Traditional wars still destroy the Earth and too many lives. However, the most strategic battles are carried out behind a keyboard. Welcome to the world of governmental espionage and disruption of foreign adversaries, a silent war that is no longer conducted on the battlefield but in the shadows of cyberspace.
What is Cyber-Warfare?
- Cyberwarfare refers to the use of digital attacks by one nation-state to disrupt the critical systems of another, aiming to cause damage, disruption, or espionage. Unlike traditional warfare, cyberwarfare is characterized by its invisibility, asymmetry, and speed. It is waged not on physical battlefields but in cyberspace, targeting infrastructures such as power grids, communication networks, banking systems, and military operations.
While no universally accepted legal definition exists, cyberwarfare typically involves state-sponsored actions beyond cybercrime or hacktivism, often aiming for strategic national advantage or geopolitical destabilization.
Nation-States involved in cyberwarfare
Nation-state actors are offensive cyber units or intelligence agencies with advanced technical capabilities. They often operate through advanced persistent threats (APTs).
- An Advanced Persistent Threat (APT) is a sophisticated, prolonged, and targeted cyberattack in which an unauthorized actor, often a well-resourced group or nation-state, gains and maintains access to a specific network or organization's systems. The primary goal is typically to steal sensitive data, conduct espionage, disrupt operations, or achieve strategic objectives over an extended period, often months or even years, while remaining undetected.
Unlike other cyberattacks, APTs are not indiscriminate. They meticulously select their targets based on the value of the information they hold or the strategic importance of the organization. Common targets include government agencies, defence contractors, financial institutions, critical infrastructure, and corporations with valuable intellectual property.
Some examples of known nation-state actors are listed below, grouped by the state they are attributed to.
- Russia
  - Groups: APT28 (Fancy Bear), APT29 (Cozy Bear), Sandworm
  - Targets: Ukraine, U.S. elections, European energy infrastructure
  - Tactics: Election interference, wiper malware (e.g., NotPetya), misinformation
- China
  - Groups: APT10 (Stone Panda), APT41 (Double Dragon)
  - Targets: IP theft from corporations, espionage in critical sectors
  - Tactics: Supply chain attacks, stealthy exfiltration, zero-day exploitation
- Iran
  - Groups: APT33, APT34 (OilRig), APT35 (Charming Kitten)
  - Targets: Middle East rivals, U.S. infrastructure
  - Tactics: Wiper attacks (e.g., Shamoon), spear-phishing, social engineering
- North Korea
  - Groups: Lazarus Group, Kimsuky
  - Targets: Financial institutions, crypto platforms, defence entities
  - Tactics: Crypto theft (e.g., Ronin Bridge hack), ransomware for revenue, espionage
Proxy groups of hacktivists
Some state actors outsource operations to loosely affiliated groups, creating plausible deniability. Examples of such groups are KillNet (pro-Russian), DragonOK (a Chinese-speaking group), and Anonymous (a global hacktivist collective). Their involvement ranges from psychological warfare and DDoS attacks to defacement and leaks.
Key strategies in cyberwarfare
- Espionage
- Sabotage
- Information warfare and psychological operations
- Economic disruption
- Hybrid warfare
Espionage involves stealing sensitive political, military, or commercial information. This is done through long-term infiltration via Advanced Persistent Threats (APTs).
Sabotage involves disrupting or degrading infrastructure. Some notable examples are Stuxnet or the attacks on Ukrainian power grids.
Information warfare and psychological operations include social media disinformation campaigns, deepfakes, fake news, and bot amplification. The ultimate goal is to influence public opinion, create discord, and erode trust.
Economic disruption is carried out through ransomware (state-affiliated or tolerated), intellectual property theft, or disruption of global supply chains.
Hybrid warfare consists of cyberattacks paired with traditional military operations. Such attacks can be seen in Russia’s tactics in Ukraine with a mix of cyberattacks, tanks and propaganda.
The evolution of cyberwarfare
- Cyberwarfare is evolving from a tactical tool into a strategic domain. It is now considered a domain of warfare on par with land, sea, air, and space, and traditional doctrines are evolving to include offensive cyber capabilities as preemptive tools.
- Civilian and military targets are blurring: cyberattacks increasingly target civilian infrastructure (healthcare, finance, energy). This aspect raises legal and ethical concerns under international law.
- Increased use of AI and automation: AI-driven malware, autonomous exploit detection, and real-time disinformation are now part of these strategies. These are used together with enhanced defensive tools (e.g., anomaly detection systems).
- Cyber mercenaries and privatized offensive capabilities are also on the rise. Contractors and private firms offer offensive cyber services, the NSO Group (Pegasus spyware) being a well-known example.
- Zero-day exploits are stockpiled or traded rather than responsibly disclosed. Governments now regulate this through a vulnerabilities equities process that decides whether a discovered vulnerability is disclosed to the vendor or retained.
Challenges and future of cyberwarfare
Cyberwarfare is evolving with technology. The trends that are already foreseeable can be summarized as follows:
- Attribution difficulty: it is becoming increasingly complex to definitively prove who is behind a cyberattack.
- Cyber norms: there is a lack of universally accepted norms or treaties governing cyberwarfare.
- Critical infrastructure risk: the increasing digitization of essential infrastructure increases the attack surface.
- Quantum computing: it may disrupt encryption and defence paradigms.
- Public-private coordination: while this type of specialized cooperation is essential, it is also complicated by differing priorities and agendas.
Cyberwarfare case studies
State actors have carried out some of the most destructive cyberattacks in recent years. Typical case studies are Stuxnet, Colonial Pipeline, and SolarWinds.
However, many more cases of cyberwarfare with a high confidence level of attribution can be mentioned. The war between Russia and Ukraine provides plenty of examples, such as NotPetya and BlackEnergy (Industroyer), and Russia is also at the top of the list of suspects for the U.S. election interference in 2016. China is believed to be at the origin of Operation Cloud Hopper, which targeted global MSPs, the Anthem breach, and the Microsoft Exchange exploits (through the Hafnium group). The United States has targeted Iran with Stuxnet and Nitro Zeus under the programme codenamed Olympic Games. Iran has in turn targeted the U.S. and other Middle Eastern countries with Shamoon and carries out ongoing spear-phishing and espionage activities through its Charming Kitten group (APT35). Finally, North Korea is behind the Sony Pictures hack, the WannaCry ransomware attack, and a series of crypto heists.
A picture emerges in which strategically positioned companies worldwide are no longer exploited only by opportunistic cybercriminals but are attacked by state actors with far greater resources and military-grade tooling.