From the Fall 2024 Issue

What To Know About Nation State Actors and Cybersecurity Threats

Craig Watt
Threat Intelligence Consultant | Quorum Cyber

According to the United Nations, the world witnessed a significant rise in violent conflicts in 2023 that reached unprecedented levels not seen since World War II. This increase in global tensions continues to impact the cybersecurity landscape profoundly.

The states primarily responsible for these developments are known as the ‘Big Four’: Russia, China, Iran, and North Korea, the nation states that global law enforcement considers to pose the greatest threats to Western interests.

Recent foreign affairs developments involving these nations have resulted in collaborative efforts in cyber space. A few of these collaborations have a huge influence on the rest of the world. Russia and North Korea recently signed a mutual defense pact following the Kremlin vetoing UN sanctions on North Korea. Pyongyang has been reported to have supplied military hardware and munitions to Moscow to bolster its invasion of Ukraine. Iran attacks Western targets through its Axis of Resistance Houthi rebel faction in the Red Sea while providing Chinese and Russian ships safe passage. China is now a major buyer of Iranian and Russian oil as Beijing seeks to leverage the Middle East region to propagate its Belt and Road initiative.

Russia

The Russian Federation is one of the most advanced global cyber powers that has increasingly generated attention due to the complex nature and far-reaching impact of cyber-attacks often aligned with its government’s intelligence apparatus. Hacker operations range from espionage and disinformation campaigns to direct cyber-attacks on Western critical infrastructure, with Moscow engaging in asymmetric activity below what it calculates to be the threshold of global military conflict.

Typical Russian cyber-attacks are destructive in nature, primarily aimed towards critical sectors within Ukraine and its NATO supporters. However, the Federation also demonstrates sophisticated espionage abilities as the state seeks to collect intelligence on foreign policy regarding support for Ukraine.

Russian state actors are also high-risk foreign influence threats because of the Federation’s wide-ranging efforts to divide Western alliances, undermine the global standing of Western states, and to sow discord amongst Western populations. The foundation of these cyber-attacks often includes a combination of disruptive and influence operations, reflecting the state’s “information confrontation doctrine”, a concept that the Russian Ministry of Defence describes as “the clash of national interests and ideas, where superiority is sought by targeting the adversary’s information infrastructure while protecting its own objects from similar influence.”

This has translated into the cyber domain with Russian hackers combining reconnaissance and disruptive efforts with follow-up psychological operations, a multi-stage protocol that often includes data theft from target systems and wiper payload deployment, followed by advertising the success of the attacks through social media avenues such as Telegram.

China

Chinese state actors routinely launch highly sophisticated operations to preserve the existence and legitimacy of the Chinese Communist Party (CCP), drive wedges between the US and its allies, and to assert global power. It is critical to understand China’s ongoing rivalry with the US to appreciate the nation’s impact within cyberspace, with Washington’s competitive measures against Beijing likely perceived as part of a broader effort to prevent China from achieving its agenda.

As China inches closer to its intelligence gathering objectives, we have detected that its state hackers have recently pivoted to a more destructive posture by launching attacks against US critical infrastructure. This is likely intended to pre-position attacks against Western assets as a precursor to any potential conflict with Washington and to disrupt communications between the US and its allies within East Asia, including Taiwan and Japan. This has involved Chinese hackers gaining access to target systems with living-off-the-land and hands-on-keyboard techniques, allowing for stealthy and persistent access to target networks.

Territorial disputes within the South China Sea also have implications in cyber space. This longstanding conflict involves island and maritime claims that are hotly contested by nations in the region, with China claiming the “nine-dash line”, an area of ocean, islands, and reefs over which Beijing asserts sovereignty. This has been met by harsh criticism from Washington, resulting in greater international tensions. As a result, Chinese cyber actors have targeted the government and telecommunication sectors of US-allied members of the Association of Southeast Asian Nations, the political and economic alliance of 10 states. These operations have focussed on US military drills conducted in the region.

Although China’s cyber posture is becoming increasingly destructive, espionage and intellectual property (IP) theft remain staples of the offensive profile of Beijing’s state actors, as both are needed for China’s ambitions to be met.

A case in point is the ‘Made in China 2025’ initiative, the state-led industrial policy that seeks to make the nation the dominant force in global high-tech manufacturing. The initiative carries the objective of leveraging government subsidies, mobilising state-owned enterprises, and acquiring the IP needed to surpass Western technology innovations, thus promoting Chinese high-tech companies in the global marketplace. Semiconductors receive particular emphasis, with the 2025 plan setting specific targets of achieving 70% self-sufficiency for China in high-tech industries by 2049, to mark the hundredth anniversary of the People’s Republic of China (PRC). This has resulted in Taiwan becoming the primary focus of Chinese IP theft, as Taipei currently produces 90% of the world’s most advanced semiconductors that power lucrative technologies, ranging from artificial intelligence (AI) platforms to defence industry solutions. This IP theft likely represents attempts by Beijing to undermine Taiwan’s ‘Silicon Shield’, a concept proposing that the global reliance on Taiwan’s advanced chipmakers keeps the island safe from a Chinese invasion.

In light of US-Taiwan diplomatic relations, we have assessed that the US will likely be caught in the crossfire of these IP theft efforts, with the Taiwan Semiconductor Manufacturing Company (TSMC) set to build its silicon chips in three factories currently under construction in Arizona. This is a recent development following TSMC receiving a pledge of almost $12 billion in government subsidies under the 2022 Chips and Science Act, as part of President Biden’s efforts to attract silicon chip production within Washington’s domestic borders.

