FBI says North Korea behind $1.5bn crypto heist

North Korean hackers have carried out the largest cryptocurrency theft on record, stealing approximately $1.5bn from the Dubai-based exchange ByBit. According to the FBI, the stolen funds have already been converted into Bitcoin and spread across thousands of blockchain addresses. The attack highlights North Korea’s growing expertise in cybercrime, with proceeds believed to be funding its nuclear weapons programme.

The notorious Lazarus Group, linked to the regime, has been responsible for several high-profile hacks, including the theft of over $1.3bn in cryptocurrency last year. Experts say the group employs advanced malware and social engineering tactics to breach exchanges and launder stolen assets into fiat currency. These funds are critical for bypassing international sanctions and financing North Korea’s military ambitions.

Beyond cybercrime, Pyongyang has deepened its ties with Russia, allegedly supplying troops and weapons in exchange for financial backing and technological expertise. Meanwhile, the regime has recently reopened its borders to a limited number of international tourists, aiming to generate much-needed foreign income. As global scrutiny intensifies, concerns are growing over North Korea’s increasing reliance on illicit activities to prop up its economy and expand its military power.

For more information on these topics, visit diplomacy.edu.

EU Commission proposes enhanced cyber crisis management framework

The EU Commission introduced a proposal aimed at strengthening the EU’s response to large-scale cyber attacks. This recommendation to the Council of Ministers seeks to update the existing EU framework for crisis management in cybersecurity and outline the roles of relevant EU actors, including civilian and military entities as well as NATO.

Specifically, the proposal aims to establish coordination points with NATO to facilitate information sharing during cyber crises, including interconnections between systems. If Member States deploy defense initiatives during a cybersecurity incident, they must inform EU-CyCLONe and the EU Cyber Commanders Conference.

The High Representative, in collaboration with the Commission and relevant entities, should facilitate information flow with strategic partners during identified incidents and enhance coordination against malicious cyber activities using the cyber diplomacy toolbox. Joint exercises should be organized to test cooperation between civilian and military components during significant incidents, including those affecting NATO allies and candidate countries.

The Commission noted that a significant cybersecurity incident could overwhelm the response capabilities of individual Member States and impact multiple EU countries, potentially leading to a crisis that disrupts the internal market and poses risks to public safety. It encourages the establishment of voluntary collaborative clusters to foster cooperation and trust in cybersecurity. Member States can create these clusters based on existing information-sharing frameworks, focusing on common threats while adhering to the mandates of participating actors.

The document emphasizes the importance of a comprehensive and integrated approach to crisis management across all sectors and levels of government. It highlights that if cybersecurity incidents are part of a broader hybrid campaign, stakeholders should collaborate to develop a unified situational awareness across sectors.

Within twelve months of adopting the cybersecurity blueprint, Member States must develop a unified taxonomy for cyber crisis management and establish guidelines for the secure handling of cybersecurity information. The proposal emphasises avoiding over-classification to promote the sharing of non-classified information through established cooperation platforms.

To enhance preparedness for crises and improve organizational efficiency, Member States and relevant entities should conduct ongoing cyber exercises based on scenarios derived from EU-coordinated risk assessments, aligning with existing crisis response mechanisms. Smaller exercises should test interactions during escalating incidents, while the Commission, EEAS, and ENISA will organize an exercise within eighteen months to evaluate the cybersecurity blueprint, involving all relevant stakeholders, including the private sector.

The proposal also recommends that Member States and critical infrastructure operators integrate at least one Union-based DNS infrastructure, such as DNS4EU, to ensure reliable services during crises. ENISA and EU-CyCLONe are tasked with creating emergency failover guidelines for transitioning to Union-based DNS in case of service failures.

While the cybersecurity blueprint does not interfere with how entities define their internal procedures, each entity should clearly define the interfaces used for working with other entities. These interfaces should be jointly agreed upon between the entities concerned and documented.

National and cross-border cyber hubs should share threat information to bolster protection against Union-specific threats, and Member States are encouraged to engage in a multistakeholder forum to identify best practices and standards for securing critical Internet infrastructure. Public and private entities should implement threat-informed detection strategies to proactively identify potential disruptions. They must share information about covert operations with partners before crises escalate and report potential cyber crises to relevant networks, while the CSIRTs Network and EU-CyCLONe establish procedures for coordinating responses to large-scale incidents.

China and North Korea-linked accounts shut down by OpenAI

OpenAI has removed accounts linked to users in China and North Korea over concerns they were using ChatGPT for malicious activities.

The company cited cases of AI-generated content being used for surveillance, influence campaigns, and fraudulent schemes. AI tools were employed to detect the operations.

Some accounts produced news articles in Spanish that criticised the US and were later published under a Chinese company’s byline. Others, potentially connected to North Korea, created fake resumes and online profiles in an attempt to secure jobs at Western firms.

A separate operation, believed to be tied to financial fraud in Cambodia, used ChatGPT to generate and translate comments on social media.

The US government has raised concerns over China’s use of AI to spread misinformation and suppress its population. Security risks associated with AI-driven disinformation and fraudulent activities have led to increased scrutiny of how such tools are being used globally.

OpenAI’s ChatGPT remains the most widely used AI chatbot, with over 400 million weekly active users. The company is also in discussions to secure up to $40 billion in funding, which could set a record for a private firm.

Estonia leads the charge in defence tech investment

Estonia, a small Baltic nation with a population of 1.4 million, has emerged as a leader in the rush to fund defence projects in response to Russia’s 2022 invasion of Ukraine. With heightened security concerns in the region, particularly among the Baltic states that share a border with Russia, Estonia has leveraged its thriving tech sector to fuel investment in defence technologies. The war has created an urgent need for innovation, prompting tech entrepreneurs such as Sten Tamkivi, a former Skype executive, to direct investment towards defence, European sovereignty, and security solutions.

Estonia’s role in supporting emerging defence companies is made possible by the country’s strong network of tech unicorns and wealthy entrepreneurs. With companies like Skype, TransferWise, and Bolt originating from Estonia, local tech executives have the financial resources to invest in critical military technologies. Moreover, Estonia’s proximity to Ukraine allows for rapid collaboration on the frontlines, testing new technologies such as AI-driven defence tools and drones. This has positioned the country as a central player in Europe’s defence tech landscape, with the number of defence-focused funding rounds in Eastern Europe growing sharply since the war began.

Across Central and Eastern Europe, the growing interest in defence tech is evident, with funds like Presto Ventures in Prague also tapping into the sector. The Czech Republic has launched initiatives to support small enterprises in defence, while Estonia has introduced a 100 million euro fund to support the development of its own defence tech ecosystem. Estonia’s longer-term goal is to reach 2 billion euros in defence tech revenue by 2030, focusing on disruptive, offensive technologies.

The region’s defence tech startups are benefiting from a shift in investor sentiment, with venture capital pouring into areas like AI, quantum computing, and cybersecurity. Despite initial doubts about the sector’s growth, the continuing conflict in Ukraine has ensured that defence technology remains a critical priority.

Rising foreign cyber threats test Philippine security

The Philippines has reported attempts by foreign actors to infiltrate government intelligence systems, though no breaches have occurred, according to Cyber Minister Ivan Uy.

Advanced Persistent Threats (APTs), often linked to state-backed groups, have persistently targeted the nation but failed to compromise its cybersecurity defences.

Uy highlighted that some threats, described as ‘sleepers’, had been embedded in systems before being uncovered through government cybersecurity measures. He expressed concerns about such threats operating undetected for extended periods.

Efforts to trace the origins of these attacks are challenging, as hackers often leave misleading evidence. Diplomatic cooperation and intelligence sharing with the military and international allies have become key tools in countering these threats.

Last year, the government successfully thwarted cyberattacks allegedly originating in China, including attempts to breach systems related to maritime security. Uy noted that global cyber conflicts resemble a ‘non-kinetic World War III’, with nations and organisations exploiting digital vulnerabilities for strategic or financial gain.

In addition to cyberattacks, the Philippines is grappling with rising misinformation, deepfakes, and ‘fake news media outlets’ ahead of its mid-term elections in May.

The ministry has deployed tools to counter these risks, emphasising their potential to harm democracies reliant on informed public opinion during elections.

Pro-Russian hackers target Italian banks and airports in cyber attack

A wave of cyber attacks hit around 20 Italian websites, including those of banks and airports, in an incident linked to rising tensions between Rome and Moscow.

Italy’s cybersecurity agency attributed the attacks to the pro-Russian hacker group Noname057(16), which targeted websites such as Intesa Sanpaolo, Banca Monte dei Paschi, Iccrea Banca, and Milan’s Linate and Malpensa airports. Authorities reported no major disruptions.

The attack followed recent remarks by Italian President Sergio Mattarella, who compared Russia’s war on Ukraine to Nazi Germany’s expansionism.

