CYBER WARFARE, EXPLAINED
A new domain of global conflict
October 27, 2024
Cyber warfare has become a new strategic domain in international politics, alongside more traditional military, diplomatic, and economic activities.
Increasingly, it is seen as part of hybrid warfare – the use of non-military tools to indirectly damage geopolitical opponents.
Cyber operation of states often have one of three major goals:
Spying activities targeting governments for political, military and economic information, corporations for trade secrets and intellectual property, and high-profile individuals for sensitive data. Example: The US ran a surveillance program on tens of millions of individuals, including 35 world leaders, such as the German Chancellor and the French President, as revealed by security contractor Edward Snowden in 2013.
Disinformation campaigns to influence the citizens' opinions and sway election outcomes. Example: in 2016, Russia ran a sophisticated disinformation and interference campaign targeting millions of American voters during the presidential election.
Attacks on infrastructure aiming to disrupt or damage systems supporting energy, transportation, water, healthcare and communications. Example: In 2005-2010 Israel targeted Iran’s nuclear facilities with a virus called Stuxnet.
Tools for conducting cyber attacks include:
Zero-day – a mistake in the code of a program unknown to the developer, that can be used to get around the security system. A zero-day can be fixed with an update when the developer finds it.
Phishing – a fake email or message pretending to be someone (like Google Support) to steal passwords and data by making someone click on a compromised link.
DDoS-attack (Distributed Denial-of-Service attack) – slowing or breaking a server by overwhelming it with a large number of spam messages.
Malware – software designed to disrupt a computer system or steal information.
Advanced Persistent Threat (APT) – hackers and groups that conduct long-term operations with a certain goal or have long-term undetected access to some computer network.
Ransomware – malware that blocks a computer system until a fee is paid to the hacker.
Supply Chain attacks – targeting a software company to then compromise a system of somebody using their software.
Social Engineering attacks – using emotional manipulation and personal relationships to create openings in cybersecurity.
Many countries redefined their national security priorities by establishing cybersecurity plans and agencies, as well as developing offensive cyber capabilities.
There is no international agreement on conducting cyber operations, determining responsibility for attacks or establishing appropriate responses.
This led to many states using large volumes of cyber attacks and operations to advance their goals.
From 2000 to 2023, China was behind 21.6% of attributed cyber attacks globally, followed by Russia (21.0%), Iran (9.6%), North Korea (8.5%), Ukraine (4.7%), and the United States (4.2%).
There are reports of four-way cyber cooperation between China, Iran, North Korea and Russia that involve sharing intelligence information and malware.
In 2021, Russia and Iran signed an agreement to develop cyber defence capabilities and to share intelligence information regarding US cyber activities.
Russia utilised malware developed by the Chinese government-linked group Scarab against Ukraine in March 2022, according to a US-based cybersecurity company.
In 2017, the United States and Israel solidified their cyber alliance with the US-Israel Cybersecurity Cooperation Enhancement Act, providing $30 million in yearly funding for cybersecurity research and development projects.
China
China was first connected to the global Internet in 1994. It began developing cyber capabilities in the 2000s.
China exceeded 1 billion Internet users in 2021.
In 2014, President Xi Jinping publicly called for the need to build China into a “cyber power”. A central commission on economic, political, cultural and military aspects of cyber affairs was formed.
In 2023, China created a national bureau to centralise, organise and manage all the country’s vast data resources.
China publicly denies any involvement in cyber attacks and emphasises its adherence to international norms on cyber warfare.
China's cyber strategy:
Strong domestic companies: the likes of Tencent, Alibaba and Huawei supply much of global digital infrastructure, spreading China’s influence. For instance, at least 38 out of 54 African countries depend on Chinese firms for the development of fibre optic networks and data centres.
Military-civil fusion: major companies are directly tied to the Chinese Communist Party through strict regulations and informal pressure. Citizens and enterprises are legally required to “maintain national security,” which includes domestic firms collaborating with the armed forces to achieve technological advancements.
Control of domestic information and internet access: the "Great Firewall of China," a combination of laws and technologies to restrict people's access to the web.
State-sponsored hacking groups: such as ATP31, Volt Typhoon and Mustang Panda.
Key documents: 2016 National Cyberspace Security Strategy, military white papers, Made in China 2025.
China is primarily engaged in espionage targeting technology firms worldwide.
Operations like Cloud Hopper (2014-2017) and CuckooBees (2019-2022) aimed to steal intellectual property, research and development documents, and technological blueprints from companies in the US, Europe and East Asia.
The United States
The United States focused on improving cyber capabilities after the 9/11 terror attacks of 2001.
The US established the Department of Homeland Security (DHS), initially tasked with:
Releasing the first cybersecurity strategy by 2003
Improving information sharing between the federal government and private companies
Shaping cybersecurity laws
US Cyber Command was established in 2009 to coordinate all operations in the cyberspace with a focus on cybersecurity. Over time it developed more offensive capabilities.
