Cyber espionage threat landscape

From the Threat Landscape 2023, European Network and Information Security Agency (ENISA)

• Ransomware and threats against availability ranked at the top during the reporting period.

• Resourceful threat actors have been observed to misuse legitimate tools, primarily to prolong their cyber espionage operations. Their aim was to evade detection for as long as possible and to obscure their activities by using widely available software already present on most systems, which makes it more challenging for defenders to identify them. This maximizes their chances of success in an intrusion by not arousing the victims’ suspicions.

• Geopolitics continue to have a strong impact on cyber operations.

• Phishing is once again the most common vector for initial access. But a new model of social engineering is also emerging, an approach that consists of deceiving victims in the physical world.

• Business e-mail compromise (BEC, VEC) remains one of the attacker’s favourite means for obtaining financial gain.

• Threat groups have an increased interest in supply chain attacks and exhibit an increasing capability by using employees as entry points. Threat actors will continue to target employees with elevated privileges, such as developers or system administrators.

Understanding the enemy and the motivation behind a cybersecurity incident or targeted attack is important because it can determine what an adversary is after. Knowing the motives can help organisations determine and prioritise what to protect and how to protect it. It also provides an idea of the intents of attackers and helps entities focus their efforts in defence on the most likely attack scenario for any particular asset.

Five distinct kinds of motivation that can be linked to threat actors have been defined:

1. Financial gain: Any financially related action (carried out mostly by cybercrime groups).

2. Espionage: Gaining information on IP (Intellectual Property), sensitive data, classified data (mostly executed by state-sponsored groups).

3. Disruption: Any disruptive action done in the name of geopolitics (mostly carried out by state-sponsored groups).

4. Destruction: Any destructive action that could have irreversible consequences.

5. Ideological: Any action backed up with an ideology behind it (such as hacktivism).

It is apparent that in the majority of cases the primary threats can be attributed to one or more motivations, with certain motivations emerging as more dominant than others. Within the realm of Ransomware attacks, while the primary motivation typically revolves around financial gain, there is a small percentage where a disruptive motive also plays a role.

For a considerable number of the events we have gathered, the motivation behind them remains unclear. This lack of clarity could be due to either limited or undisclosed information or the victims themselves being unaware of the underlying motive.

From the Situation Report of the Swiss Federal Intelligence Service, 2023 (Lagebericht des Nachrichtendienstes des Bundes)

Cyber lessons from the war against Ukraine

Although the war against Ukraine has had little impact on the cyberspace of Switzerland or other states, we can draw certain lessons from it for 2023. The war has shown where cyber can be used as a tool and where the limits lie:

▪ In the war against Ukraine, cyber is used chiefly for information operations or for tactical attacks on means of communication used primarily for military purposes.

▪ Cyber attacks accompany kinetic attacks in order to strengthen their impact. For example, cyber tools can be used to temporarily disrupt the communications or infrastructure of emergency services in the target area, in order to slow down the follow-up assistance.

▪ As far as intelligence is concerned, activities will continue to increase. Depending on the interests of the attacker, such activities might also target critical infrastructure operators. This is typically due to the attacker’s increased need for information about the opposing side, but may also be used as a compensatory measure by the attacker where there has been a reduction in the number of intelligence staff deployed in the target countries.

▪ In the interest of the warring parties, groups have formed which defend their own infrastructure but whose principal aim is to inflict damage on the opposing side in the cybersphere.

Ukraine has issued an official appeal for volunteers to join the IT Army of Ukraine. At the same time, pro-Russia groups such as KillNet have formed.

▪ These non-state actors will continue in future to present a threat to e.g. critical infrastructure, as they are not always under the direct control of one of the two warring parties and consequently operate based on their own target identification.

Cyber espionage, from the Canadian Security Intelligence Service

Espionage and foreign interference pose a significant threat to our economic prosperity and national interests.

Acts of espionage and foreign interference can put Canada at a disadvantage, enabling foreign countries and organizations to further their own strategic interests, at Canada’s expense.

Certain hostile states attempt to gather Canadian political, economic, and military information through clandestine means, both in Canada and abroad, in order to advance their states’ own strategic interests. While many people associate espionage with the collection of ‘top secret’ information, state actors are interested in a range of information, including privileged and sensitive information, as well as intellectually protected information, like patents.

Canada’s advanced industrial and technological capabilities, combined with expertise in certain sectors, make it an attractive target for foreign intelligence services. Sectors of the Canadian economy that continue to be of particular interest to hostile intelligence services include: aerospace, biopharmaceutical, biotechnology, chemicals, communications, healthcare, information technology, mining and metallurgy, nuclear energy, oil and gas, as well as the environment.

Acts of foreign espionage represent a long-term threat to Canada’s economy and our collective prosperity.

The CSIS Act describes Foreign-Influenced Activities, commonly known as Foreign Interference, as “activities within or relating to Canada that are detrimental to the interests of Canada and are clandestine or deceptive, or involve a threat to any person.”

