US reassessment of Russian cyber threat signals strategic shift in cyber geopolitics

The Guardian reports on a shift in US digital diplomacy with a major impact on global cyber geopolitics. Following rumours that the US would stop treating Russia as a cyber threat, the first public signal of this shift came in the US statement at the UN working group meeting on cybersecurity, where US representative Liesyl Franz named China and Iran as cyber threats but did not mention Russia. It is a significant shift in US digital diplomacy and cyber geopolitics.

The US representative also omitted the usual US references to allies and partners in cyber politics. The Guardian reports on various concerns about this shift, including the view of James Lewis, a US cybersecurity veteran: ‘It’s incomprehensible to give a speech about threats in cyberspace and not mention Russia, and it’s delusional to think this will turn Russia and the FSB [the Russian security agency] into our friends.’

This repositioning aligns with ongoing efforts to improve US-Russia relations, contrasting starkly with European allies’ views on the threat posed by Russia. It remains to be seen whether this shift is limited to cybersecurity or whether the US will revisit other aspects of AI and digital governance as well.

For more information on these topics, visit diplomacy.edu.

Democrats call for clarification on cyber pause against Russia

Democratic lawmakers are calling for an explanation from the Pentagon after reports surfaced about an order to pause offensive cyber operations against Russia during sensitive negotiations aimed at ending the war in Ukraine.

The decision to halt such operations, which disrupt rival computer networks, is not unusual in the context of diplomatic efforts but has raised concerns among lawmakers. The order was first reported by The Record and later confirmed by two anonymous sources familiar with the matter.

Senate Minority Leader Chuck Schumer criticised the move, calling it a ‘critical strategic mistake’ and arguing that ‘the best defence is always a strong offence’, especially in cybersecurity.

Representative Adam Smith, the top Democrat on the House Armed Services Committee, also demanded that the Pentagon provide Congress with details regarding the scope of the pause and its potential impact on US allies. He further questioned whether a risk assessment was made before the decision.

The Pentagon declined to comment on the matter, citing operational security concerns. The pause in cyber operations comes amid rising tensions surrounding President Donald Trump’s recent dealings with Russia, including a public clash with Ukrainian President Volodymyr Zelenskiy.

Trump has shifted US policy by engaging in talks with Moscow and openly criticising Zelenskiy, suggesting that America could pull its support for Ukraine if the war does not end soon.


US pauses cyber operations against Russia

US Defense Secretary Pete Hegseth has ordered a pause on all cyber operations against Russia, including offensive actions, as part of a broader reassessment of US operations related to Russia. The duration and specifics of the pause remain unclear, according to multiple US media reports. The Pentagon declined to comment on the matter, citing operational security concerns.

This move comes amid US President Donald Trump’s push for negotiations to end the war in Ukraine, as well as his recent criticism of Ukrainian President Volodymyr Zelensky. Trump has positioned himself as a mediator between Russian President Vladimir Putin and Zelensky, calling for less focus on Putin.

Despite media reports suggesting a shift in cyber strategy, US National Security Adviser Mike Waltz denied any policy change regarding cyber operations against Russia. He emphasised that efforts to end the war would continue with a range of diplomatic and strategic tools.


Philippine army investigates cyberattack on its networks

The Philippine Army has acknowledged a cyberattack after a local hacking group claimed responsibility for breaching its systems and accessing sensitive documents.

Army spokesperson Col. Louie Dema-ala confirmed the event, describing it as an “illegal access attempt” that was quickly contained. While the group behind the attack has been identified, no damage or data theft has been reported at this time.

Earlier this week, the Philippine digital security advocacy group Deep Web Konek reported that the hacker group Exodus Security claimed to have compromised 10,000 records of active and retired service members. The leaked information allegedly includes personal and military data, such as names, ranks, addresses, medical records, financial information, and criminal histories. However, the authenticity and exact scope of the data have yet to be independently verified.

Philippine authorities have also reported recent attempts by foreign actors to access intelligence data. Minister for Information and Communications Ivan Uy stated that foreign state-sponsored hackers had attempted but failed to infiltrate government systems.

In January, authorities arrested a Chinese national and two Filipino citizens accused of surveilling critical infrastructure, including military sites.


Cyber threats in 2024 shift to AI-driven attacks and cloud exploits, says CrowdStrike

A new report from CrowdStrike, the US-based cybersecurity company, examines the evolution of cyber threats in 2024, identifying shifts toward malware-free intrusions, artificial intelligence-assisted social engineering, and cloud-related vulnerabilities.

The researchers highlight an increase in cyber activity attributed to state-linked actors, a rise in identity-based attacks, and the growing role of generative AI in cyber operations. According to the report, 79% of cyber intrusions in 2024 did not involve traditional malware, compared to 40% in 2019. Attackers increasingly relied on remote management and monitoring tools to evade security measures. The average breakout time—the time taken for an attacker to move laterally within a compromised network—decreased to 48 minutes, with some intrusions occurring in under one minute.
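Two of the figures above, breakout time and the reliance on remote management and monitoring (RMM) tools, map directly onto metrics a defender can compute from endpoint telemetry. The following is an added example, not code from the CrowdStrike report or from the article: it parses a small set of constructed endpoint events, measures the time from each intrusion's initial access to its first lateral-movement event, flags intrusions that break out faster than the 48-minute average cited in the report (and those under one minute), and lists process starts that match an RMM watchlist. The log layout, incident ids, host names and the RMM process names are all constructed for illustration.

```python
"""Breakout-time and RMM-tool triage over constructed endpoint events.

Added example; not from the CrowdStrike report or the article it describes.
The field layout, incident ids, hosts and RMM process names are constructed.
"""
from datetime import datetime
from typing import Optional

# Constructed sample telemetry: timestamp|incident_id|host|event_kind|detail
SAMPLE_EVENTS = """\
2024-05-03T09:00:00Z|inc-1|ws01|initial_access|phishing attachment opened
2024-05-03T09:03:10Z|inc-1|ws01|process_start|anydesk.exe
2024-05-03T09:31:45Z|inc-1|srv07|lateral_movement|remote logon from ws01
2024-05-03T11:00:00Z|inc-2|ws02|initial_access|valid account logon from new geo
2024-05-03T11:00:40Z|inc-2|fs01|lateral_movement|admin share access from ws02
2024-05-03T13:00:00Z|inc-3|ws03|initial_access|web application exploit
2024-05-03T13:20:00Z|inc-3|ws03|process_start|notepad.exe
"""

# Constructed watchlist of process names associated with RMM tooling; an
# organisation would replace this with the tools it does not sanction.
RMM_WATCHLIST = {"anydesk.exe", "screenconnect.exe", "teamviewer.exe", "atera.exe"}


def _parse_ts(value: str) -> datetime:
    # Older Pythons reject a trailing 'Z' in fromisoformat; use an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text: str) -> list[dict]:
    """Parse pipe-delimited event lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, incident, host, kind, detail = line.split("|", 4)
        events.append({"ts": _parse_ts(ts), "incident": incident,
                       "host": host, "kind": kind, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def breakout_times(events: list[dict]) -> dict[str, Optional[float]]:
    """Minutes from first initial_access to first lateral_movement per incident.

    None means lateral movement has not (yet) been observed for that incident.
    """
    first_access: dict[str, datetime] = {}
    first_lateral: dict[str, datetime] = {}
    for e in events:
        if e["kind"] == "initial_access":
            first_access.setdefault(e["incident"], e["ts"])
        elif e["kind"] == "lateral_movement":
            first_lateral.setdefault(e["incident"], e["ts"])
    result: dict[str, Optional[float]] = {}
    for incident, start in first_access.items():
        end = first_lateral.get(incident)
        result[incident] = None if end is None else (end - start).total_seconds() / 60.0
    return result


def rmm_sightings(events: list[dict], watchlist=RMM_WATCHLIST) -> list[tuple]:
    """Process starts whose image name is on the RMM watchlist."""
    return [(e["incident"], e["host"], e["detail"])
            for e in events
            if e["kind"] == "process_start" and e["detail"].lower() in watchlist]


def triage(text: str, threshold_minutes: float = 48.0, watchlist=RMM_WATCHLIST) -> dict:
    """Summarise breakout speed and RMM usage; 48 min is the report's average."""
    events = parse_events(text)
    times = breakout_times(events)
    return {
        "breakout_minutes": times,
        "faster_than_threshold": sorted(i for i, m in times.items()
                                        if m is not None and m < threshold_minutes),
        "under_one_minute": sorted(i for i, m in times.items()
                                   if m is not None and m < 1.0),
        "rmm_sightings": rmm_sightings(events, watchlist),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_EVENTS))
```

The threshold is a triage aid, not a verdict: an intrusion with no lateral movement yet (inc-3 above) is reported as `None` rather than dropped, because a short breakout window is exactly the case where waiting for more evidence costs the most. The RMM check matches only on process name, so in practice it would be paired with signer and installation-path checks to separate sanctioned deployments from attacker-introduced ones.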

The report also highlights an increased reliance on exploiting vulnerabilities, particularly for initial access. More than 52% of vulnerabilities observed in 2024 were related to gaining an initial foothold in a system, underscoring the importance of securing entry points. Attackers increasingly leveraged chained vulnerability exploits—where multiple flaws are exploited in succession—to enhance their chances of success.

Cloud security incidents also saw an increase, with valid account abuse accounting for 35% of cloud-related intrusions. Attackers focused on services such as Microsoft 365 and SharePoint, as well as enterprise APIs, to gain unauthorized access and extract data. The report emphasizes that more than half of observed vulnerabilities in 2024 were related to initial access, with an increase in attacks using chained vulnerability exploits.

Generative AI played a growing role in cyber operations, including phishing, deepfake-based social engineering, and automated disinformation campaigns. The report cites activity from groups leveraging AI-powered tactics, such as the use of fake job interviews to infiltrate technology firms.


FBI says North Korea behind $1.5bn crypto heist

North Korean hackers have recorded the largest cryptocurrency theft, stealing approximately $1.5bn from the Dubai-based exchange ByBit. According to the FBI, the stolen funds have already been converted into Bitcoin and spread across thousands of blockchain addresses. The attack highlights North Korea’s growing expertise in cybercrime, with proceeds believed to be funding its nuclear weapons programme.

The notorious Lazarus Group, linked to the regime, has been responsible for several high-profile hacks, including the theft of over $1.3bn in cryptocurrency last year. Experts say the group employs advanced malware and social engineering tactics to breach exchanges and launder stolen assets into fiat currency. These funds are critical for bypassing international sanctions and financing North Korea’s military ambitions.

Beyond cybercrime, Pyongyang has deepened its ties with Russia, allegedly supplying troops and weapons in exchange for financial backing and technological expertise. Meanwhile, the regime has recently reopened its borders to a limited number of international tourists, aiming to generate much-needed foreign income. As global scrutiny intensifies, concerns are growing over North Korea’s increasing reliance on illicit activities to prop up its economy and expand its military power.


EU Commission proposes enhanced cyber crisis management framework

The EU Commission introduced a proposal aimed at strengthening the EU’s response to large-scale cyber attacks. This recommendation to the Council of Ministers seeks to update the existing EU framework for crisis management in cybersecurity and outline the roles of relevant EU actors, including civilian and military entities as well as NATO.

Specifically, the proposal aims to establish coordination points with NATO to facilitate information sharing during cyber crises, including interconnections between systems. If Member States deploy defense initiatives during a cybersecurity incident, they must inform EU-CyCLONe and the EU Cyber Commanders Conference.

The High Representative, in collaboration with the Commission and relevant entities, should facilitate information flow with strategic partners during identified incidents and enhance coordination against malicious cyber activities using the cyber diplomacy toolbox. Joint exercises should be organized to test cooperation between civilian and military components during significant incidents, including those affecting NATO allies and candidate countries.

The Commission noted that a significant cybersecurity incident could overwhelm the response capabilities of individual Member States and impact multiple EU countries, potentially leading to a crisis that disrupts the internal market and poses risks to public safety. It encourages the establishment of voluntary collaborative clusters to foster cooperation and trust in cybersecurity. Member States can create these clusters based on existing information-sharing frameworks, focusing on common threats while adhering to the mandates of participating actors.

The document emphasizes the importance of a comprehensive and integrated approach to crisis management across all sectors and levels of government. It highlights that if cybersecurity incidents are part of a broader hybrid campaign, stakeholders should collaborate to develop a unified situational awareness across sectors.

Within twelve months of adopting the cybersecurity blueprint, Member States must develop a unified taxonomy for cyber crisis management and establish guidelines for the secure handling of cybersecurity information. The proposal emphasises avoiding over-classification to promote the sharing of non-classified information through established cooperation platforms.

To enhance preparedness for crises and improve organizational efficiency, Member States and relevant entities should conduct ongoing cyber exercises based on scenarios derived from EU-coordinated risk assessments, aligning with existing crisis response mechanisms. Smaller exercises should test interactions during escalating incidents, while the Commission, EEAS, and ENISA will organize an exercise within eighteen months to evaluate the cybersecurity blueprint, involving all relevant stakeholders, including the private sector.

The proposal also recommends that Member States and critical infrastructure operators integrate at least one Union-based DNS infrastructure, such as DNS4EU, to ensure reliable services during crises. ENISA and EU-CyCLONe are tasked with creating emergency failover guidelines for transitioning to Union-based DNS in case of service failures.

While the cybersecurity blueprint does not interfere with how entities define their internal procedures, each entity should clearly define the interfaces used for working with other entities. These interfaces should be jointly agreed upon between the entities concerned and documented.

National and cross-border cyber hubs should share threat information to bolster protection against Union-specific threats, and Member States are encouraged to engage in a multistakeholder forum to identify best practices and standards for securing critical Internet infrastructure. Public and private entities should implement threat-informed detection strategies to proactively identify potential disruptions. They must share information about covert operations with partners before crises escalate and report potential cyber crises to relevant networks, while the CSIRTs Network and EU-CyCLONe establish procedures for coordinating responses to large-scale incidents.


China and North Korea-linked accounts shut down by OpenAI

OpenAI has removed accounts linked to users in China and North Korea over concerns they were using ChatGPT for malicious activities.

The company cited cases of AI-generated content being used for surveillance, influence campaigns, and fraudulent schemes. AI tools were employed to detect the operations.

Some accounts produced news articles in Spanish that criticised the US and were later published under a Chinese company’s byline. Others, potentially connected to North Korea, created fake resumes and online profiles in an attempt to secure jobs at Western firms.

A separate operation, believed to be tied to financial fraud in Cambodia, used ChatGPT to generate and translate comments on social media.

The US government has raised concerns over China’s use of AI to spread misinformation and suppress its population. Security risks associated with AI-driven disinformation and fraudulent activities have led to increased scrutiny of how such tools are being used globally.

OpenAI’s ChatGPT remains the most widely used AI chatbot, with over 400 million weekly active users. The company is also in discussions to secure up to $40 billion in funding, which could set a record for a private firm.


Estonia leads the charge in defence tech investment

Estonia, a small Baltic nation with a population of 1.4 million, has emerged as a leader in the rush to fund defence projects in response to Russia’s 2022 invasion of Ukraine. With heightened security concerns in the region, particularly among the Baltic states that share a border with Russia, Estonia has leveraged its thriving tech sector to fuel investment in defence technologies. The war has created an urgent need for innovation, prompting tech entrepreneurs such as Sten Tamkivi, a former Skype executive, to direct investment towards defence, European sovereignty, and security solutions.

Estonia’s role in supporting emerging defence companies is made possible by the country’s strong network of tech unicorns and wealthy entrepreneurs. With companies like Skype, TransferWise, and Bolt originating from Estonia, local tech executives have the financial resources to invest in critical military technologies. Moreover, Estonia’s proximity to Ukraine allows for rapid collaboration on the frontlines, testing new technologies such as AI-driven defence tools and drones. This has positioned the country as a central player in Europe’s defence tech landscape, with the number of defence-focused funding rounds in Eastern Europe growing sharply since the war began.

Across Central and Eastern Europe, the growing interest in defence tech is evident, with funds like Presto Ventures in Prague also tapping into the sector. The Czech Republic has launched initiatives to support small enterprises in defence, while Estonia has introduced a 100 million euro fund to support the development of its own defence tech ecosystem. Estonia’s longer-term goal is to reach 2 billion euros in defence tech revenue by 2030, focusing on disruptive, offensive technologies.

The region’s defence tech startups are benefiting from a shift in investor sentiment, with venture capital pouring into areas like AI, quantum computing, and cybersecurity. Despite initial doubts about the sector’s growth, the continuing conflict in Ukraine has ensured that defence technology remains a critical priority.


Rising foreign cyber threats test Philippine security

The Philippines has reported attempts by foreign actors to infiltrate government intelligence systems, though no breaches have occurred, according to Cyber Minister Ivan Uy.

Advanced Persistent Threats (APTs), often linked to state-backed groups, have persistently targeted the nation but failed to compromise its cybersecurity defences.

Uy highlighted that some threats, described as ‘sleepers’, had been embedded in systems before being uncovered through government cybersecurity measures. He expressed concerns about such threats operating undetected for extended periods.

Efforts to trace the origins of these attacks are challenging, as hackers often leave misleading evidence. Diplomatic cooperation and intelligence sharing with the military and international allies have become key tools in countering these threats.

Last year, the government successfully thwarted cyberattacks allegedly originating in China, including attempts to breach systems related to maritime security. Uy noted that global cyber conflicts resemble a ‘non-kinetic World War III’, with nations and organisations exploiting digital vulnerabilities for strategic or financial gain.

In addition to cyberattacks, the Philippines is grappling with rising misinformation, deepfakes, and ‘fake news media outlets’ ahead of its mid-term elections in May.

The ministry has deployed tools to counter these risks, emphasising their potential to harm democracies reliant on informed public opinion during elections.