In 2018, US Cyber Command was promoted to a combatant command, alongside Space, Special Operations, Transport, Strategy and 6 Geographical Commands.
US cyber strategy focuses on:
Disrupting threat actors: US Cyber Command formed hundreds of task forces to attack or counteract specific threats, especially during major elections.
Defending critical infrastructure
Investing in private cybersecurity sector: US has a sophisticated system of federal, state and local level grants and financial support for private cybersecurity companies and researchers.
Investing in secure infrastructures: US also provides financial support for companies to build cyber-safe infrastructure.
Cooperating with international partners: to benefit from sharing information and know-how with allies globally.
“Digital solidarity”: helping international partners secure their cyber ecosystems and expand response capabilities, boosting joint cyber defense.
Key documents: the Office of the Director of National Intelligence's Annual Threat Assessment, the 2023 Department of Defense Cyber Strategy, and the 2023 National Cybersecurity Strategy.
The US relies on private companies such as Microsoft and Amazon Web Services, which own and manage significant portions of the country's cyber infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA), a part of the DHS, plays a key role in this partnership with the private sector by sharing threat intelligence and coordinating responses to cyber threats.
The United States has conducted cyber operations against Russia, China, and Iran over the past decade, especially defensive cyber operations during 2016 and 2020 presidential elections, as well as the 2018 midterm elections.
In 2022, social media platforms took down a network of accounts promoting US propaganda in Arabic, Farsi and Russian. targeting Central Asian and Middle Eastern countries.
In addition, in 2016, Operation Glowing Symphony was conducted against ISIS to disrupt its global media and propaganda efforts, as well as to weaken its financial and recruitment processes.
Israel and Iran
The cyber domain is a critical battleground for the ongoing conflict between Iran and Israel, alongside military weaponry, diplomatic pressure, and economic measures.
The Stuxnet virus, developed by Israel and the United States and deployed against Iran's Natanz nuclear facility between 2005 and 2010, is considered one of the starting points of the cyber conflict between Israel and Iran.
Iran's main goals include:
Stealing sensitive information from Israeli companies and government entities
Disrupting critical infrastructures like ports and transportation networks
Leverage advanced persistent threats (APTs) to infiltrate Israeli network systems
Israel's main goals include:
Disrupting Iran's military communication networks and missile systems
Damaging Iran’s oil and nuclear facilities
Neutralising pro-Iranian APTs
Iran heavily relies on state-backed APT groups such as APT34, APT42, and CyberAv3ngers to conduct its attacks.
On the other hand, Israel manages its cyber activities through Unit 8200, an intelligence team in the Israeli Defense Forces (IDF) tasked with cyber and intelligence operations.
Israel's cyber capabilities are largely speculative, and the Israeli government has consistently denied engaging in cyber activities against Iran.
In 2020 an Israeli attack against a major Iranian port damaged the country's maritime trade and caused substantial economic loss.
Iran was responsible for 80% of state-sponsored phishing attacks against Israel in the six months leading up to October 7, 2023, according to a report from Google's Threat Analysis Group.
In December 2023, Iran accused Israel-backed group Predatory Sparrow of an attack that disrupted about 70% of Iran’s gas stations.
North Korea and South Korea
North Korean cyber attacks against South Korea intensified during the 2010s, notably with the 2013 Operation Troy, which targeted banks and media outlets, and the 2014 attacks against hydro and nuclear power plants.
In 2023, South Korea experienced 1.6 million daily hacker attacks, with North Korea allegedly responsible for 80% of them.
North Korea uses state-sponsored hacking groups such as the Lazarus Group, which operates under the direct command of the country's military intelligence agency.
In 2024, South Korea unveiled its National Cybersecurity Strategy to address these threats, shifting from a defensive stance to an offensive approach. The document also emphasised
adopting advanced technologies
enhancing infrastructure resilience
promoting international cooperation
Most of North Korea's cyber operations focus on either (1) gathering intelligence or (2) stealing money from private firms and financial institutions worldwide.
In 2023, the country stole between $600-700 million in cryptocurrencies alone. Between 2017 and 2023, North Korea allegedly collected $3 billion with this type of cyber attacks.
India and Pakistan
The cyber domain has become crucial in the longstanding rivalry between India and Pakistan, particularly after the two exchanged cyber attacks in 2010.
India has strengthened its cyber capabilities in cooperation with domestic firms like Tata Consultancy Services, Wipro and Infosys.
Pakistan's cyber capabilities are believed to lag behind India's, with lower public spending and fewer companies operating in the field.
Pakistan has tried to narrow the gap with its 2021 Cybersecurity Policy, which introduced a comprehensive cyber plan focused on developing defensive capabilities.
India and Pakistan regularly target each other’s government websites, critical infrastructure and military networks with cyber attacks.
India has close ties with Israel through a cybersecurity cooperation agreement in 2018 and with the United States through the 2016 US-India Framework for Cybersecurity Cooperation.
