Europe

One of the greatest geocyber risks that Europe faces is destabilisation. The purpose of Europe as a combined entity is to be unified in order to ensure a shared development and a place on the international stage. This can lead to attempts to weaken it from abroad. One striking example is Brexit, which has marked a profound geopolitical reconfiguration in Europe. This shift has been exploited by threat actors to weaken political entities such as the European Union and the United Kingdom itself.

_BREXIT EXPLOITED AS A WAY TO TARGET GOVERNMENT AGENCIES IN THE UK AND WESTERN EUROPE

In 2018, the ATK5 (APT28, Sofacy) group, known for its involvement on the 2016 U.S presidential election campaign and its allegedly close ties to Russian intelligence, conducted a phishing scheme targeting Western Europe and the United Kingdom in particular. Fake Brexit-related document containing the Zebrocy malware were sent to multiple specific targets, enabling ATK5 to break into the computer networks of European government agencies. Most importantly, this attack displays the ability of attacker groups to leverage sensitive political issues and turn them into potential attack vectors. Zebrocy acted as a first-stage backdoor and was used to perform system reconnaissance, create or modify files, execute commands, take screenshots and create Windows scheduled tasks.

_PLAYING ON THE WEST’S FEARS: THE EXAMPLE OF THE ATTACK ON TV5MONDE

Some attacks also take advantage of internal crisis in certain countries to destabilise public opinion. On 8 April 2015, a hacker group took control of the TV5Monde website and its social media accounts and caused television programmes to be interrupted for several hours. We now know that this attack was carried out by ATK5 (APT28), although it has not been directly attributed to the group. A hacker group calling itself the Cyber Caliphate, linked to so-called Islamic State, first claimed responsibility. To shed light on the attack and identify the real perpetrators, TV5Monde called in technical experts from ANSSI, France’s national agency for information system security, who restored service and conducted a forensic investigation to search for clues. As their investigation progressed, suspicions began to point to ATK5 (APT28). The evidence gathered by the experts looked similar to a modus operandi already used by the group. As reflected in this attack, it should be noted that groups such as ATK5 (APT28) use visceral issues of contention between or within European countries to destabilise and weaken them3. Interestingly enough, the main destabilising agent is not the attacks itself but rather its erroneous attribution to a entity close to ISIS, creating an alliance of circumstance between an ideological opponent wishing to undermine European influence and a civilizational adversary who uses the claim to instil fear within the population.

Europe has many large corporations and SMEs (Small to medium-sized enterprises) that are interdependent at continental level. They are also part of the global economy. This European financial, industrial and innovation ecosystem inevitably attracts the attention of large cybercriminal groups as well as actors motivated by industrial espionage.

_THE ERA OF CYBER-EXTORTION AND THE RISK OF GLOBAL SUPPLY CHAIN ATTACKS

On 30 January 2020, French contractor Bouygues Construction was the victim of an attack claimed by the group of attackers behind the Maze ransomware4 . The operators demanded a ransom of €10 million from the French group in exchange for a decryption key and the guarantee that its sensitive data would not be leaked. On 21 October 2020, Sopra Steria announced that it had fallen victim to the Ryuk ransomware5. A month later, in November 2020, Italy-based international energy group Enel announced that it had become the victim of the Netwalker ransomware and that its operators were demanding a payment of some €14 million6. Most European companies are closely integrated into the market economy and are therefore especially vulnerable to supply chain attacks. During the REvil ransomware attack on IT management software company Kaseya in July 2021, over 1,000 other organizations were impacted, mostly in Europe7 . Swedish supermarket franchise Coop had to close 800 stores because they were unable to use their cash registers8. This supply chain attack culminated in a record ransom demand of $70 million in return for a universal decryption key.

