There have been almost 500 documented geopolitical cyber attacks around the world since 2009, making cyberwarfare a major technological threat to nations and their citizens.
In this article, we hope to break down some of the numbers and gain insight into the nature of these attacks, where they originate from, and who they’re targeting.
Between 2009 and 2018 there was a 440% increase in global documented attacks.
The biggest increase in the number of attacks occurred in the last four years, with 2019 on course to be the biggest year ever for geopolitical cyber attacks.
Global cyberwarfare attacks
The data combines state attacks on other states, individual and group attacks on states, and state attacks on internal individuals and groups.
By far the biggest actors on this scene are China and Russia, with almost 35% of global attacks originating in either China or Russia. There have been 79 confirmed attacks on national governments that have originated in China, and 75 in Russia.
Next are North Korea and Iran, sharing 16% of global attacks, followed by the USA, where 3% of global attacks originated.
It’s extremely important to remember here that, due to the very nature of cyberwarfare and cyberespionage, many attacks go under the radar, so we don’t tend to hear about them.
Sources of cyberwarfare attacks excluding unknown
An interesting case is the apparent use of the EternalBlue vulnerability that the NSA developed tools to exploit. These tools were detected by China and subsequently used during the massive ransomware attack on Baltimore in 2019. Of course, questions have to be asked of the NSA, but Microsoft patched this vulnerability in 2017, and Baltimore officials simply ignored it and failed to update their computers.
Now, it wasn’t until the NSA discovered that their tool had been used to develop ransomware that they alerted Microsoft to the critical vulnerability, so without that we would never have known about their attacks on China.
Between 2009 and 2019 there have been 79 documented cyber attacks carried out by Chinese state-sponsored attackers, targeting 20 countries.
Evolution of attacks attributed to China
Targets of Chinese attacks
32% of China’s attacks were directed at the USA, making the USA by far the biggest target for Chinese hackers.
Hong Kong is also a frequent target of Chinese hackers, including (allegedly) the Telegram DDoS hack during the 2019 Hong Kong anti-government protests.
Chinese hacking efforts increased significantly in 2018, and continue to do so in 2019.
Russian attackers targeted 19 countries in 75 incidents between 2009 and 2019.
The main target of Russia was the USA, but they also attacked 8 European Union countries, including a series of attacks on the German parliament.
Ukraine was also targeted frequently by Russia, suffering at least 9 attacks between 2017 and 2019, and several more attacks thought to be of Russian origin, such as the December 2015 attack on the country’s power grid that shut down electricity supplies to residents of Kiev.
Evolution of attacks attributed to Russia
Russia quickly became highly active after 2014, with 47% of Russian attacks over the past decade being carried out in 2018.
Targets of Russian attacks
North Korea carried out 32 attacks against 9 countries between 2009 and 2019, with more than half occurring in 2017 and 2018.
12 North Korean attacks were against South Korea, including the December 2018 hack of the Hana refugee center, in which the personal data of over 1000 North Korean defectors was accessed.
North Korean attacks have also been aimed at circumventing UN sanctions in order to raise money for the country’s nuclear program.
Evolution of attacks attributed to North Korea
Targets of North Korean attacks
Iran targeted 7 countries in 31 attacks, with 42% aimed at the USA.
Iran targeted Israel a number of times, including the March 2019 hack of former IDF chief and opposition leader Benny Gantz’s cellphone ahead of the parliamentary elections.
Other incidents originating in Iran include the June 2017 attack on British members of parliament, in which official email accounts were hacked, and the June 2019 hack of telecommunications services in Iraq, Pakistan, and Tajikistan.
Evolution of attacks attributed to Iran
Targets of Iranian attacks
The USA has been the source of at least 12 global cyber attacks over the past ten years, with half of those occurring in 2019.
Three of the known attacks originating from the USA targeted North Korea, with China and Iran being attacked twice each.
Chinese technology giant Huawei has been at the centre of controversy since early 2019 when the US government accused the firm of conducting espionage against American companies on behalf of the Chinese government. Huawei later accused the United States of attempting to infiltrate its networks and harassing its employees.
We also know of controversial ongoing cyber attacks on the Russian power grid, in what’s said to be a deterrent to Russia. Critics of the methods used say it risks making public utilities a legitimate target, and that the tactic could escalate quickly to a cold-war scenario.
Whilst the number of known attacks carried out by the USA is low, it is likely that there are many ongoing situations yet to be discovered.
Evolution of attacks attributed to the USA
Targets of USA attacks
Targets of cyberwarfare attacks excluding unknown
The USA has been attacked a far greater number of times than any other nation, with 115 documented attacks originating in at least 7 countries.
Germany and South Korea each suffered at least 16 separate incidents, with attacks on Germany mainly originating in Russia and China, and those targeting South Korea originating in China and North Korea.
India was attacked mainly by Pakistan and China, while Ukraine was solely targeted by Russia.
The United Kingdom was attacked by Iran, China, Russia, and North Korea.
Attacks against the USA have grown steadily over the past decade, with a sharp increase in 2017, which was almost doubled in 2018.
