Recent Cyber Events and Possible Implications for Armed Forces
A look at the trends from 2020 and towards the future
#8 – January 2021
About this paper
This paper is the collaborative view of NATO CCDCOE researchers highlighting the potential effects on the military of current events and of developments in cyberspace during 2020, based on publicly available information. It does not set out to be exhaustive. While the authors have made every effort to describe events from a perspective relevant to NATO and partner nations, there may be national and regional differences which this paper does not address.
The authors of this paper are independent researchers at the NATO CCDCOE; they do not represent NATO, nor does this paper reflect NATO’s position. The aim of the paper is not to replace information about vulnerabilities and incidents provided by CSIRTs and providers of CIS products and services.
1. 2020 ends with a massive supply chain attack
In December 2020, several US government agencies were breached by a software supply-chain attack. The operation, which was initially launched as early as March 2020, clearly shows how a breach of a trusted supply chain can affect a large number of targets and how an advanced adversary can operate undetected for a long time.
The full scope of the breach is still unfolding, but it is clear that a backdoor dubbed SUNBURST had been installed in thousands of networks. Research from FireEye and Microsoft indicates that about 50 organisations had been targeted and seriously affected, including Microsoft and several US government agencies. The number of targets may exceed 250 organisations. The number severely affected still remains low relative to the large number of infections, but this is most likely the result of the actor behind the attack selecting which targets to attack further. A joint statement released on 5 January states that ‘fewer than 10’ US government agencies were compromised.
The extent and method of the attack should be a cause for concern for military organisations, given military dependence on civilian institutions for the operation and maintenance of their ICT infrastructure.
In some ways, the attack is reminiscent of the NotPetya attack in 2017, which used updates for a software package commonly used in Ukraine as the vehicle to get malware into the target systems. In the current case, the vehicle was the update chain of the network management software SolarWinds Orion. The objective seems to have been espionage rather than to disrupt operations, although the backdoor may provide a future opportunity to exploit the vulnerability.
Several sophisticated techniques, both to evade detection and to move laterally in compromised networks, have been found. These also allowed the adversary to maintain a persistent presence in the networks. This indicates that an advanced, probably state-backed actor is behind the compromise. This sophisticated attack is widely thought to be tied to Russia, with the group APT29, also known as ‘Cozy Bear’, being named in some reports. Russia has denied responsibility for the attacks.
The security of the supplier’s software update mechanisms seems to have been lacking. Reports suggest a weak password may have allowed access to the update servers. Better mechanisms to assess the security of the software supply chain are clearly needed. It is not feasible for every customer of a supplier to