How nation-states exploit political instability to launch cyber operations

In this Help Net Security interview, Ismael Valenzuela, Vice President of Threat Research & Intelligence at BlackBerry, discusses the impact of geopolitical tensions on the frequency and sophistication of cyberattacks. He explains how nation-states and politically motivated groups exploit unrest for strategic advantages, providing examples of recent conflicts and their cyber implications.


How do geopolitical tensions directly affect the frequency and sophistication of cyberattacks? Can you give examples of how nation-states or politically motivated groups leverage this unrest?

Geopolitical tensions can directly influence the frequency of cyberattacks, as nation-states and politically motivated groups seek to exploit unrest for strategic advantage. Geopolitical instability increases the likelihood of severe cyberattacks, and unlike conventional warfare, cybersecurity has no physical borders, meaning that instability in one part of the world can lead to cyber threats and consequences in entirely different regions.

While the sophistication of these attacks doesn’t always increase, attackers frequently focus on high-value or strategically significant targets, such as governments, diplomatic entities, critical infrastructure, defense sectors, or other key areas. These targets can provide valuable intelligence or disrupt key operations, offering a tactical advantage in relation to the geopolitical tensions. Additionally, organizations within the supply chains of these high-value targets are also at risk, emphasizing the importance of monitoring geopolitical risks as part of each organization’s threat modelling.

We have seen numerous examples of how nation-states and politically motivated groups leverage political unrest to achieve their strategic objectives. A prominent case is Russia’s use of cyber weapons during its territorial invasion of Ukraine. This ongoing conflict has highlighted that cyberspace is now an established and rapidly evolving domain of warfare, demonstrating how geopolitical tensions can drive sophisticated and targeted cyber campaigns.

Other compelling examples are the territorial disputes in the South China Sea and the ongoing civil conflict in Myanmar, where China has employed cyber capabilities to gain a strategic advantage. Similarly, the long-standing conflict between India and Pakistan over the Kashmir region has led to cyber operations from both sides. In these contexts, cyber operations are used to gather intelligence, conduct surveillance, disrupt operations and undermine adversaries, reflecting a broader strategy to assert dominance and influence in regions marked by geopolitical instability.

Additionally, we have seen cyber influence operations aimed at election interference, such as those carried out by Russia and Iran ahead of the 2024 US presidential election. These actors have deployed tactics such as targeted hack-and-leak operations, disinformation campaigns, and fabricated media to manipulate public perception and undermine political candidates.

Why is the critical infrastructure sector such a lucrative target for threat actors? What vulnerabilities make it more susceptible to attacks like ransomware or espionage?

Critical infrastructure, like any mission-critical asset, provides a uniquely high target value because so much is at stake when the system goes down. The economies of entire geographical regions can break down if a pipeline is disabled. These critical infrastructures aren’t inherently more susceptible to attacks; instead, because of the high target value, they are subjected to more rigorous targeting and exploitation.

An analogy would be operating systems. Windows is actually one of the safest operating systems run in production. Bugs and vulnerabilities are patched far faster than on macOS and other POSIX systems. Because Windows’ market share is so high, the return from developing malware for Windows is much higher.

Internal threats (e.g., employee errors, misconfigured devices) are critical in breaches. What are some of the most common internal security gaps that threat actors exploit, and how can organizations better address these internal vulnerabilities?

Internal threats refer to a broad range of security risks originating from within an organization. These threats can arise from various sources, including human error, vulnerabilities in the technology stack, misconfigured devices, insider threats, and other factors that may vary depending on the organization’s specific background or industry.

Some of the most common internal security gaps exploited as part of breaches fall under the following categories.

Human error

Human error represents a significant internal security risk that threat actors frequently exploit. This category includes unintentional mistakes made by employees, such as falling victim to phishing attacks, business email compromise (BEC), misconfiguring devices, and careless handling of sensitive data—such as misplacing documents. Other examples include ignoring security protocols, being susceptible to social engineering tactics, and neglecting software updates.

Human error will always remain one of the biggest attack vectors for organizations, making it essential to implement robust mitigation strategies. Adopting a defense-in-depth approach ensures multiple layers of security, while a zero-trust model mandates strict verification for every entity, user, app, service or device accessing resources, limiting the impact of potential mistakes. Security awareness training will help better equip employees with the knowledge to recognize phishing attempts and social engineering tactics, and to appreciate the importance of adhering to security protocols.

Credentials

One of the most exploited internal security gaps involves the poor management of user credentials. Attackers often target weak or stolen credentials to gain initial access to systems. Common methods of exploitation include brute-forcing weak passwords, credential stuffing (using compromised credentials from previous breaches), and credential spraying (testing common passwords against many accounts), as well as taking advantage of accounts that were never properly deactivated for former employees.

To mitigate this risk, organizations should enforce strong password policies, including multi-factor authentication (MFA) and regular password rotations. Implementing a zero-trust security model, which limits user access to only what is necessary for their role, can further reduce potential damage from compromised credentials. Regularly auditing and removing inactive accounts ensures that former employees or unused accounts don’t become a liability.
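The credential attacks and controls described in this answer (brute force, credential spraying, and auditing inactive accounts) can be turned into simple detections over authentication logs. The following is an added example, not code from the interview or from BlackBerry; the log format, thresholds, sample events, user directory and "now" timestamp are all constructed assumptions. Spraying shows up as one source failing against many distinct accounts inside a short window, brute force as many failures against a single account from one source, and stale accounts as directory users with no recent successful login.

```python
"""Added example: spraying / brute-force / stale-account checks over auth logs.

Log line format (hypothetical, one event per line):  <ISO timestamp> <user> <src ip> <OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a sprayer (one failure per account from 203.0.113.10),
# a brute-forcer (12 failures against alice from 198.51.100.7), and two real logins.
SAMPLE_LOG = (
    "2024-01-15T08:00:00 carol 192.0.2.9 OK\n"          # old login, will count as stale
    "2024-09-01T08:00:01 alice 203.0.113.10 FAIL\n"
    "2024-09-01T08:00:02 bob 203.0.113.10 FAIL\n"
    "2024-09-01T08:00:03 carol 203.0.113.10 FAIL\n"
    "2024-09-01T08:00:04 dave 203.0.113.10 FAIL\n"
    "2024-09-01T08:00:05 erin 203.0.113.10 FAIL\n"
    "2024-09-01T08:00:06 frank 203.0.113.10 FAIL\n"
    + "".join(f"2024-09-01T08:00:{7 + i:02d} alice 198.51.100.7 FAIL\n" for i in range(12))
    + "2024-09-01T08:05:00 alice 192.0.2.5 OK\n"
    "2024-09-01T08:06:00 bob 192.0.2.6 OK\n"
)

# Constructed user directory and evaluation time (assumptions, not from the interview).
DIRECTORY = ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]
NOW = datetime.fromisoformat("2024-09-01T09:00:00")


def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "src": src, "result": result})
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources whose failures touch >= min_accounts distinct users within any window.

    Returns {src: max distinct users seen in one window}.
    """
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(fails)):           # sliding window over sorted failures
            while fails[hi]["ts"] - fails[lo]["ts"] > window:
                lo += 1
            users = {e["user"] for e in fails[lo:hi + 1]}
            if len(users) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


def detect_brute_force(events, min_fails=10):
    """Flag (src, user) pairs with >= min_fails failures: many guesses at one account."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            counts[(e["src"], e["user"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_fails}


def stale_accounts(events, directory, now, max_idle_days=90):
    """Directory users with no successful login, or none within max_idle_days."""
    last_ok = {}
    for e in events:
        if e["result"] == "OK":
            last_ok[e["user"]] = max(last_ok.get(e["user"], e["ts"]), e["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u in directory if last_ok.get(u, cutoff - timedelta(days=1)) < cutoff)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("spraying:", detect_spraying(evts))        # {'203.0.113.10': 6}
    print("brute force:", detect_brute_force(evts))  # {('198.51.100.7', 'alice'): 12}
    print("stale:", stale_accounts(evts, DIRECTORY, NOW))  # carol, dave, erin, frank, grace
```

The two thresholds deliberately separate the patterns: the sprayer never trips the per-account brute-force rule because it spends only one guess per user, and the brute-forcer never trips the spraying rule because it hits only one account. The stale-account check is the log-side counterpart of the "regularly audit and remove inactive accounts" advice above.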

Vulnerabilities

Organizations have unique infrastructure needs, which may be managed internally or through third-party providers. Both options carry their own risks. Internal vulnerabilities in an organization’s IT infrastructure pose significant security threats, often arising from outdated or unpatched software and poor configurations that attackers can exploit for unauthorized access or code execution. Additionally, relying on third-party infrastructure or tooling can expand an organization’s attack surface while limiting control, as evidenced by numerous supply chain attacks in recent years.

Threat modelling is essential for identifying critical assets and potential attack vectors, guiding organizations in prioritizing their efforts. To mitigate these vulnerabilities, organizations should adopt a proactive vulnerability management strategy that includes regular security assessments and automated vulnerability scanning. While patch management can be challenging due to potential operational disruption, it is crucial that high-priority targets are considered higher priority for patching. Additionally, secure configurations and regular audits help maintain compliance with security best practices, effectively reducing the attack surface.

What are some of the most concerning emerging threats, such as deepfakes or sophisticated phishing campaigns? How can companies prepare themselves for these attacks?

Threat actors are always looking for the next ploy and/or scheme to increase their chances of a successful cyber-attack. Most threat actors are driven by financial gain, often seeking out new ways (abusing deepfakes) and evolving already leveraged means (like phishing).

Though phishing has been abused for decades, in recent years we’ve witnessed an evolutionary leap in its complexity. Advances include the sophistication of fraud conducted by spear-phishing individual high-value targets (HVTs) and vast improvements in mimicking the authenticity of said phishing emails.

Ploys around phishing and other social engineering attacks rely on the point of failure being the human aspect of an organization. Threat actors are now spending more effort on crafting their lure, conducting intelligence gathering on their target(s) and developing means to bypass the outermost layers of one’s business. This shift in focus is nearly the inverse of previous efforts, which relied on mass spamming large-scale email lists with more generalized lures.

Additionally, the abuse of deepfakes within cyber-attacks and digital fraud has exploded in recent times, no longer being a proof-of-concept or hypothetical. Over the last 12 months, a range of fraud relying on deepfakes has financially swindled millions from businesses around the globe. Threats involving deepfakes are often coupled with initial access or deception through business email compromise (BEC); not too dissimilar to phishing, deepfakes rely on the point of failure being the human.

Advances in this space are rapidly evolving, and protection against such attacks is limited. Given that the technology is there, the complexity and resources required to pull off a highly advanced deepfake scam or fraud are currently the largest blocker for malicious actors. However, as the technology advances and the resources required decrease, so too does the barrier to entry into this quagmire, with even novice threat actors weaponizing deepfakes in their scams.

For preparation, best security practices and user awareness are quintessential when dealing with both threats. Cyber hygiene and user training on topics like phishing and correct internet etiquette will often result in greater awareness and better decision making by employees.

Many attacks target supply chains to cause widespread disruption. What steps can organizations take to secure their supply chains from cyberattacks, and how can threat intelligence help identify potential supply chain vulnerabilities?

Cyber-attacks on the supply chain are certainly not a new phenomenon; in fact, they occur with relative regularity from year to year, with the 2020 SolarWinds attack being one of the most notable. When an attack is perpetrated against an entity within the supply chain, it essentially causes a ripple effect, with all those other entities that are dependent on the supply chain being affected in some capacity also.

This one-to-many relationship means an attack on one often leads to a far larger and widespread impact on many others. A layered defense is a necessity when defending against such attacks. This would include components such as a regular secure code review process, digital certificate signing and review, and a well-resourced, at-the-ready Product Security Incident Response Team (PSIRT). Coupled with this, one of the most important elements would be access to up-to-date and detailed threat intelligence data, which would feed into and fuel each of the other defensive mechanisms.

This would include data surrounding the identification of cyber-criminal activity and tactics, techniques, and procedures (TTPs), which could act as an early warning system for those threat actors targeting supply chains; the monitoring of deep-web forums for intel related to vulnerabilities that affect the supply chain; initial access brokers (IABs) that are offering access to entities within a supply chain; analysis of geopolitical risks; and the flagging of vulnerabilities within third-party or open source software, which is frequently a component of intricate supply chain networks.

By utilizing threat intelligence, institutions can greatly help find and mitigate potential vulnerabilities that lie within their supply chains, which would go a long way in enhancing their overall defensive posture and thus reduce the risk of a cyberattack.