_AIRBUS VICTIM OF INDUSTRIAL ESPIONAGE AND THE RISK OF GLOBAL ATTACKS VIA THE SUPPLY CHAIN

Supply chain attacks on European industrial or financial groups are not only motivated by financial gain but also by technological catch-up. As a result, industrial espionage against major European corporations is now a significant threat. In 2019, Airbus was hit by a supply chain attack designed to steal information about the A350 airliner and the A400M military transport plane9 . The attack was initially attributed to the Chinese hacker group ATK41 (APT10), then to the ATK146 group (Avivore)10. It should be noted that it is difficult to determine the exact origin of this attack, mainly because Chinese espionage groups tend to share their infrastructure and attack tools. This sophisticated attack demonstrated the strategic adaptability of certain groups and the advanced threat posed by supply chain attacks. For the attackers, the impossibility of a frontal attack on the Airbus group was circumvented by compromising suppliers of the aircraft manufacturer such as Rolls-Royce or Expleo, laying the ground for actors with basic capabilities to attack high value targets.

Europe, as we explained earlier, is a geopolitical space with a diverse array of identities, territories, political orientations and societies, which can lead to conflicts.

_AREAS OF INSTABILITY

UKRAINE

On the edge of Europe, in Ukraine, an armed conflict between Ukrainian government forces and Russian separatist militias has been ongoing since 2014. It is the result of the annexation of Crimea by Russia, which provoked an open war in eastern Ukraine. In 2014 and 2015, Germany, France, Ukraine and Russia ratified two different versions of the Minsk agreements to settle the conflict and end the fighting in the industrialized regions of Donetsk and Luhansk. These agreements were never implemented and the conflict was prolonged, taking the form of a trench war along the front line. The conflict has escalated in December 2021 with Russia moving troops near the border, making western governments fear a military attack of Ukraine.

_CYBERATTACKS AGAINST UKRAINE AMID TENSIONS WITH RUSSIA

The ongoing armed conflict between the Ukrainian military and pro-Russian troops has sparked an intense cyber activity in the region, targeting especially the Ukrainian territory.

The ATK14 hacker group (BlackEnergy) has long been known for targeting companies in Europe’s energy sector. Starting in early 2015, the group infiltrated a large number of Ukrainian electricity distribution companies in order to install the BlackEnergy malware and access their OT/SCADA infrastructure. On 23 December 2015, hackers successfully compromised the SCADA systems of three Ukrainian energy companies and shut down their substations. They used the KillDisk plugin to destroy files on workstations. The group also launched a more conventional DDoS attack on the call centres of the three companies to make them unavailable to customers. The attack left about 230,000 people without power for nearly six hours in the Ivano-Frankivsk, Chernivtsi and Kiev oblasts (regions). This attack is one of the first cases of cyber sabotage directed at a power grid and demonstrates the determination and skill of the attackers. It is still not known whether the malware caused the power outage, or simply allowed its operators to do it manually.

On June 2017, a major cyberattack hit Ukrainian companies. The malware used is a new version of Petya, a family of ransomware uncovered in 2016, which had been infecting Windows-based systems. This attack dubbed NotPetya, initially targeting Ukrainian infrastructures spread globally and is still considered as one of the most destructive cyberattack ever achieved. The attackers leveraged the EternalBlue vulnerability and used unpatched computers to propagate across entire networks. The UK government, through its National Cyber Security Centre asserted with a high degree of confidence that the Russian military had carried out the NotPetya cyberattack, whose objective was to disrupt energy companies and government institutions in Ukraine13. The estimated cost for the global economy reaches 10 billion dollars.

On the night of January 13-14, 2022, a cyberattack named “Operation Bleeding Bear” affected several Ukrainian government sites, rendering the computer structure of state-owned sites temporarily inoperable. This low-complexity attack consisted of the defacement of the targeted sites with the replacement of the homepage with a propaganda message in Ukrainian. It seems that the attacker exploited a known vulnerability in a content management system (CMS). Besides, a dozen of systems (Windows and Linux) were also destroyed by a wiper malware. This attack comes in a context of escalating tensions due to the failure of negotiations and the massive presence of pro-Russian forces stationed at the border. If Ukraine points the finger at the group of hackers known as UNC1151, affiliated with the Belarusian secret service, the low level of technicality of the attacker opens up a wide range of possibilities in terms of its origin, from individual hackers to state-sponsored groups. This attack is indicative of the use of non-traditional fields including cyber in the pursuit of political objectives. In this case, the destabilization of the Ukrainian government as well as the loss of confidence of the Ukrainian population towards its institutions seem to be the objectives pursued.