Moscow condemned the statement, while Italian Prime Minister Giorgia Meloni defended it. The hackers cited Mattarella’s comments as motivation for their actions, according to Italy’s cybersecurity agency.

Noname057(16) previously claimed responsibility for a cyber attack on Italy in December, which targeted around 10 institutional websites. Some of the affected organisations declined to comment on the latest breach, while others reported no operational impact. Italian authorities continue to monitor the situation.

Google: Cybercrime now a national security threat, enabling state-backed attacks

A new report from Google states that cybercrime continues to expand, intersecting with state-backed cyber operations. Released ahead of the Munich Security Conference, research from Google’s Threat Intelligence Group and Mandiant outlines findings from their investigations in 2024 and trends observed over the past four years.

In 2024, Mandiant consultants responded to nearly four times as many incidents involving financially motivated actors compared to state-backed intrusions. However, the report notes that state-affiliated groups are increasingly leveraging cybercriminal tools and services, and at the same time ‘cybercrime receives much less attention from national security practitioners than the threat from state-backed groups’.

According to Google, financially motivated and state-backed cyber activities are becoming more interconnected. Cybercriminal ecosystems facilitate the acquisition of malware, vulnerabilities, and operational support, offering lower-cost alternatives to state-developed capabilities.

The report emphasises that while cybercrime and state-backed cyber operations increasingly overlap, responses to these threats require distinct strategies. Cybercrime often involves networks operating across jurisdictions, necessitating international collaboration to address its impact effectively.

Former GCHQ chief calls for transparency amid UK’s attempt to access encrypted iCloud accounts

A controversy has emerged over the British government’s reported attempt to compel Apple to grant authorities access to encrypted iCloud accounts, leading to calls for increased transparency from intelligence agencies. Sir Jeremy Fleming, the former head of the UK’s GCHQ from 2017 to 2023, addressed this issue at the Munich Cyber Security Conference, highlighting the need for public understanding and trust in intelligence operations. He emphasised that an agency’s ‘license to operate’ should be grounded in transparency.

The UK government has contested the description of a ‘back door’ in relation to the notice, clarifying that it seeks to ensure Apple maintains the capability to provide iCloud data in response to lawful warrants, a function that existed prior to the introduction of end-to-end encryption for iCloud in December 2022.

Since 2020, Apple has provided iCloud data to UK authorities in response to four of more than 6,000 legal requests for customer information under non-IPA laws. However, this data excludes requests made under the Investigatory Powers Act (IPA), the UK’s primary law for accessing tech company data.

Fleming emphasised the importance of intelligence agencies providing clear explanations of their operations, particularly in relation to new technologies. He pointed out the need for a better understanding of how intelligence agencies operate in practice, particularly as technological advancements change their methods.

Europol arrests four Russians in ransomware crackdown

Authorities have arrested four Russian nationals suspected of deploying Phobos ransomware to extort payments from victims across Europe and beyond. Europol announced that law enforcement agencies from 14 countries worked together to dismantle the network, taking down 27 servers linked to the cybercriminals. The individuals arrested were reportedly leaders of the 8Base ransomware group, a key player in distributing Phobos malware.

The operation follows a series of recent arrests targeting Phobos-related cybercrime. In June 2024, a key administrator of the ransomware was apprehended in South Korea and later extradited to the United States, while another major affiliate was arrested in Italy last year. Authorities have since issued warnings to over 400 companies worldwide about imminent cyberattacks.

Phobos ransomware has been particularly damaging to small and medium-sized businesses, which often lack strong cybersecurity protections. Europol’s latest crackdown is a significant step in weakening the ransomware network and preventing further cyber extortion.

Bloomberg: Google drops pledge to avoid harmful AI uses, including weapons

Google has removed a key passage from its AI principles that previously committed to steering clear of potentially harmful applications, including weapons. The now-missing section, titled ‘AI applications we will not pursue,’ explicitly stated that the company would not develop technologies likely to cause harm, as seen in archived versions of the page reviewed by Bloomberg.

The change has sparked concern among AI ethics experts. Margaret Mitchell, former co-lead of Google’s ethical AI team and now chief ethics scientist at Hugging Face, criticised the move. ‘Having that removed is erasing the work that so many people in the ethical AI space and the activist space as well had done at Google, and more problematically, it means Google will probably now work on deploying technology directly that can kill people,’ she said.

With ethics guardrails shifting, questions remain about how Google will navigate the evolving AI landscape—and whether its revised stance signals a broader industry trend toward prioritising market dominance over ethical considerations.