A highly sophisticated multi-year cyber attack targeting Finland’s diplomatic communications is likely to have been replicated against other EU and Western countries.
Finland's Ministry for Foreign Affairs (MFA) has been subjected to a sophisticated and successful cyber attack aimed at extracting political intelligence over several years, which is likely also to have affected other EU states. The breach of the MFA's data network was already under investigation following its discovery earlier this year, but a leak to Finnish media forced the government to go public on the extent of the security violations earlier than intended. The nature of the attack suggests that, while Finland is the first to make such a public announcement, government agencies and corporations across the EU and beyond may follow suit.
The attack has been described as an advanced persistent threat (APT) infiltration similar to, but more advanced than, the Red October cyber espionage network reported by Kaspersky Lab back in January. Red October had a wide distribution, affecting a large number of different corporate, scientific and government targets in Europe, North America and Central Asia over several years. It was designed to harvest political intelligence including sensitive documents, credentials to access classified computer systems, and data from personal mobile devices and network equipment. In the fast-moving and unpredictable world of cyber conflict, new tools and weapons are commonly given a name by the cyber security laboratory that first deconstructs and describes them after they are discovered.
As yet, nobody apart from the Finnish government is admitting to having identified this new and sophisticated cyber threat, which means it is not yet clear what makes it more advanced than Red October. The target of the most recent cyber infiltration appears to have been MFA systems with external connections, including in particular communications with other EU states. Finnish officials have referred to diplomatic reporting being compromised, but said no highly classified information on internal networks was affected.
The MFA's data network had been subjected to this new and highly sophisticated cyber operation for an estimated three to four years before the attack was detected earlier this year. The discovery was kept confidential in the interests of the continuing investigation. Finnish Defence Ministry sources say unofficially that Finland was tipped off to the attacks in a warning from a foreign partner, thought to be Sweden's FRA signals intelligence agency. According to the MFA's Chief Information Officer Ari Uusikartano, ‘a number of other [states] face the same challenge [...] It is highly possible all victims still haven’t learned they are victims of this attack.’ It follows that Finland's partners and allies are likely to be urgently reviewing their network defences in the light of the new threat information, and preparing to limit both the damage resulting from the security breach itself, and the political embarrassment that networks and systems that ought to be kept secure were not.
The targeting Finland’s communications with other EU nations confirms the most recent annual report by Supo, the Finnish police department responsible for counter-intelligence, which noted an increasing level of intelligence activity against the country and that its international relations, including with the EU and NATO, were ‘key targets for political intelligence’. Although the Supo report made no mention of Russia, any potential for closer relations between Finland and NATO in particular is an obvious topic of priority interest for Russia’s intelligence services.
The infiltration highlights one of the key problems of cyber attacks, that of confidently stating who is the perpetrator. Officially, nobody in Finland is laying blame, other than saying that the attacks were the work of a foreign intelligence service. As noted by Ari Uusikartano, in order to make accusations, ‘we should be able to have total confidence on the origins of the attacker’. Such total confidence is unlikely to be achieved. The ease with which designers of a cyber-weapon can mask their identities or impersonate third parties and the difficulty of tracing back how precisely the weapon was delivered to its target combine to make public pointing of fingers extremely rare. For as long as diplomatic sensitivities require overwhelming proof of guilt of offensive cyber activity, accusations directed against Russia, or any other country, are unlikely to receive public official endorsement.
The disclosure of the attacks by Finnish media embarrassed the government and apparently caught other interested agencies unprepared. The decision not to report the attacks promptly has irked Finland’s politicians and officials. No other government has yet acknowledged being compromised or targeted by the same attack method. But the comparisons already drawn with the Red October exploitation system, and comments by Finnish officials on the international nature of the targeting, suggest that the Finnish MFA may be just the first of an extensive range of compromised networks to be publicly admitted. More announcements of data breaches at government and corporate bodies across the EU may well follow; information security officers throughout Europe will no doubt be reviewing the security of their own networks against the new threat, and working hard to limit any potential damage.
To comment on this article, please contact Chatham House Feedback