Cybersecurity blog header

Cyber-attacks against the defence sector. A new war front

Cyber-attacks against the defense sector have increased as a result of the current geopolitical situation

The sophistication and impact of cyber-attacks against the defence sector force organisations to improve their cyber resilience against advanced persistent threats

In early 2024, Ukraine announced that Russia had hacked video surveillance cameras and used them to spy on the country’s air defence systems and critical infrastructure in its capital. In both the Ukraine war and the Israel-Hamas conflict, cyber-attacks against the defence sector play a crucial role in military strategy.

Beyond the ongoing military conflicts, cyber-attacks against the defence sector have become one of today’s major threats to global security. Highly prepared criminal groups, financed by states such as Russia, North Korea or Iran, and with a large number of economic resources at their disposal, are targeting companies in the defence sector and entities essential to the defence of states.

The concern generated by cyber-attacks against the defence sector has led the European Union to launch the EU Policy on Cyber Defence, focused on creating mechanisms for collaboration between the public and private sectors and between the different countries of the Union and standardising cybersecurity tests.

On the other side of the Atlantic, at the end of March 2024, the US Department of Defense published a cybersecurity strategy to improve the defence industry’s cyber resilience. The plan includes up to 12 objectives, from enhancing collaboration between the public and private sectors to assessing defensive capabilities and optimising incident response.

Below, we will break down some of the key aspects of cyber-attacks against the defence industry and how organisations can improve their resilience to advanced persistent threats (APTs).

1. Supply chain attacks: Technology suppliers in the eye of the storm

As in other areas, many cyber-attacks against the defence sector exploit vulnerabilities in organisations’ supply chains.

For example, in early March, the US National Security Agency (NSA) reported that a Chinese-linked cybercriminal group, UNC5325, exploited vulnerabilities in Ivanti’s remote access VPN software to attack US defence companies.

Also, a few days earlier, in February 2024, German and South Korean intelligence agencies made public that they had detected a cyberespionage campaign against the global defence sector sponsored by North Korea. With what objectives? To steal information on cutting-edge military technology:

  • To modernise the North Korean military’s weapons.
  • To develop new military capabilities.

One of the two cases explained by the intelligence agencies involved a supply chain attack. A North Korean agent successfully attacked the company in charge of maintaining the centre’s servers before breaking into the systems of a maritime technology research centre.

After obtaining access credentials to the research centre’s server, the criminal could download malware onto the server, perform lateral moves, persist from the stolen account, and distribute malicious patches.

2. Social engineering and malware: A dangerous duo that never goes out of style

The other case made public by German and South Korean intelligence agencies involved the North Korean cybercriminal group, Lazarus. This group has launched its Operation Dreamjob tactic against companies in multiple sectors and countries, including the defence sector.

In fact, in September 2023, it had already been published that Lazarus had successfully attacked a professional of a Spanish aerospace company thanks to this tactic that combines social engineering and malware.
Criminals create fake profiles on social networks and job portals and communicate with the victim, lasting for days, weeks, or even months until they build a trusting relationship. At this point, the criminals send a PDF with a theoretical offer to the professional. However, this file is infected with malware that allows the group to infiltrate the company’s corporate network where the professional works.

This tactic shows us how the combined use of social engineering and malware is behind numerous cyber-attacks against the defence sector. As recently as the end of March 2024, it came to light that several Indian organisations linked to the defence sector and other strategic areas, such as energy, were victims of a campaign that used social engineering techniques to infect corporate networks with malware and exfiltrate almost 9 GB of data.

Also, in February 2024, it was revealed that a Chinese cyber-espionage group had been able to infect devices belonging to the Dutch Ministry of Defense with malware to gain access to confidential R&D&I information.

Defense contractors and states must improve their resilience to APTs

3. Using IoT devices to steal intellectual property and access critical data

The case with which we open this article is evidence of a growing trend: attacks that exploit vulnerabilities in IoT devices.

The expansion of these devices in enterprises and public institutions has made them attractive targets for criminal groups seeking to spy on the defence industry and obtain strategic information about states’ security and intelligence services.