China’s Belt and Road program also presents unique cybersecurity challenges. This is a vast collection of development and investment projects designed to interconnect the Far East with Europe through physical infrastructure. It has recently expanded to include the Southern Hemisphere, allowing China to extend its global influence whilst also enhancing its economic and military presence. Alongside it, Beijing’s hackers routinely launch cyberespionage against partners of the initiative throughout Asia, Sub-Saharan Africa, Eastern Europe, and Latin America, with China likely seeking to leverage political relations to expand its foothold within these areas and to gauge repayment potential.

China also demonstrates a threat in the information space by leveraging social media and enhanced AI capabilities to influence the outcome of crucial elections and to undermine democratic integrity in favour of leaders that better suit Chinese interests.

Iran

Iranian cyber capabilities have recently become increasingly sophisticated, as Tehran has sought to support its Axis of Resistance proxy, Hamas, throughout the ongoing Israel-Gaza conflict. Iran has leveraged ‘hybrid warfare’, combining kinetic and cyber operations to extend the battlefield beyond traditional geographic lines in support of its ‘Shadow War’ against Israel. This has led to the disruption of local operations, resulting in extensive chaos and collateral damage within the Middle East region as well as further afield.

Following the Hamas invasion of Israel on October 7th, Iran has shifted from the reactive posture it adopted immediately after the initial invasion to a more proactive stance against Israeli assets. This has involved a surge in Iranian wiper malware, ransomware, and mobile spyware deployments against the Israeli government, finance, technology, and defense sectors, with the objectives of both sabotaging rival Critical National Infrastructure (CNI) and conducting intelligence gathering to bolster the state’s position within the ongoing conflict. Iranian state-aligned cyber actors have also launched phishing campaigns against national security think tanks, diplomats, former military personnel, non-governmental organizations (NGOs) and Middle Eastern affairs experts within the Western education sector to gather intelligence on key decision makers. The scope and sophistication of these offensive cyber efforts have expanded to include targeting Arab states that recognize Israel, in addition to nations within the Democratic West.

Influence operations (IO) have also become a staple attack vector of Iranian hacker activities, with Tehran demonstrating a significant investment in hack-and-leak operations: a two-step process of compromising victims and subsequently releasing the extracted data with the intention of influencing a target set. These threat actors have made exaggerated and misleading claims of compromising both Israeli and US-based CNI to create socio-political divisions within target sets perceived to be in opposition to the Iranian government, and to diminish global backing of Israel by emphasizing the damage caused by Israeli counter-disruption efforts against Palestinians within Gaza.

Psychological warfare has been a staple of state-aligned cyber-IO, involving the use of AI, as well as the delivery of SMS and email messages, to exaggerate the claims of Tehran-aligned influence campaigns, with attempts to turn global public perception against Israel and to manipulate Israeli citizens into engaging in on-the-ground activities.

Finally, following the ‘Transition Day’ of the Joint Comprehensive Plan of Action (JCPoA) on October 18th, 2023, certain restrictions on Iran’s nuclear and missile programs have been lifted. However, given Iran’s increasing non-compliance since 2019, restrictions under UN Security Council Resolution 2231 have been maintained, denying nuclear weapons testing or ballistic missile activities. There is a realistic possibility that this will result in retaliatory Iranian cyber operations aimed at Western government, military, financial, and higher education industry verticals, as the UK, with the support of fellow E3 member states France and Germany, continues to apply restrictive measures against Tehran.

North Korea

Financially driven cyber-attacks are the core component of North Korean cyber activities, with the Republic of North Korea heavily sanctioned by the UN in response to its nuclear and military developments, as well as advances in its ballistic missile program, all of which threaten the Democratic West.

Cryptocurrency heists spearhead these efforts, with the UN recently reporting that cryptocurrency theft sponsored by the Republic’s Reconnaissance General Bureau has generated approximately $3 billion since 2017. Further, North Korea is currently engaged in an ongoing cyber campaign that is seeking to incorporate a wide variety of measures to bypass US-enforced sanctions placed on cash mixing services to launder stolen cryptocurrency.

Pyongyang’s cyber forces routinely exploit zero-day security flaws in highly sophisticated attacks targeting the government, financial, technology, and defense sectors, resulting in access to clients downstream. The most vulnerable components of the supply chain include software vendors, as well as managed service and cloud providers, whose compromise allows for the initiation of second-stage payloads, such as ransomware deployment.

North Korean cyberespionage against the West continues to be a priority for the Republic due to financially affluent target environments, the potential for IP theft, and the perceived existential threat posed by Western states. This has been reflected by Pyongyang demonstrating the danger posed by its military through missile launches and rhetoric threatening nuclear retaliation in response to strengthening trilateral cooperation between the US, Japan, and South Korea, a partnership that was solidified during the Camp David summit in August 2023. These operations are routinely timed to counter US–South Korea exercises, possibly to force these countries to modify their military posture and to counteract the South Korean president’s hardline policies toward the North. In parallel, North Korean cyber activity has focussed on the aerospace and defense sectors via reconnaissance and spear-phishing techniques against states within this trilateral alliance, to counter Pyongyang’s perceived national security adversaries.
