Defence agencies are responsible for safeguarding nations and therefore can be expected to emphasise both physical and digital security for their own operations, as their security has a direct impact on national security. Nevertheless, defence agencies do get cyberattacked and analysing how such security-sensitive organisations are attacked helps enterprises understand where they should augment cybersecurity.

Attacks on Defence Agencies

Before we discuss augmentation of defences, let us first examine a few real-world cyberattacks against defence agencies:

Phishing Attacks

  1. Fake Website Mimics Website of Indian Ministry of Defence

Phishing websites designed to impersonate the official website of the Indian Ministry of Defence were distributed through emails with an attachment titled ‘Hackers Targeted Defence Personnel in Mass Cyber Attack’, with the goal of stealing the login credentials of officials. The URLs included ‘mod.gov.in’ as part of their address to appear to be legitimate websites of the Ministry of Defence, but examining the entire URL would reveal a different domain.

  2. Email with Honey Trap Prevention Tips Links to Malware

An email impersonating the Ministry of Defence was sent to officials, claiming that a case study had been prepared containing contact information used to honey trap Indian officials and referred to the arrest of a DRDO employee for sharing sensitive information in a suspected instance of honey trapping. The email also linked to malware under the guise of providing an advisory with precautions against honey trapping.

Attacks on Contractors

  1. Explosives Manufacturer Targeted by Ransomware Attack

The parent company of a defence contractor, which provided ammunition and multi-mode hand grenades and was involved in the manufacture of enhanced range rockets, suffered a ransomware attack. The threat actor claimed to have stolen two terabytes of data, including information on employees, armament supply chains, partnerships, and warhead composition; blueprints and engineering documentation of the weapons; and records from production cameras.

  2. Ransomware Strikes Engineering Firm with Contracts for Canadian Military Bases

A Canadian engineering firm that has contracts with the Canadian Defence Department, and that also supports nuclear power plants and airports, was targeted by a ransomware attack. Defence services blocked emails from the engineering firm and switched to phone or in-person communication to prevent the attack from spreading.

  3. Ransomware Attack on Navy Shipbuilder Disrupts Production and Leaks Information

The American arm of an Italian shipbuilding company that builds combat ships and guided-missile frigates suffered a ransomware attack that impacted welding, cutting, and other manufacturing machines which required information from servers to function. The attack also leaked the personal information of 16,769 people.

Similarly, an American subsidiary of an Australia-based defence contractor that undertakes major U.S. Navy shipbuilding programmes was hacked by a ransomware group that threatened to leak sensitive data.

  4. Military Semiconductor Supplier Attacked

An American semiconductor manufacturing firm that supplies the military and makes chips for mission-critical applications had to isolate and shut down several systems following a cyberattack that affected manufacturing and impacted the company’s ability to fulfil orders.

  5. Defence Fence Supplier Hacked

The database of a supplier of fences and perimeter security for high-risk sites was hacked, leading to information on British military and intelligence sites leaking online. Leaked data included information on a nuclear submarine base, a chemical weapon lab, equipment at GCHQ’s communications complex, security equipment at the base of an attack drone squadron, and a regiment dealing in electronic warfare.

Attacks on Technology Platforms

  1. Hack of Third-party Payroll System used by UK’s Ministry of Defence

The personal information of UK military personnel was breached through the hack of a third-party payroll system. Breached information included names, addresses, and bank details of current and former members of the armed forces.

  2. Ransomware Attack on Australian Defence Force Communications Platform

A ransomware attack targeted the provider of a communications platform that is used by the Australian Department of Defence, and required defence staff to change their passwords and use two-factor authentication.

  3. Firewalls in Network of Defence Research & Development Projects Hacked

The Dutch Military Intelligence and Security Service (MIVD) revealed that a remote code execution vulnerability was used to launch malware to compromise cloud-native firewalls deployed to protect cloud spaces of many Western governments and international organisations, including companies operating in the defence industry. The malware was also discovered in the network used by the Dutch Ministry of Defence for unclassified research and development projects. The malware could intercept system messages and survive reboots and firmware upgrades, making it difficult to remove.

  4. Military’s Satellite Communications Provider Attacked

A satellite communications provider used by Russia’s Ministry of Defence, ships of the Northern Fleet, the Federal Security Service (FSB), other security services, and tankers of energy companies, was attacked by hackers who damaged user terminals and disrupted the network for at least 14 hours.

Attacks Through AI Platforms

  1. Philippines Defence Forces Stop Using AI Apps to Generate Portraits

The Philippines armed forces have been ordered to stop using AI-based apps to generate personal portraits, including apps that require users to submit multiple photos to generate digital personas that mimic speech and movement of real individuals. The order was issued as such apps pose significant privacy and security risks.

Analysis of the Attacks

These attacks take various forms, but examining them shows that threat actors are determined and inventive in their efforts to compromise their targets.

Phishing attacks can be contextually relevant, e.g., the phishing email that spoke of honey trapping of officials was sent after such an incident made headlines, when it was most likely to attract attention. Phishing attacks can obtain information on officials which can lead to more targeted data gathering that may eventually lead to blackmail of defence personnel.

Defence contractors and suppliers are often targeted by cyberattacks, as they provide an indirect way to attack defence establishments. Critical information can be obtained from the information held by contractors; e.g., hacking a supplier of fences may allow an adversary to sneak into a military base, as the adversary would then have detailed information on the fences that protect the base. Information stolen from contractors who manufacture armaments (or related equipment) can provide in-depth information on offensive and defensive capabilities.

Defence organisations undergo digital transformation just as much as their civilian counterparts, and digital infrastructure can be attacked for espionage, to obtain information on personnel (which can be used to understand skills and capabilities at different bases), and to interrupt or intercept communications.

Finally, the use of AI and other consumer-oriented apps by defence personnel can be weaponised to mimic officers or to study troop deployments through location tracking.

Tactics that can be used to compromise a nation’s defence will be effective against enterprises as well, and we can learn how and where to augment cyber defences from these attacks.

Strengthening Cyber Defences

Phishing

Phishing can be avoided through a combination of technology and training.

  1. All endpoints, including mobile devices, should be protected with cybersecurity that includes phishing protection, such as K7’s cybersecurity
  2. Multi-Factor Authentication (MFA) should be deployed where possible to provide additional access protection
  3. Staff should be trained on phishing tactics and to read messages (such as messages that reference recent news or require urgent action) with scepticism. Team members should also be trained to examine URLs carefully to ensure they are visiting official/genuine websites
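As an added illustration (not part of the original post) of the URL check recommended here and of the lookalike pattern in the Ministry of Defence phishing case above, the Python below classifies each URL in a message by whether its real host is an official domain or merely embeds an official domain string elsewhere; the allow-list and the sample email are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Domains the organisation actually uses. Constructed allow-list for this
# example; 'mod.gov.in' is the domain named in the incident described above.
OFFICIAL_DOMAINS = {"mod.gov.in"}

# Only full http(s) URLs are extracted, to avoid matching ordinary text.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Constructed sample message modelled on the lure described in the post.
SAMPLE_EMAIL = """\
Subject: Hackers Targeted Defence Personnel in Mass Cyber Attack
Verify your account at https://mod.gov.in.account-verify.example/login
The official advisory is at https://www.mod.gov.in/
"""


def url_host(url: str) -> str:
    """Lower-cased hostname of a URL; userinfo ('user@') and port are dropped."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_official_host(host: str) -> bool:
    """True only if the host IS an official domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated'.

    'lookalike': the host is not official, yet an official domain string sits
    elsewhere in the URL (another domain's subdomain, path, query or userinfo).
    """
    if is_official_host(url_host(url)):
        return "official"
    # Normalise '-' and '_' so 'mod-gov-in.example' is caught as well.
    flattened = url.lower().replace("-", ".").replace("_", ".")
    if any(d in flattened for d in OFFICIAL_DOMAINS):
        return "lookalike"
    return "unrelated"


def scan_message(text: str) -> list[tuple[str, str]]:
    """Extract every http(s) URL in a message and classify each one."""
    return [(u, classify_url(u)) for u in URL_RE.findall(text)]
```

Running scan_message over the sample flags the first link as a lookalike and the second as official, which is the distinction staff are being asked to make by eye.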

Contractors

Vendors/3rd parties that have access to enterprise data or networks can pose a threat to enterprise cybersecurity if they have been compromised. Businesses can protect themselves by

  1. Mapping all the vendors that have access to enterprise digital assets
  2. Stipulating vendor cybersecurity standards in contracts
  3. Verifying that cybersecurity standards are maintained by vendors through periodic audits
  4. Enforcing least privilege for 3rd party access to enterprise digital assets, and revoking access once no longer required

Our blog Cybersecuring the Supply Chain provides a detailed discussion on cybersecurity for contractors.

Technology Platforms

Technology platforms can be considered to form a digital supply chain. An attack on a technology platform can have a far greater impact than attacks on other vendors, because of the extent to which business operations are digitalised. Enterprises must ensure that

  1. All patches, including firmware updates for hardware, must be installed as soon as they become available
  2. All machine identities must be listed, unnecessary identities should be removed, credential security must be verified, and rotation of credentials should be implemented
  3. Technology solutions’ access to enterprise networks should be restricted through network segmentation to prevent lateral movement of attacks
  4. Vendors’ commitment to cybersecurity should be verified by confirming their security standards, protocols, and certifications. The frequency of security audits and assessments, and the results from them, must also be scrutinised

AI Platforms

The use of AI by individual users is relatively new, but the risks are already apparent. Supplying data to an AI model may constitute a data leak. AI hallucinations make AI output unreliable. Personal use of AI can also create risks in an enterprise context, as discussed above, where the use of AI to edit portraits enabled convincing impersonation. Enterprises can enjoy the benefits of AI without compromising cybersecurity by

  1. Training staff on acceptable and unacceptable use of AI, within the context of the data security regulations that the enterprise is subject to
  2. Classifying data to identify which data can be provided to AI models
  3. Blocking access to all AI tools that have not been vetted by the security/IT team
  4. Avoiding use of agentic AI other than in specific contexts with careful monitoring
  5. Educating users on how their personal use of AI can compromise enterprise security and their personal privacy

Enterprises must consider themselves as facing the same digital risk, and being equally targeted by threat actors, as defence organisations. K7 has worked with defence institutions and governments to augment national security and can draw on this experience to help you protect the digital infrastructure of your enterprise. Contact Us to learn more.


2023 K7 Computing. All Rights Reserved.