More than 50% of attacks targeting the USA originated in China or Russia, with a further 27.8% of unknown origin.
In July 2019 Microsoft reported that they had issued almost 800 notifications to political campaigns, NGOs, and think tanks of cyber attacks originating in Russia, China, Iran, and North Korea.
Evolution of attacks targeting the USA
Attackers targeting the USA
Germany was attacked 16 times between 2009 and 2019, with 37.4% being attributed to Russia.
Russian hackers stole 16GB of data from the German parliament during a series of attacks against the country in 2018. The attacks were first discovered by British and Dutch intelligence agencies. Russia denies the accusations.
German politicians were also targeted in 2019, when sensitive data of hundreds of public figures was published via Twitter in one of the biggest attacks against the country.
Evolution of attacks targeting Germany
Attackers targeting Germany
75% of attacks against South Korea were of North Korean origin, with at least 12 attacks coming from the rogue state. A further three attacks came from China, and one was of unknown origin.
In 2011, Chinese hackers accessed personal data of 35 million South Koreans. The hack followed a series of Chinese attacks on South Korean financial institutes.
Attacks against South Korea have been occurring steadily over the past decade, with a slight increase in frequency after 2016.
Evolution of attacks targeting South Korea
Attackers targeting South Korea
Attacks against the UK originated in China, Russia, Iran, and North Korea, along with one third of attacks being untraceable or of unknown origin.
In 2018, the so-called WannaCry attack targeted the UK’s National Health Service, crippling networks and costing the NHS £20m to clean up and requiring a further £72m in upgrades to the network.
This attack used the same vulnerability discovered but not disclosed by the NSA.
Evolution of attacks targeting the UK
Iran has been seriously stepping up their cyberwarfare game in the past couple of years. The December 2018 attacks on the UK targeted government institutions and private companies, and resulted in the loss of thousands of employees’ personal details.
Attackers targeting the UK
Out of a total of 14 major cyberwarfare attacks on India in the past decade, five were of unknown or undisclosed origin, while four each came from China and Pakistan, and one from North Korea.
One of the biggest data breaches in history occurred in 2018 when the Unique Identification Authority, India’s biometric ID system, was hacked and the personal data of over 1 billion people sold online.
Evolution of attacks targeting India
Attackers targeting India
Some countries come up time and again as the source of cyberwarfare incidents, and some certainly seem to have their favourite target.
Between 2009 and 2019, Russia, China, and Iran attacked the USA a total of at least 72 times, accounting for around 15% of global attacks.
South Korea was attacked by North Korea on at least 12 occasions, and Ukraine by Russia at least 9 times.
It’s not just states attacking other states that we see, but also a rapid rise in internal attacks either carried out by the state on the people, such as in Egypt, or against the state by the country’s nationals.
A hacker group with members from the USA was charged with the 2016 Securities and Exchange Commission breach, in which the group gained access to a filing system and used the information to make $4.1M in illegal trades.
Colleagues and friends of murdered journalist Javier Valdez were targeted by a Mexican government agency using the spy tool Pegasus. Starting in 2016, many of Mexico’s most prominent journalists were targeted, especially those that held the nation’s leaders accountable to the people.
From 2016, a team of former US government intelligence operatives working for the UAE hacked into the iPhones of activists, diplomats, and rival politicians. The attack wasn’t aimed solely at those in the country. Attackers used Karma – a tool developed by the US intelligence service.
Human rights activists and journalists were targeted in a spear-phishing campaign carried out by the Egyptian government. The attack used social engineering to trick targets into allowing a third-party app to access their account using the user’s Gmail OAuth token. Once authorised, the attackers retained access even if the target changed their password.
Cybersecurity research organisation Check Point discovered that Iranian government agencies had targeted Kurdish and Turkish natives in Iran, along with suspected ISIS supporters, with spyware in order to collect sensitive information including phone call records, SMS, browser history, geo-location history, photos, videos, and more.
Protesters in Turkey were targeted in 2018 by the government, using spyware developed by FinFisher. The spyware was aimed at activists, journalists, and members of the public involved in the March for Justice movement.
Attackers allegedly working for the Vietnamese government hacked computers of journalists, bloggers, and international workers in the country as part of a cyberespionage program denied by the government.
Personal information of more than 50 million Filipinos was exposed after the country’s electoral records database was hacked. The data, which included highly personal information such as fingerprints, was stolen by the Anonymous Philippines group.
Right-wing groups in the Czech Republic hacked the Prime Minister’s Twitter account and posted anti-immigrant messages, calling for a “White revolution”.
Cyberwarfare is a rapidly increasing threat across the globe, with documented attacks targeting 56 countries in the past 10 years. Using state-of-the-art technologies, military and government agencies are focusing more and more resources on offensive and defensive mechanisms for cyberwarfare and geopolitical attacks.
The technology required for sophisticated cyber attacks is becoming more ubiquitous. As a result, it can only be assumed that the current trend of increasing frequency of cyberwarfare attacks will continue upward, and new state actors will continue to appear.