In this second blog post in our series on Geopolitics in Cyber Threat Intelligence, we will explain what is meant by geopolitics, how it is intertwined with cybersecurity, and how QuoIntelligence includes geopolitics in its cyber threat intelligence analyses.
Missed Part I? Revisit it here to read about our approach to cyber threat intelligence.
Geopolitics by definition
Geopolitics is the study of how geography affects politics and international relations, and it attempts to explain the actions, interactions, and relations between countries. Traditionally, geopolitics is concerned with interactions in relation to geographical spaces. However, the continuous digitization of all aspects of everyday life and the world’s increasing reliance on the Internet have developed cyberspace into an additional space in which nation-states can cooperate with and compete against other nation-states.
How the Internet Enables Geopolitically Motivated Cyber Attacks
The Internet has established itself as an alternative to physical interaction and operations for several reasons:
Cheap and readily available:
Cyber campaigns are relatively affordable compared to conventional armed forces. For example, Distributed Denial of Service (DDoS) attacks, which are a common attack method for nation-states, cost on average EUR 350 (USD 416) per day but can potentially cause devastating impacts to the targeted entity, such as the cost of loss of operations and disruption of essential services. In addition, cyber campaigns can be launched quickly and in near-real time, unlike physical operations that can require extensive preparation phases.
Plausible deniability:
Governments can operate in cyberspace to target adversaries while retaining some deniability at the same time. State-sponsored Advanced Persistent Threat (APT) groups are, by definition, highly skilled; therefore, detecting their operations and then attributing them to particular states can be difficult. In addition, governments can use cyberspace to conduct operations that appear as if other actors conducted them or as if they served the interests of another state, so-called ‘false flag’ operations. False flag operations can allow governments to shift the blame to, or punish, other states for the alleged operations. For example, in 2018, a cyber sabotage campaign targeted the PyeongChang Winter Olympics with a malware called OlympicDestroyer. The operators behind the campaign disguised the attack to appear as if the North Korean group Lazarus had launched it, by employing tactics frequently used by Lazarus. Several researchers initially attributed the attack to North Korea, and only after additional analysis did it become clear that the attack was a false flag operation. US intelligence agencies later attributed the attack to a Russian state-sponsored group, Sandworm.
Retaliation under the threshold of armed force
Cyberspace also allows nation-states to conduct more nuanced attacks against adversaries, calibrated to the severity of the situation. States can conduct attacks that remain under the threshold of armed conflict, that is, not severe enough to justify physical retaliation as defined by international law. The legality of when nation-states can use armed force in retaliation to provocation is defined by jus ad bellum. According to this body of law, retaliation is justified when one state threatens the territorial integrity or political sovereignty of another state. While frameworks on acceptable state behavior in cyberspace exist, the best known being the Tallinn Manual 2.0, they are neither internationally recognized nor legally binding.
Cyberspace as a Mirror for Global Geopolitical Tensions
At the same time, nation-states are using cyberspace to further pursue their own goals. As the Internet is used to transfer and store highly sensitive information, transmit essential communication, operate critical infrastructure, and much more, it is an attractive target for pursuing various aims, including:
Target adversaries
In the worst case, cyberattacks can result in destruction and death, for example, when actors target critical infrastructure. In 2020, a ransomware attack on a German hospital indirectly contributed to the death of a woman. The death occurred during the patient’s transfer to another hospital after the compromised hospital was unable to admit new patients. Retaliatory and limited cyberattacks frequently accompany geopolitical tensions. There are several examples of this, such as operations attributed to Russian cyber actors targeting Ukrainian entities, or Turkish and Greek hacktivist groups claiming cyberattacks on the other country during the height of tensions between them in 2020.
Espionage
Nations frequently use cyberspace to enable espionage, including governmental, military, and industrial espionage. Germany, for example, sanctioned Russia in 2020 over an alleged cyber espionage attack against Germany’s parliament in 2015, which was attributed to Russian threat actors. In terms of industrial espionage, the EU and the US continuously accuse China of using state-sponsored cyber actors to target organizations in order to illegally obtain intellectual property, especially organizations operating in industry sectors of Chinese interest.
Financial gain
Cyberspace can also be the only viable option for states to conduct operations if they are economically and diplomatically isolated due to sanctions. For example, North Korea reportedly uses state-sponsored cyber groups frequently to conduct operations for financial gain, such as targeting cryptocurrency exchanges to fund North Korea’s military expansion. In addition, North Korean actors reportedly conduct industrial espionage to further their own goals, as well as out of necessity, as they are largely excluded from international cooperation. Recently, North Korean-linked cyber actors reportedly targeted COVID-19 vaccine makers.
Given the extensive and varied uses of cyberspace and the fact that geopolitical tensions are often mirrored in cyberspace, understanding geopolitics is important when analyzing current threats, as well as assessing and forecasting potential future threats.
Forecasting Cyber Threats with the Help of Geopolitical Analyses
Geopolitical analysis helps in forecasting potential cyber operations that will take place in the future. Given how geopolitical events are often mirrored in cyberspace, understanding the current geopolitical landscape helps in identifying trends, patterns, and early indicators of potential future threats. For example, in February 2020, QuoIntelligence released a preparedness and response checklist for CISOs to mitigate the risks stemming from the newly discovered COVID-19 pandemic. We warned early on that cyber actors were likely to leverage the pandemic to further their own goals, and shortly after, we observed our forecast being realized when APT groups and cybercriminals actively abused the pandemic in their campaigns. For example, cyber actors targeted health care providers, and Distributed Denial of Service (DDoS) attacks rapidly increased as companies were already struggling with limited available bandwidth due to the sudden shift to remote work.
In addition to geopolitical tensions, upcoming diplomatic events and economic policies may trigger espionage or retaliatory cyber incidents. Examples include G20 summits, which may be accompanied by espionage campaigns to identify the other parties’ negotiation positions. Further, governmental and economic policies can provide an insight into future priority areas of governments, such as China’s Five–Year Plans, which could result in industrial espionage efforts to achieve these goals.
At the same time, geopolitical insights support the analysis of current cyberattacks to better understand the context in which an attack took place. Knowledge of geopolitical developments can help identify the aim of a cyber operation and thus potentially support attributing activity to certain actors or nation-states. Indicators in attack campaigns, for example, the language used, the times when operators are online, and the targeted countries or particular industries, can give valuable information on who might be behind those attacks. The correlation between cyberattacks and geopolitical tensions could be observed in Ukraine. After Russia annexed Crimea in 2014, political tensions between Ukraine and Russia were frequently mirrored in cyberspace. For example, between 2015 and 2016, several destructive malware campaigns targeted Ukraine’s electric power grid and government entities. US intelligence agencies attributed the attacks to the Russian state-sponsored group Sandworm, and in 2020, the US indicted alleged Sandworm members.
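One of the indicators mentioned above, the times when operators are online, can be turned into a simple, repeatable analysis: take the UTC timestamps of attacker activity recovered from a campaign and ask which UTC offset makes most of that activity fall into ordinary weekday working hours. The script below is an added illustration written for this post, not QuoIntelligence tooling or data; the timestamps are constructed, and the working-hours window (08:00 to 18:00 local, Monday to Friday) and the whole-hour offsets tested are assumptions an analyst would adjust. As the OlympicDestroyer case above shows, such timing evidence is circumstantial and can be staged, so the result is one input to attribution, never a conclusion on its own.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC timestamps of operator activity (for example, command-and-control
# check-ins or build times recovered during an investigation). Not real campaign data.
SAMPLE_EVENTS_UTC = [
    f"2020-03-0{day}T{hhmm}:00Z"
    for day in (2, 3, 4, 5, 6)            # Monday to Friday
    for hhmm in ("05:10", "07:30", "10:45", "14:55")
] + ["2020-03-07T10:00:00Z"]              # one Saturday event, off-pattern noise


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def workday_fit(events, offset_hours: int, start: int = 8, end: int = 18) -> float:
    """Fraction of events that land on a weekday between start and end (local time)
    once the UTC timestamps are shifted into the given UTC offset."""
    local_tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in events:
        local = parse_utc(ts).astimezone(local_tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(events)


def rank_offsets(events, offsets=range(-12, 15)):
    """Score every candidate UTC offset and return (offset, score) pairs, best first.
    Ties are broken towards the smaller absolute offset so the ranking is deterministic."""
    scores = {off: workday_fit(events, off) for off in offsets}
    return sorted(scores.items(), key=lambda kv: (-kv[1], abs(kv[0])))


def hour_histogram(events, offset_hours: int) -> Counter:
    """Count events per local hour for a given offset; useful to eyeball the daily pattern."""
    local_tz = timezone(timedelta(hours=offset_hours))
    return Counter(parse_utc(ts).astimezone(local_tz).hour for ts in events)


if __name__ == "__main__":
    ranking = rank_offsets(SAMPLE_EVENTS_UTC)
    best_offset, best_score = ranking[0]
    print(f"best-fitting offset: UTC{best_offset:+d} ({best_score:.0%} of events in working hours)")
    # Several adjacent offsets usually score similarly; report them rather than a single answer.
    print("runners-up:", [(f"UTC{o:+d}", round(s, 2)) for o, s in ranking[1:4]])
    print("local-hour histogram at best offset:", sorted(hour_histogram(SAMPLE_EVENTS_UTC, best_offset).items()))
```

In practice the analyst would feed real event times, compare the histogram shape (lunch dips, weekend gaps) rather than trust a single score, and weigh the result against the language, targeting and geopolitical context discussed in this section.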
Incorporating Geopolitics into Threat Intelligence Reports & Country Risk Profiles
In order to understand the goals and ambitions of nations, QuoIntelligence has a dedicated geopolitical team that continuously observes and analyzes the geopolitical landscape, taking into consideration, among other things:
Diplomatic tensions
In order to understand the main challenges and power competition globally, we record and analyze the reasons for and outcomes of diplomatic tensions, which includes analyzing governmental competition and cooperation, international economic indicators such as trade, and emerging global threats.
Domestic developments and interests
We keep track of domestic developments, including cybersecurity and data privacy regulations, cybersecurity within the military, the inclusion of cybersecurity in strategic planning, and state-sponsored APT groups. This provides us with information on the ambitions, interests, and capabilities of nation-states.
International law and frameworks
We scan international laws governing cyberspace, multinational cooperation, and developments that can shift global security dynamics and affect, directly or indirectly, relevant sectors.
In addition to incorporating geopolitical analysis in our regular Threat Intelligence reports, QuoIntelligence continuously updates its country risk profiles and threat actor catalog to track recent and potential future developments. These comprehensive and actionable catalogs provide in-depth insights and are curated to meet the needs of our clients by highlighting developments and trends that are likely to impact our clients’ locations, industry sectors, or assets.
To be continued…
In the next part of this series, we will explain why the geopolitical influence on cyber threats also affects companies, and describe how we provide companies with customized and actionable intelligence products to incorporate country risk analyses into their risk mitigation plans.
Do you want to stay informed of cyber and geopolitical threats targeting your organization? Are you interested in receiving exclusive and unpublished intelligence?