Many smart devices used in organisations present vulnerabilities, as Tarlogic’s Innovation team revealed when designing BSAM, a methodology to audit devices that use Bluetooth technology to communicate and detect security breaches in this global standard.

Thus, in addition to the use of malware to infiltrate corporate systems, steal information or cause business disruptions, companies in critical sectors such as defence must contemplate the possibility of hostile actors hacking devices and using them to:

  • Stealing intellectual and industrial property. As noted above, some cyber-attacks against the defence sector aim to obtain information on cutting-edge technology of the highest value.
  • Discover ongoing research.
  • Gain access to information critical to the defence of states.
  • Obtain intelligence data of great geopolitical relevance.

4. APT groups and geopolitics

A few weeks ago, the US Department of Justice brought charges against an Iranian citizen for committing cyber-attacks against the US defence sector, including both government agencies and defence contractors, to steal sensitive information.

At the same time, it became public that a criminal group linked to the Iranian Revolutionary Guard was behind a cyber espionage campaign against defence companies in the Middle East (Israel, United Arab Emirates, Turkey). Thanks to two backdoors, they obtained access credentials to corporate systems and executed other malware to spy on organisations.

The different cases we have collected in this article allow us to visualise two critical aspects related to cyber-attacks against the defence sector:

  • They are carried out by groups of cybercriminals with extensive experience and a wealth of knowledge who design their tactics, techniques and procedures (TTPs) and develop increasingly sophisticated malware that is difficult to detect, contain and eradicate.
  • These groups are linked to states at odds with Western democracies on the geopolitical chessboard: Iran, Russia, North Korea, China, etc. This gives them access to the resources they need to implement advanced persistent threats.

For all these reasons, state-sponsored APT groups have become a critical threat to the public sector and the defence industry, which must implement advanced cybersecurity strategies and take a proactive approach to this kind of threat.

Cyber-attacks against defense sector aim to steal priceless intellectual property

5. The rise of the European defence industry and its protection

Current military conflicts and geopolitical and economic disputes have spotlighted defence policies. For this reason, several agreements have been recently approved within the European Union to strengthen military cooperation and increase defence investment.

In the coming years, the defence industry will be critical and, together with other sectors, such as aerospace, will lead the development of innovation and research projects.

Given this scenario, increasing the sector’s resilience will be vital to protect its intellectual property and prevent hostile actors from gaining access to information critical to European security.

Therefore, as part of the strategy to increase the defensive capabilities of critical sectors against cyber-attacks, which was brought to the regulatory arena with the approval of the NIS2 directive, the focus is also being placed on the need to prevent cyber-attacks against the Union’s defence sector.

6. Improving organisations’ cyber resilience against cyber-attacks against the defence sector

What can defence organisations do to increase their resilience to advanced persistent threats? Have APT Resilience Enhancement service that combines:

  • Red Team services‘ offensive capabilities, simulating APT scenarios to test how an organisation’s defensive capabilities respond.
  • Proactive Threat Hunting services that investigate malicious techniques, identify opportunities for improvement and help optimise detection and response mechanisms at the endpoint.

Thanks to APT Resilience Improvement, it is possible to objectively evaluate an organisation’s level of resilience against sophisticated, targeted and persistent attacks such as those carried out by APT groups and the risk of suffering these attacks.

In addition, they allow analysis of the detection, mitigation and response procedures of these threats and strengthen the training and capacity building of defensive teams such as the Blue Team.

6.1. From vulnerability management to incident response

Likewise, organisations must have essential cybersecurity services today, such as:

  • Vulnerability management and detection of emerging vulnerabilities.
  • Security audits of their IT assets: websites, mobile applications, IoT devices such as Bluetooth devices, cloud infrastructures, etc., as well as social engineering tests.
  • Proactive incident response service to respond to an attack in less than 1 hour, contain malicious actors, minimise the impact of their activities and protect business continuity.

In short, cyber-attacks against the defence sector are one of the most critical trends in the current landscape, both in terms of the organisations being attacked and the capabilities and resources of APT groups and their targets.

Therefore, public entities and the defence industry must improve their resilience to targeted and sophisticated attacks and protect the information they hold, which is critical in both economic and security terms, to the maximum extent possible.