News & Stories

European governments hit by Kremlin-backed cyberattacks

Ray Fernandez

May 16, 20245 min read

As Russia’s war in Ukraine intensifies, with Russian troops mounting border attacks, the renewed offensive has been accompanied by strategic cyberattacks against Ukrainian allies in European countries. 

From Germany to Poland and Kosovo, Kremlin-supported hacker groups are reported to be behind massive governmental espionage campaigns. The objective appears to be the sabotage of governments that have pledged support and military assistance to Ukraine. 

Germany battles ATP 28: Elite Russian hackers

Recent events reveal what appears to be a broad Russian-led cyberwarfare campaign against European and Eastern European nations. Specifically, the attacks are targeting key countries that support Ukraine. 

In the past weeks, the elite hacker group ATP 28 — part of the Russian military intelligence service GRU — targeted Poland and Kosovo. Meanwhile, Germany continues to reveal the wide impacts of a cyberespionage campaign. 

On May 3, the German Interior Minister said that persistent cyber espionage attacks from ATP 28 began as early as March of 2022. This was just one month after Russia’s invasion of Ukraine. Germany said that ATP 28 breached and accessed the Social Democratic Party headquarters, defense, aerospace, and the aviation industry.

Reuters reported that NATO and European countries expressed their support to Germany. They also joined in issuing a warning regarding the consequences that Russia’s cyberwarfare campaigns would have. 

Germany has arrested German nationals of Russian origin on suspicion of conspiring to sabotage Germany’s military aid to Ukraine. Additionally, three Germans have been detained for allegedly planning to pass on advanced engine designs to Chinese intelligence.

For months, Ukraine has warned that Russian spies and cybercriminals were rampant across Europe. 

Cyberattacks in Eastern Europe: Kosovo and Poland hit by ATP 28

Even after the German cyberespionage scandal, ATP 28 — known for targeting governments, militaries, and security organizations — did not draw the line. By May 8, both Poland and Kosovo reported cyberwarfare actions targeting their government networks.

The common thread and over message of ATP 28 seem clear. They will stop at nothing and will go after any government that supports Ukraine with military aid. 

On May 8, Poland reported that Russian cyber spies targeted government networks.  

The National Research Institute (NAKS) of Poland, responsible for information and communication networks in the country, said that malware targeting Poland’s government organizations was distributed by ATP 28.

“Technical indicators and similarities to past attacks allowed the identification of the APT 28 group,” NAKS told the press. “This group is associated with the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).”

On the same day, Eastern European media reported that Russia had launched a hybrid cyberattack on Kosovo after the country announced military aid for Ukraine. ATP 28 targeted Kosovo institutions, as well as websites associated with the Presidency and the Prime Ministry. 

“Today, Russia launched a hybrid attack on Kosovo after we announced that we are providing military equipment to Ukraine as justified defense against Russia’s genocidal aggression,” the Minister of Foreign Affairs and Diaspora of Kosovo Donika Gervalla said. 

Besides government and defense, the recent cyberattacks also targeted healthcare and other critical infrastructure services such as water. 

The US renews its warning to Russian hacktivists at home and in Europe

In the United States, a new military aid package of $61 billion was recently approved to support Ukraine. The CISA, the FBI, Homeland Security, and the NSA have issued multiple warnings across all sectors regarding Russian hacktivist attacks. 

In the latest warning, dated May 1, 2024, and issued by the US Intelligence and government organizations, CISA provided guidelines and information. These guidelines are meant to help defend OT operations against ongoing pro-Russia hacktivist activity.

US Intelligence said that these attacks “seek to compromise industrial control systems (ICS) and small-scale operational technology (OT) systems in North American and European critical infrastructure sectors, including Water and Wastewater Systems, Dams, Energy, and Food and Agriculture Sectors.”

How severe were the ATP 28 attacks in Europe?

The Kosovo cyberattack was a Denial of Service Attack (DDoS). This type of attack is used most commonly as an extortion and pressure technique. It does not usually involve malware or data exfiltration. In the DDoS attacks, Russian hackers flooded the targeted Kosovo websites and networks with fake traffic, causing government sites to temporarily go offline. 

A Kosovo government spokesperson told media outlet Balkan Insight that the government’s Information Society Agency rapidly restored the websites under attack without “consequences in the data.”

This cyberattack did not have a significant digital impact. However, it reignited tensions as Russia sent out its message to Europe and the world.

During a press conference, Kosovo Prime Minister Albin Kurti said that ATP 28’s goal was a “hybrid war which, if successful, would result in the destabilization of Kosovo’s security, stability, and welfare institutions.”

ATP 28 phishing attacks against Poland 

On the other hand, ATP 28 cyberattackers put a different technique into play in Poland. Using classic email phishing tactics, the group lured victims into downloading malware on their devices. 

The malware distributed by ATP 28 in Poland is capable of collecting information, bypassing security guardrails, remaining undetected, and communicating with the hackers’ controlled servers. 

Data reported to be compromised by this malware includes IP addresses and lists of files in selected folders. However, due to the technical characteristics of the malware detailed in the investigation of Poland’s Computer Emergency Response Team, CERT-PL, the malware is probably capable of much more. 

Image of the phishing email used by Russian hackers against Polland CERT-PL.
A screenshot of a phishing email used by Russian hackers against Polland CERT-PL.

Threats to upcoming June 2024 European elections 

Countries recently targeted by Russian-supported hackers in Europe include Italy, the Czech Republic, Germany, Poland, and Kosovo.

More cyberattacks are expected to emerge as the 2024 June European Parliament Election draws near.  

The biggest impact the attacks have had in Europe is political. Countries are condemning the attacks, with Germany and the Czech Republic recalling its ambassadors to Russia. 

Final thoughts 

The recent wave of cyberattacks by Kremlin-backed groups exposes a worrying trend: Russia’s willingness to weaponize cyberwarfare to target European nations supporting Ukraine.

While not always resulting in complete data breaches, these attacks serve a clear purpose. The goal is to disrupt critical services, sow discord, and intimidate governments opposed to Russia’s actions.

As the June European Parliament elections approach, heightened awareness of potential disinformation campaigns is crucial. New developments in the Ukraine-Russian conflict are also expected to influence cyberwarfare globally.  

Ray Fernandez Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.