Washington is hosting the NATO 75th Anniversary Summit from July 9 to July 11, 2024. This pivotal meeting includes heads of state, senior military personnel, and experts from 32 NATO members. The summit is crucial for the Alliance to bolster support for Ukraine, enhance NATO’s defense capabilities in the wake of Russia and China’s increasingly aggressive stance, expand global partnerships, and address key geopolitical challenges.
In keeping with their established patterns, particularly in the aftermath of the conflict in Ukraine, hacktivists have been quick to target the Washington Summit. The ongoing developments among NATO allies to back Ukraine in the ongoing conflict have already drawn multiple attacks on the digital infrastructure of these countries over the last two years. But this time, the Hacktivist collectives have planned to run a propaganda campaign against NATO by launching a series of targeted Distributed Denial of Service (DDoS) attacks on NATO websites. These futile attacks, even though more propagandist in nature, seem to be intended to prevent NATO from giving further military and financial assistance to Ukraine and sway public opinion against Ukraine’s NATO membership, which is likely to be discussed in the Summit.
Figure 1: Post on the People’s Cyber Army Telegram Channel
As expected, the prominent hacktivist groups mentioned below have joined forces to lead an anti-NATO campaign and launch coordinated attacks.
- People’s Cyber Army (APT44)
- NoName057(16)
- UserSec
- Anonymous Central Russia
- CyberVolk
- Phantom Group
- Hacker Council
- 7 October Union
Escalating Propaganda Against the NATO Alliance
The anti-NATO campaign, initiated with Noname057(16), targeted Czech governmental and financial institutions. It followed Czech Prime Minister Petr Fiala’s announcement on June 29, 2024, about finalizing security agreement negotiations with Ukrainian President Volodymyr Zelensky before the upcoming NATO summit in Washington. The signing of this agreement was scheduled for July 18.
Then, in early July this year, NoName057(16) attacked the internet infrastructure of another NATO member – Denmark, following the decision of the Danish government to train an additional 50 Ukrainian F-16 pilots.
Simultaneously with the attack on the NATO Summit, NoName057(16) attacked the Netherlands after it was reported that the Netherlands would deliver the first US F-16 fighter jets to Ukraine without delay. The newly appointed Dutch Foreign Minister Caspar Veldkamp announced this at a press conference in Kyiv on 7 July.
Since the beginning of July, Russian hacktivist groups claimed coordinated and persistent DDoS attacks targeting NATO’s Crisis Management and Disaster Response Centre of Excellence, Allied Special Operations Forces Command, Munitions Safety Information Analysis Center (MSIAC), and several other critical sites. On Wednesday, the 7th, the hacktivist group NoName057(16) persisted in DDoS attacks. The targets included the NATO Munitions Safety Information Analysis Center (MSIAC) portal, the NATO NEC CCIS Support Center portal, and GLOBSEC, a global think tank based in Bratislava and a partner of NATO.
It’s worth mentioning that Russian hacktivist groups in these attacks were accompanied by their new allies: CyberVolk (pro-India), Hacker Council (international), and 7 October Union (Alliance of 42 Pro-Palestine and Anti-Israeli groups).
Preemptive Threat Activity Targeting NATO
Starting on 27 June, CRIL noticed an increase in data leaks related to NATO organizations. Both hacktivist groups and TAs active in underground forums published unclassified documents containing PII of NATO members, budgets, procedures, and information related to several key events. In addition to the leaks, there was a notable sale of a Belgian defense company access on a Russian forum, highlighting another vulnerability of NATO members before the summit.
The hacktivists’ preparation for the NATO forum, coupled with the publication of the leaked documents, underscores their strategic intent to highlight the alliance’s susceptibility to cyber threats posed by Russian and other anti-NATO entities.
Pro-Russian hacktivists have meticulously tracked the media’s response to their attacks and leaks. A key objective was to showcase the prowess of Russian hacktivists to a Russian-speaking audience as part of domestic propaganda. Additionally, they aimed to impress foreign audiences, continuing their influence campaign to undermine support for Ukraine.
- On June 29, a TA, on an active data leak forum, posted documents allegedly stolen from a NATO unclassified information-sharing and collaboration environment dedicated to supporting NATO organizations and nations. Analysis of the leak shows several unclassified documents from 2016 until June 2024 related to the usage of NATO frameworks, financial budget execution, and applications/portal configurations and procedures. In addition, the leak includes a list of 362 members with their professional email addresses.
- On July 7, a TA leaked personally identifiable information (PII) data of the participants of NATO’s biannual event. According to the TA claims, the breach occurred in July 2024. The data breach includes the full name, UUID, modification date, profile image, nation, organization, designation, email address, and phone number.
- On July 7, a pro-Russian hacktivist group, SiegedSec, leaked approximately 248MB of data on their Telegram channel, allegedly stolen from a NATO portal related to cyber defense operations. Further analysis of the leak reveals that they obtained member access to the NATO portal. The analysis of the leaked documents also shows several NATO invitations, agendas, and announcements marked as NATO UNCLASSIFIED for the members of the cyber defense group from 2004 to June 18, 2024.
- On July 7, the pro-Russian group Anonymous Central published three internal NATO documents. The documents did not contain any classified information.
- In addition to the leak published on July 7, the hacktivist group SiegedSec shared a link on June 26 containing previously leaked data from two alleged breaches of NATO that took place in 2023. Our observations indicated that other members of low-level hacking forums actively shared the link and data.
Conclusion
Hacktivist groups consistently target major international forums, aiming to amplify their media presence and increase their visibility. The attacks on the NATO Summit serve a dual purpose: they underscore the persistent threat posed by Russian and anti-Western forces to global security, and they highlight the evolving strategies within hacktivist collectives, evidenced by the involvement of new participants from various countries. This development signifies a shift in their collaborative tactics, warranting close observation as the situation unfolds, particularly in the context of the ongoing war in Ukraine.
Being the most preeminent military alliance/mutual defense pact in the current world order has made NATO a prime target for a wide range of hackers. Compromises of NATO by underground threat actors and hacktivist groups elevate their notoriety and draw significant attention from “Dark web” actors and media, fulfilling the aspirations of these entities and the causes they are aligned to.
The beneficiaries of these underground activities could be the state and non-state actors, who can use the leaked data for their social engineering and intrusion operations. Furthermore, the fact that several DDoS activities target NATO could create gaps in cyber defense activities by increasing the attention and focus on low-level attacks rather than sophisticated ones.
The increasing sophistication and international collaboration of hacktivist groups targeting NATO highlight a growing cyber threat to global security, necessitating vigilant monitoring and enhanced cybersecurity measures.
