Repository of Cyber Incidents (EuRepoC) recorded 2,908 “cyber incidents with a political dimension” between January 2000 and May 2024.
During that time, Russia-based actors carried out the largest number of cyber incidents with a political dimension.
Seventy-eight Russian threat groups carried out 331 cyber incidents globally. Two GRU-linked cyber espionage groups are among the top 10 actors to initiate cyber incidents worldwide.
EuRepoC further documented 107 threat groups based in China that carried out 313 cyber incidents.
By contrast, 39 U.S.-based groups carried out 62 cyber incidents during the same time.
Last month, Microsoft Threat Intelligence published the results of its investigation into the activity of “Russian-based threat actor Forest Blizzard,” also known as APT28 or Fancy Bear. According to that research, APT28 exploited a flaw in the Microsoft Outlook email service to conduct its multi-year campaign against European targets.
Microsoft said that Forest Blizzard “primarily focuses on strategic intelligence targets,” including government, energy, transportation, and nongovernmental organizations in the United States, Europe, and the Middle East.
Microsoft noted an increase of such attacks targeting the EU. It tied the change to “geopolitical conflicts,” with “pro-Russian hacktivist groups intensifying their onslaught against Europe and the United States.”
As a part of this sequence, Cloudflare reported a 466% surge in DDoS attacks on Sweden after the nation joined the NATO alliance, “mirroring the pattern observed during Finland's NATO accession in 2023.”
