Recent Cyber Events and Possible
Implications for Armed Forces
#7 – November 2020
About this paper
This paper is the collaborative view of NATO CCDCOE researchers highlighting the potential effects
on the military of current events and of developments in cyberspace during the previous month,
based on publicly available information. It does not set out to be exhaustive. While the authors have
made every effort to describe events from a perspective relevant to NATO and partner nations, there
may be national and regional differences which this paper does not address.
The authors of this paper are independent researchers at the NATO CCDCOE; they do not represent
NATO, nor does this paper reflect NATO’s position. The aim of the paper is not to replace information
about vulnerabilities and incidents provided by CSIRTs and providers of CIS products and services.
1. Targeted threats against the
military and national security
Cyber conflict in Nagorno-Karabakh
‘It’s the worst outbreak of violence related to
Nagorno-Karabakh since Armenia and
Azerbaijan, two former Soviet republics,
fought a war over the enclave in the 1990s.
And this time, hacking has come with the
fighting.’ (CyberScoop, 6 October 2020)
Tensions over the territory of Nagorno-
Karabakh are decades old. Recently the
situation has flared up into violent conflict. As
is commonplace in the modern era, a spillover
into cyberattacks and information campaigns
from both sides accompanies the kinetic action. In
most cases, this activity involves defacing internet
pages and supporting information operations.
Attacks targeted public and private institutions
in the energy industry.
Sophisticated cyberattacks have been
employed in this conflict. One example is
PoetRAT malware which targets government
and critical infrastructure sectors. According to
Cisco Talos, actors have modified PoetRAT
malware, showing increased capacity and
maturity. PoetRAT was reportedly used
against Azerbaijan previously and continues to
be used during the current campaign. New versions of
PoetRAT are said to target the Azerbaijani
public sector by using malicious Microsoft
Word documents. This allows specific individuals
to be targeted through spear-phishing to
collect intelligence. Overall, the campaigns
using PoetRAT seem to be efficient and to
have given the cyber actors access to
sensitive information.

BBC: Nagorno-Karabakh: The Armenian-Azeri ‘information wars’
Cisco Talos Blog: PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors

What it means:
1. Cyber operations are part and parcel of kinetic
military campaigns. Their tactical use is still in
its infancy, while their use for strategic and
operational objectives is real and promising.
2. If proper tools for malicious activity are
employed, it will be easier and quicker to use
them within military campaigns. This also shows
that a cyber campaign could be employed
more quickly and more efficiently to produce an
effect.
3. Recoding of malware is constant and follows
the KISS principle – ‘keep it simple, stupid’. A
campaign requires a thorough analysis of the
target and an understanding of the cognitive
domain to influence specified targets.
Cisco Talos Blog: PoetRAT: Malware targeting
public and private sector in Azerbaijan evolves