Cyber operations against NATO’s aid mission in Turkey and Syria (2023)
| Date | During the days following the 2023 Turkey – Syria earthquake. After one of the strongest earthquakes in the area, which happened on 6 February 2023,[1] many states and organizations provided support and aid to the affected area. The attack happened on 12 February 2023 when the first reports spoke about unavailability of NATO websites.[2] |
|---|---|
| Suspected actor | KillNet, a hacktivist group suspected to be connected to Russia. Its focus mirrors the objectives of Russia although no direct link to the Russian institutions has been uncovered.[3] The supposed founder of the KillNet group (KillMilk) put out an information about the start of the attack on one of the Telegram channels used by the group.[4] |
| Target | NATO and the Strategic Airlift Capability (SAC)[5] - multinational initiative to provide airlift capability - operating 3 Globemaster C-17 aircrafts it provides humanitarian or military support. It is closely tied to NATO through the NATO Airlift Management Programme, which is a legal entity under which SAC operates, and which is a part of the NATO Support and Procurement Agency (NSPA).[6] NSPA´s webpage was one of the targeted sites.[4] |
| Targeted Systems | Various NATO websites. Disruption of one of them resulted in the SAC losing contact with one of the planes whilst it was in flight.[7] |
| Method | Series of coordinated DDoS (distributed denial-of-service) attacks. It was announced as an "attack on all NATO units".[4] |
| Purpose | Not stated publicly but the attack was in accord with ongoing general focus of KillNet on governments and organizations sided with Ukraine during the Russian invasion of 2022.[8] Some cyber experts are of the opinion that the purpose was specifically to disrupt the ongoing humanitarian efforts in Turkey and Syria.[4] |
| Result | It was reported that because of the attack NATO´s NR network faced issues. This network is supposed to be used to transfer sensitive data. This supposedly affected the communication between the SAC and one of the aircrafts but its crew was informed of it by other means so some sort of contact with the aircraft was still possible.[2] No damage to the aircraft was reported. |
| Aftermath | Nothing to note. It was reported that the NATO cyber experts were actively addressing the incident and two days later the secretary general of NATO remarked that some websites still experienced availability issues.[9] |
| Analysed in | Scenario 13: Cyber operations as a trigger of the law of armed conflict
Scenario 28: Extraterritorial incidental civilian cyber harm |
Collected by: Otakar Horák
- ↑ Center for Disaster Philantrophy, "2023 Turkey-Syria Earthquake" 22 September 2023
- ↑ 2.0 2.1 J Kilner and D Milward, "Russian hackers disrupt Turkey-Syria earthquake relief" 12 February 2023, The Telegraph
- ↑ Mandiant, "KillNet Showcases New Capabilities While Repeating Older Tactics" 20 July 2023
- ↑ 4.0 4.1 4.2 4.3 R Daws, "Russian hackers disrupt NATO comms used for earthquake relief" 13 February 2023, Telecoms Tech News
- ↑ "The Strategic Airlift Capability"
- ↑ "NATO Airlift Management Programme Office"
- ↑ K Plummer, "Russian hackers ‘disrupt Turkey-Syria earthquake aid’ in cyber attack on Nato" 13 February 2023, The Independent
- ↑ C Warner, "KillNet: Who, What, Where, Why, How" 12 October 2022, Medium
- ↑ A Scroxton, "Killnet DDoS attacks disrupt Nato websites" 13 February 2023, ComputerWeekly