Cyber operations against NATO’s aid mission in Turkey and Syria (2023): Difference between revisions

From International cyber law: interactive toolkit
Jump to navigation Jump to search
Content added Content deleted
VisualWikitext
(proofreading, minor edits)
mNo edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
{| class="wikitable"
{| class="wikitable"
! scope="row"|Date
! scope="row"|Date
|During the days following the 2023 Turkey Syria earthquake. After one of the strongest earthquakes in the area, which happened on 6 February 2023,<ref>Center for Disaster Philantrophy, "[https://disasterphilanthropy.org/disasters/2023-turkey-syria-earthquake 2023 Turkey-Syria Earthquake]" 22 September 2023</ref> many states and organizations provided support and aid to the affected area. The attack happened on 12 February 2023 when the first reports spoke about unavailability of NATO websites.<ref name=":0">J Kilner and D Milward, "[https://www.telegraph.co.uk/world-news/2023/02/12/russian-killnet-hackers-disrupt-natos-turkey-syria-earthquake/ Russian hackers disrupt Turkey-Syria earthquake relief]" 12 February 2023, ''The Telegraph''</ref>
|12 February 2023.<ref name=":0">J Kilner and D Milward, "[https://www.telegraph.co.uk/world-news/2023/02/12/russian-killnet-hackers-disrupt-natos-turkey-syria-earthquake/ Russian hackers disrupt Turkey-Syria earthquake relief]" 12 February 2023, ''The Telegraph''</ref> The cyber operations took place in the aftermath of a massive earthquake, which happened on 6 February 2023 and affected Turkey and Syria.<ref>Center for Disaster Philantrophy, "[https://disasterphilanthropy.org/disasters/2023-turkey-syria-earthquake 2023 Turkey-Syria Earthquake]" 22 September 2023</ref> In response, many states and organizations provided support and aid to the affected areas.
|-
|-
! scope="row"|Suspected actor
! scope="row"|Suspected actor
|KillNet, a hacktivist group suspected to be connected to Russia. Its focus mirrors the objectives of Russia although no direct link to the Russian institutions has been uncovered.<ref>Mandiant, "[https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics KillNet Showcases New Capabilities While Repeating Older Tactics]" 20 July 2023</ref> The supposed founder of the KillNet group (KillMilk) put out an information about the start of the attack on one of the Telegram channels used by the group.<ref name=":1">R Daws, "[https://www.telecomstechnews.com/news/2023/feb/13/russian-hackers-disrupt-nato-comms-earthquake-relief/ Russian hackers disrupt NATO comms used for earthquake relief]" 13 February 2023, ''Telecoms Tech News''</ref>
|KillNet, a hacktivist group suspected to be connected to Russia. Its focus allegedly mirrors the objectives of Russia although no direct link to the Russian institutions has been uncovered.<ref>Mandiant, "[https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics KillNet Showcases New Capabilities While Repeating Older Tactics]" 20 July 2023</ref> The supposed founder of the KillNet group (KillMilk) posted a message about the start of the attack on one of the Telegram channels used by the group.<ref name=":1">R Daws, "[https://www.telecomstechnews.com/news/2023/feb/13/russian-hackers-disrupt-nato-comms-earthquake-relief/ Russian hackers disrupt NATO comms used for earthquake relief]" 13 February 2023, ''Telecoms Tech News''</ref>
|-
|-
! scope="row"|Target
! scope="row"|Target
|NATO and the Strategic Airlift Capability (SAC)<ref>"[https://www.sacprogram.org/about-us The Strategic Airlift Capability]"</ref> - multinational initiative to provide airlift capability - operating 3 Globemaster C-17 aircrafts it provides humanitarian or military support. It is closely tied to NATO through the NATO Airlift Management Programme, which is a legal entity under which SAC operates, and which is a part of the NATO Support and Procurement Agency (NSPA).<ref>"[https://www.sacprogram.org/about-us/namp NATO Airlift Management Programme Office]" </ref> NSPA´s webpage was one of the targeted sites.<ref name=":1" />
|The apparent targets included NATO and the Strategic Airlift Capability (SAC)<ref>"[https://www.sacprogram.org/about-us The Strategic Airlift Capability]"</ref>, a multinational initiative to provide airlift capability for humanitarian or military support. It is closely tied to NATO through the NATO Airlift Management Programme, which is a legal entity under which SAC operates, and which is a part of the NATO Support and Procurement Agency (NSPA).<ref>"[https://www.sacprogram.org/about-us/namp NATO Airlift Management Programme Office]" </ref> NSPA´s webpage was one of the targeted sites.<ref name=":1" />
|-
|-
!Targeted Systems
!Targeted Systems
Line 13: Line 13:
|-
|-
! scope="row" |Method
! scope="row" |Method
|Series of coordinated DDoS (distributed denial-of-service) attacks. It was announced as an "attack on all NATO units".<ref name=":1" />
|Series of coordinated [[Glossary#DDoS|DDoS (distributed denial-of-service) attacks]]. It was announced as an "attack on all NATO units".<ref name=":1" />
|-
|-
! scope="row" |Purpose
! scope="row" |Purpose
|Not stated publicly but the attack was in accord with ongoing general focus of KillNet on governments and organizations sided with Ukraine during the Russian invasion of 2022.<ref>C Warner, "[https://warnerchad.medium.com/killnet-who-what-where-why-how-971eee52a7c5 KillNet: Who, What, Where, Why, How]" 12 October 2022, ''Medium''</ref> Some cyber experts are of the opinion that the purpose was specifically to disrupt the ongoing humanitarian efforts in Turkey and Syria.<ref name=":1" />
|Not stated publicly but the attack was in accord with ongoing general focus of KillNet on governments and organizations supporting Ukraine during the ongoing Russia-Ukraine international armed conflict.<ref>C Warner, "[https://warnerchad.medium.com/killnet-who-what-where-why-how-971eee52a7c5 KillNet: Who, What, Where, Why, How]" 12 October 2022, ''Medium''</ref> Some cyber experts are of the opinion that the purpose was specifically to disrupt the ongoing humanitarian efforts in Turkey and Syria.<ref name=":1" />
|-
|-
! scope="row" |Result
! scope="row" |Result
|It was reported that because of the attack NATO´s NR network faced issues. This network is supposed to be used to transfer sensitive data. This supposedly affected the communication between the SAC and one of the aircrafts but its crew was informed of it by other means so some sort of contact with the aircraft was still possible.<ref name=":0" /> No damage to the aircraft was reported.
|It was reported that because of the attack NATO's NR network faced issues. This network is supposed to be used to transfer sensitive data. This supposedly affected the communication between the SAC and one of the aircraft but its crew was informed of it by other means so some sort of contact with the aircraft was still possible.<ref name=":0" /> No damage to the aircraft was reported.
|-
|-
! scope="row" |Aftermath
! scope="row" |Aftermath
Line 26: Line 26:
! scope="row" |Analysed in
! scope="row" |Analysed in
|[[Scenario 13: Cyber operations as a trigger of the law of armed conflict]]
|[[Scenario 13: Cyber operations as a trigger of the law of armed conflict]]
[[Scenario 25: Cyber disruption of humanitarian assistance]]

