Geopolitics, cyber threats, and cyber security are strongly interconnected. Jack Alexander, Quorum Cyber Senior Threat Intelligence Analyst, talks to Bob Hayes, Chair of the Quorum Cyber Strategic Advisory Board, to discuss how the threat landscape is changing and what it means for organisations today. They cover how international alliances and conflicts are leading to cyber-attacks, artificial intelligence (AI) and deepfakes, and why organisations don’t always know why they are being targeted.
Jack Alexander: 2024 has been one of the most active years regarding elections seen in recent memory, with over three quarters of the world’s democratic population having that opportunity to vote. Rounding off the year in November is the US presidential election during a time of heightened divide between the left and right wings of politics. How do you see the cyber landscape shifting during the run-up to 5th November?
Bob Hayes: Cyber is an extension of the traditional ways that nation states project power and influence; criminal and terrorist groups conduct their activities; and single-issue groups undertake influence operations. Viewed through this lens, globally significant events such as the US presidential election are bound to be seen as an opportunity for any of these actors to utilise cyber in support of their agenda.
However, there are factors which mitigate this potential threat, and the recent UK government election supports the hypothesis that the influence of cyber operations will be less than predicted because:
- Not all actors have the same agenda and may in fact have opposing aims; this can diffuse the effectiveness of the message
- Increased effectiveness of defensive measures and active verification services deployed by many governments has reduced the volume of operations reaching the target audience
- Growing lack of trust in the veracity of ANY online information.
Jack Alexander: With the emergence of advanced AI technologies such as ChatGPT 4.0 able to assist with coding and deepfake imagery, how will these technologies alter the threat landscape over the coming six months?
Bob Hayes: Deepfake AI technology has recently been used successfully to create convincing clones of CEOs as part of business email fraud, and clones of King Charles and British Prime Minister Keir Starmer have been used to sell cryptocurrency (it would be fascinating to know whether this was a good marketing tactic). We should expect this to continue, both in scale and creativity.
AI-supported editing has created false videos purporting to show high-profile political figures from a range of countries in a negative light; the reposting of these by other high-profile political figures has added to the general lack of trust of such online information. Anecdotal evidence suggests that such videos are appreciated (possibly even believed) by the posting candidate’s core support but have little impact on changing allegiance.
Jack Alexander: From 2023 to 2024 the total number of ransomware attacks has dropped by 7%, whilst the payment demanded during individual attacks has increased by 500% from $400,000 in 2023 to nearly $2,000,000 in 2024. How do you attribute this change? Is it a shift in strategic threat actor behaviour or are there other factors at play?
Bob Hayes: The increase in defensive capability offered by core products produced by Microsoft and others has raised the cost for attackers, and the scattergun attacks against multiple targets are now less effective and risk the attacker ‘showing their hand’.
This has resulted in attackers going for more lucrative targets, and taking additional time to research, reconnoitre, and craft attacks using more potent and destructive methods of attack where data is both exfiltrated and encrypted. The aim for attackers is simple: to maximise the impact of an attack and the difficulty for a business to recover, so making payment the ‘easier’ option.
Jack Alexander: At the time of writing, there are several open conflicts including the Russian invasion of Ukraine, and the deepening conflict in the Middle East. Additionally, there are also areas of rising tensions such as the dispute over the sovereignty of Taiwan, and political uncertainties/border disputes in South America. So far, we have detected both overt and covert cyber aggression from all sides in the form of targeted attacks and hacktivism, with many attacks spilling over into civilian sectors. How would you expect the use of cyber tactics in traditional warfare to impact both public and private companies during this time of increased tensions and uncertainties?
Bob Hayes: Organisations can find themselves in the crosshairs of direct action for many reasons: investing in fossil fuels; being based in Israel; being a defence contractor; or hanging artwork with perceived colonial ties. In some cases, this is obvious to the target; in other cases, much less obvious.
Taking some time to understand your organisation’s threat profile will always be helpful, but probably wouldn’t have helped Baillie Gifford predict their targeting for (a relatively modest) investment in fossil fuels and defence.
Ultimately, organisations are best to assume that they are likely to fall into the crosshairs of an attack, and plan to develop defence and resilience processes for their critical functions. There are many companies, including Quorum Cyber, who can help with this assessment.
Jack Alexander: Russia and North Korea recently signed a mutual defence pact following the Kremlin vetoing UN sanctions of North Korea. Pyongyang, on the other hand, has been reported to have supplied military hardware and munitions to Moscow to bolster its invasion of Ukraine on the ground. Iran attacks western targets through its Axis of Resistance Houthi rebel faction in the Red Sea while providing Chinese and Russian ships safe passage. China is now a major buyer of Iranian and Russian oil as Beijing is seeking to leverage the Middle East region to propagate its Belt and Road initiative. With this strategic cooperation on the world stage, do you anticipate any collaboration in cyber space by state actors aligned with these nations as they all seek to enhance their respective global agendas?
Bob Hayes: Strategic cooperation between nation states isn’t new or enduring. In any multi-nation conflict allegiances will be made and broken as parties try to identify the best outcome for their nation. The concept of ‘frenemy’ was created to reflect an actor with whom one is friendly despite a fundamental dislike or rivalry, for as long as it is useful.
The Five Eyes alliance between the US, UK, Canada, Australia, and New Zealand was created in 1941 as a way of sharing secret intelligence between allies. It seems reasonable to assume that such intelligence includes capabilities and vulnerabilities in the cyber domain.
Other alliances exist, not always openly. For example, it is suggested that the Stuxnet attack on Iranian nuclear centrifuges was created jointly by the US and Israel.
In that context it would be surprising if there was not significant cooperation and collaboration between Russia, China, and North Korea – where their strategic aims overlap.