India allegedly used the Pegasus spyware, developed by an Israeli company, to conduct surveillance on high-level Pakistani officials.
In turn, Pakistan collaborates with China in the cyber domain under the China-Pakistan Economic Corridor, a regional connectivity framework led by Beijing. The extent of this cooperation remains unclear.
Russia
Russia's evolution into a cyber power began in the late 1990s and early 2000s as it sought asymmetric strategies to counterbalance Western military dominance.
Russia has introduced the concept of "information confrontation” in its military strategy. Information confrontation is a conflict of national interests and ideas.
This means Russia sees cyber warfare as part of a broad global conflict in the information space, where all sides aim to damage their adversaries’ digital infrastructure while defending their own.
Strategically, Russia perceives itself as surrounded by hostile countries, especially NATO members, and considers cyber operations as a tool for achieving territorial security and political stability.
Russia’s cyber strategy focuses on:
Preserving values: to “apply information technologies for the preservation of cultural, historical, spiritual and moral values” of the Russian people.
Defending key infrastructure: supporting smooth operation of digital telecommunications network.
Developing domestic tech: supporting the research on and production of electronics, information technologies and cybersecurity infrastructure.
Spreading political information: providing global community with “accurate” information on the government’s policies and official stance on “significant events”.
National security: protecting the independence of Russia in the information space and the sphere of culture, promoting approved narratives and supporting political stability.
Key documents:2016 Doctrine of Information Security, 2021 National Security Strategy and the 2023 Foreign Policy concept.
Russia supports independent hacker groups to carry out cyber attacks, making it easier to deny its direct involvement. Some groups operate under the direction of Russian military intelligence services.
Russia has a complex and well-funded system of information operations globally, advancing the country’s political interests.
This includes state-sponsored media like Russia Today (RT) and Sputnik, which are tasked with advancing Russian values and narratives globally, funded by the Russian federal budget.
Since 2013, Russia has targeted the Ukrainian government, infrastructure and civil services with cyber attacks.
During the 2014 Crimea invasion, Russia carried out DDoS attacks to damage the Ukrainian government and media, as well as to disrupt connectivity between Crimea and mainland Ukraine.
In 2015 and 2017, Russia targeted Ukrainian power grids, disrupting the electricity supply, and launched the NotPetya ransomware, leading to an estimated $10 billion in economic losses globally as the virus spread worldwide.
Months before the 2022 invasion, Russia launched cyber attacks on Ukrainian government websites and financial institutions. Then, just an hour before Russian forces crossed into Ukraine, Moscow targeted Viasat's KA-SAT, a satellite used by Ukraine for commanding troops and providing internet access.
Russia continues to target Ukraine's national government, military, energy, and media sectors in the cyberspace.
Russian recent cyber attacks were of limited scale and effect. It is unclear whether the reason is Russia's limited offensive power or Ukraine's strong defensive capability.
Since the beginning of the war, Ukraine conducted 58 attributed cyber attacks against Russia, while Russia conducted 43 such attacks against Ukraine.
Ukraine has revised its cyber strategy, moving from a purely defensive posture to developing offensive capabilities aimed at targeting the Russian state and private companies.
The impact of new technologies, such as Quantum Computing and Artificial Intelligence, will require countries to revise their cyber strategies due to the emergence of new threats.
Quantum computing may render current cryptographic defences obsolete.
AI will provide new tools for hackers, such as:
Deepfakes and artificial videos, facilitating realistic disinformation and identity theft
AI-created targeted disinformation campaigns exploiting social media algorithms
AI-coded malware, viruses and other damaging software created by or with assistance from AI tools.
The influence of cyber tools on warfare: Cyber operations are expected to continue playing a supportive rather than a decisive role in conflicts. Military leaders still prefer the certainty of on-field attacks and strikes to the more uncertain outcomes of cyber operations.
The role of individuals: The rise of hacktivists, or groups using hacker techniques to advance a political agenda, demonstrates how non-state or even individual actors can influence geopolitics. Additionally, hacktivists often collaborate with state-sponsored hacking groups, further blurring the direct involvement of countries in cyber warfare.
The targets of cyber attacks: Critical infrastructures like power grids, healthcare systems, and transportation networks will continue to be the main targets, undermining countries' national security and public safety. These risks increase as the infrastructures become part of the Internet of Things – a global network of hardware connected to each other through the internet.
Author Elia Preto Martini
Editor Anton Kutuzov
You can help us secure our long-term future!
Please consider sending us a regular donation.
Find out more:
Some resources and further reading:
Conflict in the Cyber Age (Foreign Policy)
Digital Defense Report 2023 (Microsoft)
Global Cybersecurity Outlook (World Economic Forum)
Cyber Operations During the Russo-Ukrainian War (CSIS)
Conflict in the 21st Century: Rise of Hybrid Warfare (F. Hoffman, PIPS)