Case studies

Cybersecurity challenges and solutions in the defence sector


In the following section, we present selected case studies highlighting the importance of an exemplary cybersecurity strategy within defence. Each study focuses on different threat actors, targets, or methods. Phishing is the most prolific method and accounts for around 90% of data breaches.

Case study: Military equipment design 

Military equipment manufacturers have been the target of hacking, with some cyberattacks affecting major international development programmes.

F-35 Lightning II (2007)

The F-35 Lightning II is a fighter aircraft incorporating cutting-edge technology, making it the world’s most advanced fighter. This has led to secrecy surrounding the manufacturing of certain elements of the aircraft. In 2007 a data breach occurred at Lockheed Martin that allowed Chinese hackers to gain access to information around the production of key F-35 components. Hackers are reported to have favoured spear-phishing techniques, which involved accessing email accounts and passwords to breach secure networks. 

This information was revealed in 2015 in the release of classified documents by Edward Snowden. These documents outlined the strategy of the hackers, which focused on acquiring the radar design (the number and types of modules), detailed engine schematics (methods for cooling gases, leading and trailing edge treatments, and aft deck heating contour maps), and much more. The document describes in detail how many terabytes of data surrounding the F-35 joint strike fighter program were stolen. This series of suspected thefts has been dubbed ‘Byzantine Hades’ by US officials and is alleged to have informed the new Chinese advanced fighter aircraft: the J-20 and the J-31. These models are predicted to be ready for operational service in 2024.

Rubin Design Bureau (2021)

More recently, in 2021, hackers targeted the major Russian defence contractor Rubin Design Bureau. The attack came in the form of a spear-phishing email that contained an image file with malicious software called ‘Royal Road’ embedded within it. This was then intended to create a portal called ‘PortDoor’, through which hackers could access the wider network and gain intel on the design of nuclear submarines. 

On its website, Rubin Design Bureau claims to be responsible for 85% of all Soviet and Russian Navy submarines since 1901. A report by cybersecurity firm Cybereason did not identify the perpetrators; however, it did mention that the attack bore “all the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests”.

Case study: Targeting third parties/supply chains

Threat actors will often target third parties like IT management platforms or email servers because they often work with a multitude of companies. This means that they can breach many companies with just one attack.

SolarWinds Orion (2020)

The SolarWinds hack in 2020 was a major event in cybersecurity history because it triggered supply chain disruptions that affected thousands of public and private organisations, including the US government. SolarWinds Orion is an IT administration, monitoring, and management platform. 

A Russian nation-state actor called Nobelium, which was identified as part of Russia’s foreign intelligence service (SVR), attacked SolarWinds. It gained access to the systems and data of thousands of SolarWinds customers by inserting malicious code called SUNBURST into the SolarWinds Orion system.

The malicious code was then installed by the hackers into a new batch of software and distributed as an update. It was in March 2020 that Orion software, updated with this malicious code, was distributed unwittingly by SolarWinds. This method is often referred to as a ‘supply chain attack’, as a third-party system (like SolarWinds) is used so that hackers can impersonate users and accounts of victim organisations, totally undetected. 

Among those affected were US government departments such as Homeland Security, State, Commerce, and Treasury. The cybersecurity firm FireEye (now Mandiant) was the first to detect this attack and worked with GoDaddy to isolate and shut down the Orion updates that were known to contain the malicious code. They did this by turning the malicious code into a kill switch that shut down the software if used. 

Microsoft (2021)

Just a year later in March 2021, Microsoft’s enterprise email software was hacked to access the data of over 30,000 organisations worldwide. This was a zero-day exploit as the vulnerabilities had affected software released from 2012 onwards. This allowed the hackers to manipulate corporate servers and steal any information they wanted, such as contacts or calendars. 

Those affected included defence contractors, government agencies, legislative bodies, and policy think tanks. Microsoft confirmed with ‘high confidence’ that the hacking campaign made use of previously undetected vulnerabilities and attributed the attack to a state-sponsored entity called HAFNIUM, operating out of China. In response to this attack, the Microsoft Security Response Center published guidance for responders to help them investigate and remedy on-premises Microsoft Exchange Server vulnerabilities. This helped each organisation understand the threat, check for vulnerabilities, mitigate the threat, check for breaches, take steps to remedy the breach, and get future guidance for IT protection and monitoring.

Case study: Social media  

Social media has become an increasingly important factor to consider for militaries and their cybersecurity strategy. Social media often tracks users’ locations, and profiles are frequently filled with material that can indicate a user’s position. Profiles are often public or very easily accessible and, knowingly or not, can lead to major cybersecurity breaches.

Strava (2017)

One of the most well-known social media mishaps was reported in 2018, when soldiers deployed at a military base in Afghanistan were discovered uploading their exercise routes to the fitness app Strava. In 2017, Strava released a map that showed every activity ever uploaded, with more than three trillion individual data points. In remote locations in Afghanistan, Djibouti, and Syria, foreign military personnel make up the majority of Strava users, meaning that the bases that soldiers used to exercise around stood out brightly. The heatmaps were publicly available and revealed sensitive information about the location and staffing of the military bases and covert operations outposts.
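The mechanism behind the Strava leak is simple aggregation: the same route, logged day after day by a small population in an otherwise empty area, produces a small set of very bright cells. The following script is an added example (not code from the article, Strava, or any military source) that builds such a grid from constructed GPS samples and then applies a privacy-zone filter, the control that strips points within a set radius of a sensitive site before a track is shared. The base coordinates, the 50 m sample spacing, the 0.001-degree cell size and the 25-hit brightness threshold are all assumptions chosen for illustration.

```python
"""Added example, not from the original article: why repeated exercise routes
aggregate into a revealing heatmap, and how a 'privacy zone' filter applied
before upload removes the points closest to a sensitive site.
All coordinates below are constructed for illustration."""
import math
from collections import Counter

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def heatmap(tracks, cell_deg=0.001):
    """Aggregate every uploaded point into a grid; 0.001 degrees is ~110 m north-south."""
    counts = Counter()
    for track in tracks:
        for lat, lon in track:
            counts[(round(lat / cell_deg), round(lon / cell_deg))] += 1
    return counts


def hot_cells(counts, threshold):
    """Cells with enough hits to render as 'bright' on a public heatmap (assumed threshold)."""
    return {cell for cell, n in counts.items() if n >= threshold}


def apply_privacy_zone(track, centre, radius_m):
    """Drop every point within radius_m of centre before the track is shared."""
    return [(lat, lon) for lat, lon in track
            if haversine_m(lat, lon, centre[0], centre[1]) > radius_m]


# Constructed scenario: a hypothetical base gate at BASE and a 3 km run due
# north from it, logged once a day for 30 days.
BASE = (34.5000, 69.2000)  # hypothetical coordinates, not a real site
STEP_DEG = 0.027 / 60      # ~50 m between GPS samples


def daily_run():
    return [(BASE[0] + STEP_DEG * k, BASE[1]) for k in range(61)]


def exposure(tracks, threshold=25):
    """Number of bright cells an aggregator would publish for these tracks."""
    return len(hot_cells(heatmap(tracks), threshold))


def demo():
    """Bright-cell count before and after a 1 km privacy zone around the base."""
    tracks = [daily_run() for _ in range(30)]
    before = exposure(tracks)
    filtered = [apply_privacy_zone(t, BASE, 1000) for t in tracks]
    after = exposure(filtered)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print(f"bright cells before privacy zone: {b}, after: {a}")
```

The privacy zone removes the samples nearest the gate, so the brightest part of the route (the start and end of every run) never reaches the aggregator, but the rest of the route is still published: the filter reduces the leak, it does not eliminate it, which is why the remaining mitigation is a policy of not uploading at all from sensitive locations.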

Russo-Ukrainian War (2022)

In the ongoing invasion of Ukraine, social media has been a key theme. As well as the continuing effort to spread misinformation using social media, it has also been suggested that it is being used to gain military intel on soldiers’ positions and assets. This is a phenomenon occurring on both sides as many soldiers and civilians during the war have taken to using popular social media apps like TikTok to document the conflict. In March, Ukrainian authorities detained a Ukrainian man for sharing a video on TikTok of Ukrainian military vehicles parked near a shopping centre in the Podolsky area of Kyiv in February. In the same month, this shopping centre was destroyed by Russian shells, killing eight people. 

The Ukrainian Security Service has called upon citizens not to publish data on the Ukrainian Armed Forces or the results of enemy shelling but instead to pass on information concerning Russian troops. In Russia, security chiefs have launched a campaign to try and stop troops from giving away military intel using social media. 

LinkedIn (2016 to 2021)

In cybersecurity strategy, it is often agreed that humans, often unknowingly, are the weakest link. This is why they are often the target portal for a cyberattack. In 2021, MI5 disclosed that in the past five years, over 10,000 UK professionals (often with high-level security clearance) were targeted by hostile states through spear phishing or social engineering campaigns on LinkedIn. They warned that there are nearly half a million fake accounts, often posing as recruiters, intending to manipulate people into sharing classified information. 

In 2019, former CIA officer Kevin Mallory was sentenced by the US to 20 years in prison for sharing military secrets with Chinese intelligence after first being approached on LinkedIn. In response to this, a campaign called ‘Think Before You Link’ has been set up by the Centre for the Protection of National Infrastructure. The Head of Trust & Safety on LinkedIn, Paul Rockwell, stated that fake accounts like these are detected and deactivated. In the first six months of 2019, 33.7 million fake accounts were removed. 

Case study: Attacks on infrastructure

Critical infrastructure such as energy and communications networks is also a vulnerable target for cyberattacks, and the level of damage inflicted can be significant given the scale of these installations.

Gas compression plant (2020)

There have been several warnings of the potential impact of cyberattacks on the industrial internet and critical national infrastructure (CNI), but a February 2020 attack on a gas compression plant in the US demonstrated the extent of the disruption cyberattacks can cause. The cyber incident, which shut down the plant for two days, was a ransomware attack on a natural gas facility and progressed because the perpetrator was able to jump from the facility’s IT network onto the operational network when an employee mistakenly clicked on an email link. 

According to an alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), the loss of availability occurred on human-machine interfaces, data historians, and polling servers. The attack was limited to Windows-based systems and did not impact any programmable logic controllers responsible for directly reading and manipulating physical processes. Surprisingly, the victim organisation’s emergency response plan did not specifically refer to how it would cope with cyberattacks, but only threats to physical safety. The failure to segment operational technology (OT) and information technology (IT) networks was a critical factor in the attack. 

The most famous attack on a SCADA facility was the Stuxnet worm, which attacked an Iranian nuclear facility in 2010. The threat to infrastructure systems has prompted industrial and cybersecurity vendors to work more closely to create cybersecurity defences for power plant operators. Thales and GE Steam Power are to perform joint training for customers that operate power plants. 

Colonial Pipeline (2021)

More recently and even more severely in May 2021, a cyberattack linked to the DarkSide hacking group led to the closure of one of the US's largest gas pipelines, Colonial Pipeline. The attack brought home to companies and politicians at the highest levels of government the damage that a ransomware attack could cause. The attack forced Colonial Pipeline to close down all pipeline operations and freeze its IT systems. The high-profile cyberattack was caused by an exposed password on an employee’s VPN account, and this likely contributed to the increase in zero trust-related activity in the sector in the months after the attack. The magnitude of this breach alerted governments worldwide to the risks such an attack can bring to CNI.
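A single exposed password is only sufficient when the account it unlocks has no second factor and nobody notices it being used. The script below is an added example (not code from the article, Colonial Pipeline, or any vendor) that audits constructed VPN authentication logs for exactly those two conditions: successful logins that completed without MFA, and accounts that were dormant for weeks and then suddenly authenticate. The log format, the field names, the usernames and the 60-day dormancy window are all assumptions made for the example.

```python
"""Added example, not from the original article: audit constructed VPN
authentication logs for the conditions under which one leaked password is
enough to get in. Log format, field names and every value are constructed."""
import re
from datetime import datetime, timedelta

# Assumed key=value log format; real VPN appliances each have their own.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>\S+)$"
)

# Constructed sample log lines (documentation IP ranges, invented users).
SAMPLE_LOG = """\
2021-04-01T08:02:11Z vpn auth user=alice src=203.0.113.10 result=success mfa=push
2021-04-02T08:05:40Z vpn auth user=alice src=203.0.113.10 result=success mfa=push
2021-01-15T17:20:03Z vpn auth user=legacy_ops src=198.51.100.7 result=success mfa=none
2021-04-29T03:13:58Z vpn auth user=legacy_ops src=198.51.100.44 result=failure mfa=none
2021-04-29T03:14:27Z vpn auth user=legacy_ops src=198.51.100.44 result=success mfa=none
2021-04-29T09:00:00Z vpn auth user=bob src=203.0.113.22 result=success mfa=totp
"""


def parse(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def logins_without_mfa(events):
    """Successful sessions established with a password alone."""
    return [e for e in events if e["result"] == "success" and e["mfa"] == "none"]


def dormant_reactivations(events, dormant_days=60):
    """Successful logins by an account whose previous success was more than
    dormant_days earlier: the signature of a forgotten account being reused."""
    findings = []
    last_success = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev is not None:
            gap = (e["ts"] - prev).days
            if gap > dormant_days:
                findings.append({"user": e["user"], "ts": e["ts"],
                                 "src": e["src"], "gap_days": gap})
        last_success[e["user"]] = e["ts"]
    return findings


def accounts_to_remediate(events):
    """Accounts that must get MFA enforced or be disabled under a zero-trust policy."""
    return sorted({e["user"] for e in logins_without_mfa(events)})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for e in logins_without_mfa(evs):
        print(f"NO-MFA LOGIN  {e['ts'].isoformat()} user={e['user']} src={e['src']}")
    for f in dormant_reactivations(evs):
        print(f"DORMANT REUSE {f['ts'].isoformat()} user={f['user']} "
              f"src={f['src']} gap={f['gap_days']}d")
    print("remediate:", accounts_to_remediate(evs))
```

Run against the constructed lines, the audit flags the `legacy_ops` account twice: its sessions never involved a second factor, and the April login arrives from a new source address after more than three months of silence. Both findings are cheap to compute from logs most VPN gateways already produce, and either one is grounds to disable the account and re-enrol its owner with MFA before a credential leak becomes an incident.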

Viasat (2022)

In February 2022, an attack on the KA-SAT network of a US satellite caused outages across central and eastern Europe. The attack also disconnected remote access to roughly 5,800 wind turbines across Germany. It is believed to have been caused by AcidRain, a wiper malware that can erase vulnerable modems remotely. AcidRain is believed to be the seventh strain of wiper malware to target Ukraine since the onset of Russia’s invasion. This malware was discovered in March and is suspected to have been used by Russia’s military intelligence (the GRU), as it resembles other malware previously deployed by Russian-backed groups. To help remedy the attack, Viasat has sent almost 30,000 modems to distributors to bring customers back online.

GlobalData, the leading provider of industry intelligence, provided the underlying data, research, and analysis used to produce this article.   

GlobalData’s Thematic Intelligence uses proprietary data, research, and analysis to provide a forward-looking perspective on the key themes that will shape the future of the world’s largest industries and the organisations within them.