War against Ukraine did not decrease threats in Lithuanian cyber space
The most active cyber groups that act against Lithuania are connected with Russia and China. Their priority remains continuous long-term collection of information related to Lithuanian internal and foreign affairs. Cyber groups seek to access government institutions’ and organisations’ IT systems; they gather both target information and technical data about the systems’ architecture and vulnerabilities. They also try to create mechanisms that allow long-term access to the systems. A temporary decrease in cyber groups’ hostile activities caused by Russia’s actions in Ukraine is unlikely to have a major effect on their long-lasting malicious operations in the medium term.
Russian cyber groups, coordinated by intelligence agencies, use the tools usually attributed to cyber criminals and also cooperate with non-state hackers. Attacks by cyber criminals are increasing in number and scope. It is likely that some of the attacks attributed to cyber criminals are in fact instigated by adversarial countries.
This collaboration is based on mutual benefits: state actors exploit this opportunity to mask their involvement in malicious activities, whereas criminal groups receive financial and technological support, acquire experience, and gain immunity from prosecution.
The war in Ukraine has demonstrated that criminal hacker groups, such as Killnet, Xaknet Team, or NoName, are ready to get involved in the conflict on the Russian side. In recent years, cyber criminals and cyber activists have supported Russia by trying to disrupt information processes and sow turmoil in society.
In 2022, these groups periodically conducted DDoS attacks against government and private sectors in Ukraine, the Baltic states, Poland, and other supporters of Ukraine. In summer, they carried out attacks against a wide spectrum of targets in Lithuania: critical infrastructure, government institutions, the logistics sector, and other organisations. The attacks did not cause any direct and lasting damage, but it is highly likely that cyber activists will continue to target countries that provide support to Ukraine or are not favourable to Russia.
While cyber espionage remains the main line of operation of state actors, destructive attacks have become increasingly prevalent. The purpose of these attacks is not only to disrupt the targeted systems’ activities and critical processes but also to destroy the data stored and managed within them. The main targets of attacks are usually IT networks of governmental organisations and critical infrastructure.
While in recent years attackers have mainly targeted Ukraine, they have also acted against NATO countries. In July 2022, hackers publicly attributed to Iran managed to get access to data managed by Albanian government institutions. They compromised the information systems with malware capable of irreversibly corrupting the data. As a result, websites of Albanian electronic services and institutions were partly disrupted. It is highly likely that in the future, the threat to organisations’ information systems of NATO, EU, and other states will grow, especially due to increased geopolitical tensions.
In 2022, Ghostwriter, a cyber-enabled influence campaign, significantly decreased its activity against NATO states. Whereas in 2021, at least 11 cyber-enabled information operations were launched against Lithuania, in 2022, there was only one. Contrary to previous attacks, this attack did not aim to spread disinformation about Lithuania’s internal and foreign affairs. The purpose of the attack was to get access to social media and e-mail accounts. It is highly likely that perpetrators were trying not only to get to the information held within these accounts but also to use the compromised accounts for spreading disinformation in the future.
It is likely that the decrease in cyber-enabled information operations in Lithuania is temporary and related to effort being redirected towards Ukraine, which has been a target of numerous Ghostwriter attacks in recent years. Nonetheless, attempts to gather Lithuanian citizens’ data indicate likely plans to target Lithuania in future attacks.