Foreign Interference involves foreign countries or entities attempting to covertly influence change in Canada, to better suit their strategic interests. As in any country with a large multicultural population, Canadian communities are subject to clandestine and deceptive manipulation by certain foreign powers.

In many cases, clandestine influence operations are meant to support foreign political agendas or to deceptively influence Government of Canada policies, officials or democratic processes. This can include election interference, spreading disinformation on social media, and the cultivation of influential people. These threats exist at all levels of government, including federal, provincial, and municipal.

Foreign Interference, Common Techniques

Foreign interference techniques or activities can include (but are not limited to): elicitation, cultivation, coercion, illicit financing, cyber attacks, intimidation and disinformation.

Elicitation occurs when a targeted person is manipulated into sharing valuable information through a casual conversation.

Cultivation is a technique of building long-lasting relationships with targeted persons to enable manipulation and facilitate threat activities.

Blackmail and threats are two of the most aggressive types of recruitment and coercion. Intimidation is also commonly used to silence dissent, including on university campuses, and to instill fear and compliance among various Canadian communities.

Cyber attacks such as spear-phishing can be used to introduce malware into your system as a means of collecting information to support foreign interference activities.

Disinformation can be used by foreign actors to influence public opinions, perceptions, decisions and behaviours.

A growing number of states have built and deployed programs dedicated to undertaking online influence as part of their daily business. Adversaries use online influence campaigns to attempt to change civil discourse, policymakers’ choices, government relationships, and the reputation of politicians and countries both nationally and globally.

Cyber espionage, from the Finnish Security and Intelligence Service (SUPO)

Cyber espionage is a potent and inexpensive way to access a significant volume of information that is intended to be confidential. The target of a cyber espionage operation will not necessarily be aware of this activity.

Supo is also responsible for combating the online espionage of foreign powers. One aim is to increase public awareness of online threats, and Supo accordingly works to prevent cyber espionage by such means as arranging training for people who maintain critical infrastructure, for businesses involved in ensuring emergency supplies, and for key staff members in central government.

Cyber espionage can target individuals.

State-run cyber espionage operations may involve hacking into information systems via a technical vulnerability, or exerting pressure on dependent hardware or software suppliers to access the data of their foreign customers with a view to obtaining confidential information.

Preventing the exploitation of IT vulnerabilities requires continuous data security work and a realistic security architecture. The risk associated with hardware or software supplied from countries that actively engage in espionage targeting Finland must be managed from the initial procurement stage.

Everyone working in a significant position and handling important information should appreciate that they may become a target of the intelligence operations of a foreign power. State-sponsored operators may also focus their cyber espionage campaigns on private individuals and public servants.

Even though cyber espionage has emerged as a new threat, this does not diminish the importance of human intelligence. With basic intelligence now obtained more efficiently from information systems, it has become possible to target human intelligence more precisely.

It is worthwhile to ensure the information security of your network devices

Supo has observed that the intelligence services of authoritarian states have been exploiting network devices and servers of Finnish individuals and businesses in cyber espionage operations.

It pays to review the passwords and information security settings of routers and other devices connected to your network at home. Home routers and network storage systems are the most typical hacked hardware devices, but cameras and various home appliances can also be connected to the Internet.

You can find practical information on how to improve the information security of your network devices from the National Cyber Security Centre’s web page.

From the US Cybersecurity and Infrastructure Security Agency (CISA) - Defining Insider Threats

Insider threats present a complex and dynamic risk affecting the public and private domains of all critical infrastructure sectors. Defining these threats is a critical step in understanding and establishing an insider threat mitigation program. The Cybersecurity and Infrastructure Security Agency (CISA) defines insider threat as the threat that an insider will use their authorized access, intentionally or unintentionally, to do harm to the department’s mission, resources, personnel, facilities, information, equipment, networks, or systems. Insider threats manifest in various ways: violence, espionage, sabotage, theft, and cyber acts.

What is an Insider?

An insider is any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.

Examples of an insider may include:

- A person the organization trusts, including employees, organization members, and those to whom the organization has given sensitive information and access.

- A person given a badge or access device identifying them as someone with regular or continuous access (e.g., an employee or member of an organization, a contractor, a vendor, a custodian, or a repair person).

- A person to whom the organization has supplied a computer and/or network access.

- A person who develops the organization’s products and services; this group includes those who know the secrets of the products that provide value to the organization.

- A person who is knowledgeable about the organization’s fundamentals, including pricing, costs, and organizational strengths and weaknesses.

- A person who is knowledgeable about the organization’s business strategy and goals, entrusted with future plans, or the means to sustain the organization and provide for the welfare of its people.

- In the context of government functions, the insider can be a person with access to protected information, which, if compromised, could cause damage to national security and public safety.

Insider behaviors:

- Espionage

- Terrorism

- Unauthorized disclosure of information

- Corruption, including participation in transnational organized crime

- Sabotage

- Workplace violence

- Intentional or unintentional loss or degradation of departmental resources or capabilities