[[Scenario 28: Extraterritorial incidental civilian cyber harm]]
[[Scenario 28: Extraterritorial incidental civilian cyber harm]]
|}
|}

Latest revision as of 16:26, 13 November 2023

Date 12 February 2023.[1] The cyber operations took place in the aftermath of a massive earthquake, which happened on 6 February 2023 and affected Turkey and Syria.[2] In response, many states and organizations provided support and aid to the affected areas.
Suspected actor KillNet, a hacktivist group suspected to be connected to Russia. Its focus allegedly mirrors the objectives of Russia although no direct link to the Russian institutions has been uncovered.[3] The supposed founder of the KillNet group (KillMilk) posted a message about the start of the attack on one of the Telegram channels used by the group.[4]
Target The apparent targets included NATO and the Strategic Airlift Capability (SAC)[5], a multinational initiative to provide airlift capability for humanitarian or military support. It is closely tied to NATO through the NATO Airlift Management Programme, which is a legal entity under which SAC operates, and which is a part of the NATO Support and Procurement Agency (NSPA).[6] NSPA´s webpage was one of the targeted sites.[4]
Targeted Systems Various NATO websites. Disruption of one of them resulted in the SAC losing contact with one of the planes whilst it was in flight.[7]
Method Series of coordinated DDoS (distributed denial-of-service) attacks. It was announced as an "attack on all NATO units".[4]
Purpose Not stated publicly but the attack was in accord with ongoing general focus of KillNet on governments and organizations supporting Ukraine during the ongoing Russia-Ukraine international armed conflict.[8] Some cyber experts are of the opinion that the purpose was specifically to disrupt the ongoing humanitarian efforts in Turkey and Syria.[4]
Result It was reported that because of the attack NATO's NR network faced issues. This network is supposed to be used to transfer sensitive data. This supposedly affected the communication between the SAC and one of the aircraft but its crew was informed of it by other means so some sort of contact with the aircraft was still possible.[1] No damage to the aircraft was reported.
Aftermath Nothing to note. It was reported that the NATO cyber experts were actively addressing the incident and two days later the secretary general of NATO remarked that some websites still experienced availability issues.[9]
Analysed in Scenario 13: Cyber operations as a trigger of the law of armed conflict

Scenario 25: Cyber disruption of humanitarian assistance

Scenario 28: Extraterritorial incidental civilian cyber harm

Collected by: Otakar Horák

  1. 1.0 1.1 J Kilner and D Milward, "Russian hackers disrupt Turkey-Syria earthquake relief" 12 February 2023, The Telegraph
  2. Center for Disaster Philantrophy, "2023 Turkey-Syria Earthquake" 22 September 2023
  3. Mandiant, "KillNet Showcases New Capabilities While Repeating Older Tactics" 20 July 2023
  4. 4.0 4.1 4.2 4.3 R Daws, "Russian hackers disrupt NATO comms used for earthquake relief" 13 February 2023, Telecoms Tech News
  5. "The Strategic Airlift Capability"
  6. "NATO Airlift Management Programme Office"
  7. K Plummer, "Russian hackers ‘disrupt Turkey-Syria earthquake aid’ in cyber attack on Nato" 13 February 2023, The Independent
  8. C Warner, "KillNet: Who, What, Where, Why, How" 12 October 2022, Medium
  9. A Scroxton, "Killnet DDoS attacks disrupt Nato websites" 13 February 2023, ComputerWeekly
Retrieved from "https://cyberlaw.ccdcoe.org/wiki/Cyber_operations_against_NATO’s_aid_mission_in_Turkey_and_Syria_(2023)?oldid=3961"