Russia forced to direct espionage efforts into cyberspace

2022 was also an exceptional year in the cyber environment. One effect of the Russian invasion has been to highlight the importance of cyber espionage.

News broadcasts were already reporting on how Russia was concentrating its forces near the Ukrainian border months before the February 2022 invasion. Similar preparations were also seen online. Even before the war, the volume of Russian cyber activity targeting Finland decreased as resources were focused on Ukraine. The unusually peaceful period on Finnish networks continued during the early stages of the invasion in the spring.

By the summer it was nevertheless already evident that this lull had come to an end for us. Russian cyber activity in Finland then began to pick up, returning to its normal level, and by the second half of 2022 Russian cyber espionage efforts targeting Finland had become even busier than before.

Finnish targets subject to continuous cyber espionage efforts

One effect of the Russian invasion has been to highlight the importance of cyber espionage. Traditional human intelligence operations have become more difficult for Russia, with many European operators severing their links to Russian counterparts. At the same time, Russian intelligence officers have been expelled from Western countries.

Russia has also been forced to use other information-gathering approaches in Finland. Finnish public authorities and businesses are regularly targeted by Russian cyber espionage efforts. Finland’s foreign and security policymaking is the principal target of Russian interest. The threat of corporate espionage is also growing, as sanctions have hampered Russian access to cutting-edge technology and the country is endeavouring to launch manufacturing operations in place of Western imports.

Even though Russia now also tops the agenda of public debate on cyber espionage, it is not the only party that seeks to spy on Western countries. China has exceptionally substantial resources for cyber espionage, and there have been no significant changes in its activity. Its interests now include the security policy situation in Europe.

Russian intelligence services have extensive resources for cyber espionage

State-sponsored intelligence operations seek carefully selected secret information, so they have to select their targets in ways that differ from the approaches employed by common criminals. Intelligence services have access to substantially more time and resources than ordinary criminals, and also to more experienced operators and more versatile tools.

Russia seeks to focus its cyber operations precisely, and to determine the vulnerabilities of the target in advance. Intelligence services often do prior background work on the organisations and individuals that they select as targets. Cyber espionage is not always aimed directly at the target proper, but may instead focus on individuals who are close to the selected target person and on subcontractors of target organisations.

The methods of Russian cyber espionage vary, with operators applying such approaches as phishing messages, software vulnerabilities and supply chain attacks. Poor security practices, such as weak passwords, may also expose a target to hacking.

State-sponsored intelligence essentially seeks to evade detection so that information can be gathered for as long as possible. The perpetrators take pains to cover their tracks, and their operation is multi-staged and subtle. The connection evades the attention of security operations centres, and may originate from an address in the country concerned or in a third country.

Accessing an information source is nearly always the primary goal in cyber espionage. Sometimes systems can be quite strongly disturbed, leaving a large number of system log entries. Besides gaining access, the goal in such cases may be to demonstrate the intruder’s cyber capabilities and to serve as a deterrent to the target country.

Data security cannot depend on a single user

Organisations can substantially reduce risks by applying good data security practices. It is essential for system administrators to attend to data security continually, as they have prime responsibility for the security of their systems and of the data stored in them. It is also important to choose reliable suppliers and subcontractors.

Data security is an ongoing process. Software must be kept current with security updates. The monitoring capacity of the system should be maintained in order to detect whether anything unusual occurs. Log data should be collected systematically, as it helps in investigating whether a system has been compromised.

Administrators must construct systems that are able to withstand malicious activity. It can be very challenging for an ordinary person to recognise a professionally crafted phishing message, for example. Users should nevertheless take care to use strong passwords and two-factor authentication. It is also wise to exercise a healthy degree of caution regarding the senders of electronic communications and the attachments and links that are included in messages.

Public authorities provide support in data security work. Supo works with domestic and international partners to combat cyber threats. The most important Finnish partners of Supo in combating cyber threats include the National Cyber Security Centre, for which Supo also produces information. The website and networks of the Cyber Security Centre provide excellent instructions for improving system security.

The importance of managing cyber security throughout society can only increase.