Cyber operations against NATO’s aid mission in Turkey and Syria (2023)

From International cyber law: interactive toolkit
Date: 12 February 2023.[1] The cyber operations took place in the aftermath of a massive earthquake, which happened on 6 February 2023 and affected Turkey and Syria.[2] In response, many states and organizations provided support and aid to the affected areas.
Suspected actor: KillNet, a hacktivist group suspected to be connected to Russia. Its focus allegedly mirrors Russia's objectives, although no direct link to Russian institutions has been uncovered.[3] The supposed founder of the KillNet group (KillMilk) posted a message about the start of the attack on one of the Telegram channels used by the group.[4]
Target: The apparent targets included NATO and the Strategic Airlift Capability (SAC),[5] a multinational initiative to provide airlift capability for humanitarian or military support. It is closely tied to NATO through the NATO Airlift Management Programme, which is the legal entity under which SAC operates and which is part of the NATO Support and Procurement Agency (NSPA).[6] NSPA's webpage was one of the targeted sites.[4]
Targeted systems: Various NATO websites. Disruption of one of them resulted in the SAC losing contact with one of the planes whilst it was in flight.[7]
Method: A series of coordinated DDoS (distributed denial-of-service) attacks. It was announced as an "attack on all NATO units".[4]
Purpose: Not stated publicly, but the attack was consistent with KillNet's ongoing general focus on governments and organizations supporting Ukraine during the ongoing Russia-Ukraine international armed conflict.[8] Some cyber experts are of the opinion that the purpose was specifically to disrupt the ongoing humanitarian efforts in Turkey and Syria.[4]
Result: It was reported that, because of the attack, NATO's NR network faced issues. This network is supposed to be used to transfer sensitive data. The issues supposedly affected communication between the SAC and one of the aircraft, but its crew was informed of this by other means, so some sort of contact with the aircraft was still possible.[1] No damage to the aircraft was reported.
Aftermath: Nothing to note. It was reported that NATO cyber experts were actively addressing the incident, and two days later the Secretary General of NATO remarked that some websites still experienced availability issues.[9]
Analysed in: Scenario 13: Cyber operations as a trigger of the law of armed conflict

Scenario 25: Cyber disruption of humanitarian assistance

Scenario 28: Extraterritorial incidental civilian cyber harm

Collected by: Otakar Horák

  1. J Kilner and D Milward, "Russian hackers disrupt Turkey-Syria earthquake relief" 12 February 2023, The Telegraph
  2. Center for Disaster Philanthropy, "2023 Turkey-Syria Earthquake" 22 September 2023
  3. Mandiant, "KillNet Showcases New Capabilities While Repeating Older Tactics" 20 July 2023
  4. R Daws, "Russian hackers disrupt NATO comms used for earthquake relief" 13 February 2023, Telecoms Tech News
  5. "The Strategic Airlift Capability"
  6. "NATO Airlift Management Programme Office"
  7. K Plummer, "Russian hackers ‘disrupt Turkey-Syria earthquake aid’ in cyber attack on Nato" 13 February 2023, The Independent
  8. C Warner, "KillNet: Who, What, Where, Why, How" 12 October 2022, Medium
  9. A Scroxton, "Killnet DDoS attacks disrupt Nato websites" 13 February 2023, ComputerWeekly