WESTERN BALKANS

The Western Balkan is a region composed of several eastern European countries, namely Bosnia-Herzegovina, Croatia, Kosovo, Northern Macedonia, Montenegro, Serbia and Slovenia. In this region, where ethnic and religious tensions still exist between Kosovo and Serbia, and within Bosnia-Herzegovina itself, the European Union is trying to bring political stability through agreements pending eventual integration14. The issue remains complex because Russia also exerts an influence in the region, which can exacerbate geopolitical destabilisation and lead to cyberattacks.

BALTIC STATES

The Baltic states are a region where the homogenisation four dimensions — identity, society, politics and territory — is proving difficult. These countries, which declared independence in 1990 after the collapse of the Soviet Union, quickly sought to distance themselves from Russia’s sphere of influence by refusing to be integrated into the Commonwealth of Independent States (CIS) and instead joining the EU and NATO in 2004. Since the 2016 Warsaw Summit., they have benefited from NATO airspace and on the ground protection. While the region may seem well protected, it remains surrounded by Russian influence to the east and south (Kaliningrad enclave and Russian forces in Belarus) and lies in part alongside Russia’s access route to the Baltic Sea. It should also be noted that there are significant Russian minorities in these countries (26.5% in Estonia, 26% in Latvia and 5.8% in Lithuania).

_MASSIVE CYBERATTACKS IN ESTONIA

In addition to these attacks, which are exceptional in terms of their consequences, European countries are regularly under threat from strategic espionage campaigns by foreign groups.

CONTINUOUS ESPIONAGE

In November 2019, ANSSI, France’s national agency for information system security, reported cyberattacks against service providers and design offices. The hackers used the PlugX malware to infiltrate their systems, steal data and, almost certainly, access the networks of their clients. In July 2021, it was discovered that the Pegasus spyware was being used on a massive scale — a reminder of the strategic nature of certain ypes of cyberattacks. More recently, in September 2021, the German authorities announced that German politicians had been spied on in the run-up to the federal elections by the Ghostwriter gang, an APT group known for its alleged close ties with Russian military service GRU. This is not the first time Germany has been at the center of an espionage-motivated attack campaign, as between 2017 and 2018 its government agencies were reportedly targeted by ATK56 (APT28), another group linked to Russia. During this incident, the hackers managed to gain access to the network of several German ministries (foreign affairs, defence) as well as the German’s Chancellery and the Federal Court of Auditors. German interests are also closely scrutinized by other countries, most notably Iran and China. The activity of Iranian attack groups on German targets has intensified recently with the rise of tensions in the Gulf and the maintenance of financial sanctions. A report by the Dutch intelligence services even pointed to the Iranian strategy of using cyber espionage as a tool in the quest to acquire European military technology. This strategy even extends to the political domain with the surveillance of its expatriate population in the Netherlands and the monitoring of the criticism addressed to the Iranian regime.

​

As we have seen, Europe is a complex geopolitical space where multiple spheres of power and various models are at play, chief among them the European Union, NATO and Russia. These models sometimes clash, leading to crises that are conducive to the emergence of cyberthreats — as in Ukraine, the Baltic countries and the Western Balkans. Europe is the product of permanent oscillation between unity and plurality of identities, with political aspirations that can provoke societal, economic, political and territorial crises, and that can be utilised as levers of destabilisation by cyberattacker groups. Europe is also highly integrated into the globalisation process, with industrial and financial champions, but also thanks to a myriad of SMEs, which are permanent targets of organised cybercrime and even industrial espionnage