Cyber Intelligence Operations in Armed Conflicts

With cyberspace becoming the 5th battlefield, modern warfare must consider this threat and also know how to utilize the advantages it brings. Guest author Jeremy Makowski explains

Photo credit: BELGA via Reuters Connect

For several years, symmetrical and asymmetrical wars have been initiated in cyberspace, which, over time, became the fifth battlefield after land, sea, air, and space. Today, more than ever, cybernetic means are part of the attack arsenal used by both state armies and terrorist groups. In addition to offensive cyber operations, today’s modern conflicts include cyber intelligence operations as part of the strategy.

The civilian and military world is increasingly connected to numerous wireless devices (smartphones, smartwatches, tablets, GoPro cameras, CCTV, etc.), which opens up new opportunities for gathering intelligence on the enemy. Cyber intelligence operations are generally divided into several complementary activities, including OSINT, Cyber HUMINT, and the development and delivery of spyware. Over time, cyber intelligence has become a very useful method of collecting information on targets, infrastructures, and troop movements on the ground. In armed conflicts, state-sponsored and terrorist groups use social engineering techniques, meaning psychological manipulation and deception, to obtain unauthorized access to sensitive military information, critical facilities, or resources for strategic purposes.

Social Networks and Applications

Cyber intelligence operations through social networks are a classic way of approaching people and gathering sensitive information. The intrinsic nature of social networks, whose primary purpose is to exchange and publish information relating to personal and professional life, makes them an ideal hunting ground for many hacker groups or intelligence services.

Threat actors affiliated with Iran, China, Russia, or even terrorist groups such as Hamas or Hezbollah regularly use social networks as a vector to establish close relationships with their targets. They create fake profiles, generally of attractive women, on major social networks like LinkedIn and Facebook, which enable them to exploit human weakness and manipulate key people into infecting themselves with spyware. The following recent events illustrate the use of social networks and applications in cyber intelligence operations:

  • In August 2023, it was reported by the German newspaper Welt am Sonntag, and confirmed by the German military counter-espionage service, MAD, that Russian intelligence agents were specifically searching the dating application Tinder for politicians and members of the German armed forces in an attempt to recruit them.
  • In November 2023, Israeli army spokesperson Daniel Hagari said that the IDF’s information security system thwarted an infrastructure of avatars that operated on social media to leak information about the forces and activities of the Israeli army. Dozens of fake profiles were created in order to carry out this large-scale operation and provide information to the terrorist organization Hamas.
  • In December 2023, the Israeli internal security agency, Shabak, revealed an online intelligence campaign carried out by Iranian agents aiming at recruiting Israelis for espionage purposes via social media. They operated on platforms like X, Telegram, WhatsApp, Facebook, and Instagram. The tasks assigned to the recruited Israelis included photographing locations and verifying addresses, all in exchange for money. Iranian digital activities have intensified since the outbreak of the Israel-Gaza War on October 7.

Cyber Intelligence Operations: Tracking IoT Devices

For almost 20 years, smartphones have been essential to our lives. However, the rapidly growing market for devices, applications, and services with geolocation capabilities poses a significant risk to soldiers in war and conflict zones. Smartphone attacks aimed at tracking and collecting information on soldiers and senior officials have become commonplace. Geolocation data from such attacks is often sold to commercial data brokers and then resold to individuals. This way, a nation-state entity that engages in espionage can access these databases and select phones that may belong to soldiers. A soldier's smartphone can be geolocated in two ways:

Cellular Network: When a smartphone is turned on, it connects to the nearest cell tower. This sends a signal to the cellular network operator, which can track the phone's location.

GPS: GPS is a satellite navigation system that can accurately determine a device's location. Most smartphones have built-in GPS receivers, which can track the phone's location even if it is not connected to the cellular network.

Over the past years, several hacking operations against Internet of Things (IoT) devices used by military personnel have been carried out, including the following:

  • In April 2022, the cybersecurity firm Cybereason discovered that the Hamas-affiliated group APT-C-23 was involved in a sophisticated cyber-intelligence campaign targeting senior Israeli officials. The group introduced new malware, including the VolatileVenom Android Trojan, the Barbie malware downloader, and the BarbWire backdoor.
  • In June 2023, a cyber espionage campaign called Operation Triangulation was revealed. For approximately four years, an advanced persistent threat (APT) actor had been secretly stealing information from numerous iOS devices using a zero-click exploit delivered through iMessage. Russia's domestic intelligence service (FSB) said the attacks were the work of the US National Security Agency (NSA) and affected thousands of Russian diplomats and others.
  • In August 2023, Five Eyes intelligence agencies released a joint report on malware used by the Russian state-sponsored group Sandworm to target devices of the Ukrainian military. The Infamous Chisel malware was developed to periodically scan infected Android devices for information such as device details and data associated with commercial applications used by the Ukrainian military.
  • In January 2024, hackers sent malware-embedded Signal messages, allegedly concerning recruitment into the 3rd Separate Assault Brigade and the Israel Defense Forces, to soldiers of the Armed Forces of Ukraine. According to the Ukrainian CERT, the messages contained archive files that, once executed, infected the computer with the RemcosRAT and ReverseSSH malware.

Reduced Use of Technology as a Way to Counter Cyber Intelligence Operations

One of the best ways to avoid detection, or having data hacked and stolen, in a war zone is to limit or forgo the use of technological means. The more actors on the battlefield have modern communication and Internet connections, the higher the cyber espionage risk. Limited or no use of technological means can significantly reduce that risk.

Russia has acted to reduce the risk of data leaks via spyware for several years. In 2013, the government even wanted to install electric typewriters to replace computers in certain services. Furthermore, as the war between Russia and Ukraine continues, the Russian government has intensified its efforts to take control of the Internet on its own territory. The Russian government strives to create its own Internet network, often called Runet, which would operate independently of the rest of the world and comply with Russian laws.

More recently, Israeli intelligence revealed how Hamas managed to cover up the planning for the October 7 attack through old-fashioned counterintelligence measures. These measures, such as holding clandestine in-person planning meetings and abandoning digital wireless communications in favor of wired telephones in the tunnels, enabled Hamas to slip under Israeli electronic and cyber detection radars.

This use of archaic means in a so-called modern war helps us understand better why Israel and the United States were so taken by surprise by the Hamas attack. The attack shows us that limited use of new technologies makes it possible to avoid the risk of cyber espionage. In addition, it shows that cyber intelligence can only be truly effective if it is coupled with human intelligence on the ground, which makes it possible to obtain information directly from human sources, thus increasing the chances of acquiring quality, usable intelligence.

Written by Jeremy Makowski, cybercrime and terrorism intelligence expert. A researcher and lecturer, Makowski was a cyber intelligence officer at the Israeli Police and the IDF.
