
Forecasting Heightened Malicious Cyber Activity with Event Data

By Dr. Andrea Little Limbago, Chief Social Scientist at Endgame


The recent revelation that Russian government hackers infiltrated the DNC's network and stole opposition research should not come as a surprise. Nor should the attacks on various .gov sites claimed by the Turk Hack Team, which began on July 17 as Turkey responded to the coup attempt. The connection between geopolitics and heightened malicious cyber activity is a global phenomenon. Despite wide variation in information technology infrastructure across countries, the use of the digital domain as the modus operandi for achieving political, social and economic objectives is universal. INSA's Strategic Cyber Intelligence white paper articulates well why geopolitical insight is a necessary part of strategic cyber intelligence: political and economic conditions, coupled with traditional INFOSEC data, inform more dynamic and relevant risk-based strategic decisions. Nevertheless, many organizations still focus solely on the technical aspects of cyber indicators and warnings (I&W) frameworks and fail to consider how geopolitical events affect their cyber risk, both at home and abroad. A wide range of events can trigger malicious cyber activity, and thus raise an organization's probability of being targeted. Key events that should prompt additional precautions include elections, sporting events, global summits, disasters, domestic unrest, and demonstrations of geopolitical tension.


Elections

Tampering with elections is not merely a concern in the United States; it is a global phenomenon, and one likely to grow as elections become increasingly digitized. For example, before its 2014 presidential election, Ukraine's election commission was attacked with malware intended to delete the election results. The Miami-Dade Elections Department in Florida similarly saw increased malicious activity, in its case a wave of "phantom absentee ballot" requests. The targets extend beyond the organizations running the election. The hack of the Philippines Commission on Elections exposed the personally identifiable information of 55 million citizens. In Africa, countries as diverse as Ghana, Ethiopia, and the Republic of Congo have begun censoring social media during election season, and in many cases the blocking expanded to mobile money transfer sites, affecting economic well-being as well as freedom of speech.


Sporting Events

International sporting events, from the Olympics to the World Cup, tend to see spikes in malicious digital activity. This ranges from an increase in phishing scams offering fraudulent tickets or sports packages to more targeted attacks on the financial or government sectors. For instance, the 2014 World Cup in Brazil was a major target, leading to data theft and website disruption. Following the India-Pakistan cricket match in the Asia Cup, a university was hacked after students celebrated the result. Both the Copa América and UEFA Euro 2016 have been targets of widespread financial scams, especially through adware and fraudulent apps. The Olympics likewise see a spike, with a rise in phishing attacks and adware linked to the games.


Global Summits

Gatherings of global leaders have always been a prime target for activism and dissent, as well as espionage, so it is no surprise that this now extends into the digital domain. Almost twenty years ago, over 10,000 coordinated attacks from multiple countries targeted companies in protest of the Cologne G8 summit. More recently, the 2014 G20 summit in Brisbane placed the city on heightened security alert, including for cybersecurity. As one CERT expert noted, "Where we sit, and what threats are coming through, the G20 is as big as it gets, and everything could be at risk." Similarly, July's NATO summit in Warsaw coincided with disruption of NATO's websites, with many placing the blame on cyberattacks from Russia.


Disasters

Both natural and man-made disasters can instigate a spike in malicious activity of many different forms. Following Hurricane Sandy, there was an increase in phishing scams claiming to assist victims. Criminals similarly exploited the Nepalese earthquake with an onslaught of scams and malware posing as support for victims. The exploitation of catastrophes for financial gain is increasingly common, but it is not the only kind of disaster-driven malicious digital activity. Depending on the country, natural disasters may also prompt government-directed activity to conceal domestic discontent. For instance, in 2014 the Serbian government heightened online censorship in response to public outrage over its handling of that year's floods. Nor is this limited to natural disasters. Following the 2011 train crash in China, the government tightened censorship controls to squash the very vocal criticism of its handling of the crash, and the anniversary of the crash also triggered a spike in censorship.


Domestic unrest

While the Arab Spring is better known for the role social media played in supporting the protests, domestic instability also prompts authoritarian governments to turn entire countries dark. Both Egypt and Libya went completely offline for hours as instability increased and the governments sought to maintain control. In Syria, the causality between unrest and internet outages runs in both directions: the Assad government employs outages as a form of repression, and the outages are in turn followed by an increase in conflict. In each of these cases, internet outages contribute to state repression and affect people and organizations throughout the country.


Geopolitical tensions

While domestic unrest has a more widespread impact on everyone within the country, geopolitical tensions tend to produce more targeted, and more escalatory, malicious digital activity. For instance, the Syrian Electronic Army has targeted media and social media sites with DDoS and phishing attacks, hitting the New York Times, Twitter, and The Washington Post, among many other organizations. Iran also targets companies for their geopolitical stance, including the attack on the Las Vegas Sands Corporation, whose CEO has been an ardent supporter of Israel. The destructive cyberattacks on the Ukrainian power grid and on a German steel mill have also been linked to international tensions, and specifically cited as indicative of Russia's unimpeded and expansive targeting of Western organizations. As regional tensions rise, so too do tensions in the digital domain: the South China Sea disputes between China, the Philippines and Vietnam continue to prompt increases in cyberattacks. In this regard, "Whenever you see island-dispute issues flare up you also see cyber activities spike as well." Finally, a shift in foreign policy linked to these tensions can similarly elevate the occurrence of cyber incidents. Following US sanctions against Russia, there was a strong spike in targeted activity against US corporations. Iran has likewise been linked to spikes in cyber incidents, ranging from attacks on US banks to the intrusion into a New York dam, in response to sanctions.


I&W as More than an IT Framework

Despite geopolitical uncertainty and cyberthreats both being top concerns for CEOs (as a recent PwC survey revealed), many still fail to see the interconnected nature of geopolitics and cyber activity. As a result, organizations too often fail to understand why they are targeted or how world events change the risk calculus of nation-state and non-state adversaries.

This current status quo of treating geopolitics and cyberthreats as two separate issues is a losing strategy that cannot persist. As digital mechanisms are increasingly integrated as a tool of statecraft, their deployment will only expand in depth and scope as state and non-state actors use them to achieve their political, economic, and social objectives. Leaders of public and private organizations must therefore analyze cyber risk as more than an IT issue, by implementing preemptive strategies that integrate the global and domestic landscape into their cyber risk assessments. These strategies should not focus only on targeted attacks on data and infrastructure, but also factor in business disruption from more widespread censorship, outages, or DDoS campaigns. At the strategic level, incorporating these event data, and framing them alongside the range of malicious actors (nation states, criminal organizations, terrorist groups) and their objectives, could be a first step toward a more holistic strategic I&W framework. By linking events to actors and objectives, decision makers gain greater insight into the timing and likely targets of the full range of digital attacks. Political, economic, and social events provide another valuable stream of very visible and intuitive intelligence, and must complement any approach to cyber I&W and risk assessment.
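To make the linkage of events, actors and objectives concrete, the following is an added example (not code from the original post or from Endgame) of a minimal event-driven I&W scorer. It encodes the six event categories from the post, each mapped to the actor types, objectives and sectors the post associates with it, and reports for a given organization and date which events are inside their activity window, how much they raise the score, and which actors and objectives are therefore in play. The lead/lag windows, weights, level thresholds, and the sample organization and event feed are constructed assumptions for illustration only, not figures from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Event categories from the post, each mapped to the actor types and objectives the
# post associates with them and to commonly targeted sectors. The lead/lag windows
# (days before/after the event) and weights are illustrative assumptions.
EVENT_PROFILES = {
    "election": dict(actors={"nation-state", "criminal"},
                     objectives={"disruption", "data theft", "censorship"},
                     sectors={"government", "media", "telecom"}, lead=30, lag=7, weight=3),
    "sporting_event": dict(actors={"criminal"}, objectives={"fraud"},
                           sectors={"finance", "hospitality", "media"}, lead=21, lag=7, weight=2),
    "summit": dict(actors={"nation-state", "hacktivist"},
                   objectives={"espionage", "disruption"},
                   sectors={"government", "finance"}, lead=14, lag=3, weight=2),
    "disaster": dict(actors={"criminal", "nation-state"}, objectives={"fraud", "censorship"},
                     sectors={"finance", "nonprofit", "media"}, lead=0, lag=30, weight=2),
    "unrest": dict(actors={"nation-state"}, objectives={"outage", "censorship"},
                   sectors={"*"}, lead=0, lag=14, weight=3),          # "*": hits everyone in-country
    "geopolitical_tension": dict(actors={"nation-state", "hacktivist"},
                                 objectives={"espionage", "DDoS", "destruction"},
                                 sectors={"energy", "finance", "media", "government"},
                                 lead=7, lag=30, weight=4),
}

@dataclass(frozen=True)
class Event:
    kind: str
    country: str
    start: date
    end: Optional[date] = None   # unscheduled events (disaster, unrest) have no known end

@dataclass(frozen=True)
class Organization:
    name: str
    sector: str
    countries: frozenset         # countries where it operates or has political exposure

def active_window(ev: Event):
    """Date range during which the event is expected to elevate targeting."""
    p = EVENT_PROFILES[ev.kind]
    end = ev.end or ev.start
    return ev.start - timedelta(days=p["lead"]), end + timedelta(days=p["lag"])

def assess(org: Organization, events, today: date) -> dict:
    """Score an organization's event-driven exposure on a given day."""
    score, drivers, actors, objectives = 0, [], set(), set()
    for ev in events:
        lo, hi = active_window(ev)
        if not lo <= today <= hi:
            continue                                   # outside the event's window
        p = EVENT_PROFILES[ev.kind]
        in_country = ev.country in org.countries
        sector_hit = "*" in p["sectors"] or org.sector in p["sectors"]
        if not (in_country or sector_hit):
            continue                                   # event does not touch this org
        # Local presence and a historically targeted sector each double the weight.
        contribution = p["weight"] * (2 if in_country else 1) * (2 if sector_hit else 1)
        score += contribution
        drivers.append((ev.kind, ev.country, contribution, lo.isoformat(), hi.isoformat()))
        actors |= p["actors"]
        objectives |= p["objectives"]
    level = "baseline" if score == 0 else ("elevated" if score < 12 else "high")
    return {"org": org.name, "date": today.isoformat(), "score": score, "level": level,
            "drivers": sorted(drivers, key=lambda d: -d[2]),
            "actors": sorted(actors), "objectives": sorted(objectives)}

# Constructed sample: a bank operating in the US and Brazil, and a 2016-style event feed.
SAMPLE_ORG = Organization("Example Bank", "finance", frozenset({"US", "BR"}))
SAMPLE_EVENTS = [
    Event("sporting_event", "BR", date(2016, 8, 5), date(2016, 8, 21)),   # Summer Games
    Event("election", "US", date(2016, 11, 8)),                           # US general election
    Event("unrest", "TR", date(2016, 7, 15)),                             # coup attempt
    Event("geopolitical_tension", "RU", date(2016, 7, 25)),               # assumed sanctions flare-up
]

def demo(day_iso: str) -> dict:
    """Run the sample organization against the sample feed for an ISO date."""
    return assess(SAMPLE_ORG, SAMPLE_EVENTS, date.fromisoformat(day_iso))

if __name__ == "__main__":
    for day in ("2016-08-10", "2016-09-15", "2016-10-20"):
        r = demo(day)
        print(day, r["level"], r["score"], r["actors"], r["objectives"])
        for d in r["drivers"]:
            print("   ", d)
```

Running the block shows the point of the post in miniature: on 10 August the bank is at "high" because the Games in a country where it operates and the Russia tension in its sector overlap, with criminal, hacktivist and nation-state actors and objectives from fraud to destruction all in play; in mid-September no window is open; and in late October the US election raises the level only to "elevated", since the bank is in-country but outside the sectors that elections usually draw fire on. The same structure takes real event calendars and actor mappings in place of the constructed ones.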


Previously posted here: