Srsly Risky Biz: NATO's Cyber Approach Needs Change
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Truffle Security.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Last week, The Grugq and I travelled to Estonia for CyCon, NATO CCDCOE's conference on Cyber Conflict. Our biggest takeaway from the conversations we had there is that NATO, unsurprisingly, is well prepared for one-off, large-scale military attacks. But it is failing to counter small, unremitting cyberattacks, and this needs to change.
NATO was created to deter the Soviet Union from military aggression. It still defines itself as a defensive alliance that can deliver a "resounding response" in the event of an unlikely but devastating Russian military attack.
Russian cyber operations, however, are continuous and conducted well below the threshold of armed conflict. Individual operations just aren't damaging enough to attract a robust response. These continuous aggressive incursions are favoured by states like Russia and China as a way to harass their adversaries during peacetime.
The Americans think the right way to respond to cyber campaigns is "persistent engagement". US Cyber Command says that under this framework "cyber operators constantly work to intercept and halt cyber threats, degrade the capabilities and networks of adversaries, and continuously strengthen the cybersecurity of the Department of Defense".
That's pretty much the opposite of NATO's prepare-to-strike-back-decisively paradigm.
Russia is taking advantage of this gap, sprinkling some cyber elements into its EU-focussed sabotage campaign. The campaign has resulted in real-world effects like fires at defence manufacturing plants and assassination plots. Despite the limited role of cyber operations in these attacks, the overwhelming vibe we got during CyCon was that NATO knows it must get better at contesting Russian cyber activities. It also knows it should respond with its own cyber operations.
One option here is for NATO to run more "hunt forward" operations in member states and to make this activity less US-centric. In these operations, a more capable partner is invited into a host country's networks to find and disrupt adversary activity. They were pioneered by US Cyber Command, which has spearheaded most of these actions over the last several years and has a track record of rooting out adversary malware.
But not all NATO countries trust the Americans with access to their sensitive networks. Even back in 2023, French General Aymeric Bonnemaison, then head of France's Cyber Defense Command, was concerned about these missions exposing host countries to US intelligence gathering. That feels like a lifetime ago and we don't imagine that events since then have given allies the warm fuzzies about US intentions.
So there are good reasons for some of the more cyber-savvy countries to run their own hunt forward programs within NATO. There is precedent for this: in 2023 the UK said that it had already conducted hunt forward operations of its own.
We also got the impression that there is the political appetite for a small number of NATO countries to engage in even more aggressive cyber operations. As for what to target? In our view, the most problematic activity affecting NATO countries is the Russian sabotage campaign we previously discussed. That campaign appears to be run by units within the GRU, Russian military intelligence.
Cyber operations are obviously not the only way to strike at this activity. There are lots of real-world actions that could also have an impact, such as sanctions, expulsions, and denying visa applications to spies. But we think throwing a bit of cyber-enabled disruption in the GRU's direction would be worthwhile.
NATO may not be the best organisation to rally a member state cyber campaign, given its history as an organisation built to deter real-world military conflict. But it is the security organisation that Europe already has, so it's time to make the best of it.
Commercial Location Data Used to Target US Soldiers
US military personnel in war zones have been targeted using commercially available geolocation data. We are totally unsurprised.
We've written many times about how the collection, collation, and sale of geolocation data is a national security risk for the United States and indeed any country exposed to America's digital advertising ecosystem.
Last week, we learned that US Central Command (CENTCOM) had admitted it has "received multiple threat reports concerning adversary exploitation of commercial location data to target or surveil US personnel in theater". CENTCOM's area of responsibility includes the Persian Gulf where the US has been fighting Iran.
This disclosure of geolocation-based targeting was contained in a letter to the Department of Defense (DoD) from a bipartisan group of legislators. It was provided to Reuters by Senator Ron Wyden.
The letter notes that:
Commercial location data can be used to identify where US troops congregate and their pattern of life, which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs, as well as for counterintelligence purposes.
That's a good description of some of the risks. The letter also says this is the first time the DoD has confirmed that commercial location data is being used to target US military personnel in a war zone.
That doesn't mean America's adversaries haven't already been using this data for other purposes. If Iran is doing this in wartime, you can bet that China is doing it in peacetime in its intelligence and counterespionage programs. Using commercial data in those types of activities is stealthy. Now that the USA is involved in a hot war, the consequences of this data being easily available are far more visible.
The DoD has policies designed to mitigate the risks posed by commercially available location data. They do not fill us with confidence. They talk about measures like disabling geolocation features and resetting Advertising IDs on work phones. That makes it harder to track individual devices over time, but Google itself acknowledges that, even without an Advertising ID, "persistent identifiers are still available".
It's not that policies like these are bad, so much as unrealistic. They're hard to implement and incomplete, especially given that service members and their families can also use personal phones.
One view of the internet is that it is a machine designed to track people across the planet in order to advertise to them. How effective can on-device options be when the broader ecosystem has tracking in mind and sites use techniques such as device fingerprinting that are designed to circumvent on-device protections?
Part of the solution will be good DoD policies with sensible defaults and better controls over end devices. But clamping down on the type and amount of data that can legally be collected and sold must be part of the solution.
Watch James Wilson and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Microsoft ditches SMS MFA: Microsoft is removing SMS as an authentication and account recovery option for personal accounts. The company said that SMS-based authentication was one of the most targeted vectors for account takeover and subverting it was now a leading source of fraud. Users will be prompted to create a passkey when signing in. Risky Bulletin has further coverage.
- Glassworm botnet disruption: CrowdStrike, in collaboration with Google and the Shadowserver Foundation, has taken down the botnet. Glassworm was a self-propagating, credential-stealing botnet that targeted developers and spread via malicious software packages. The disruption effort targeted the four different command and control channels that Glassworm used, which involved the Solana blockchain, BitTorrent, the Google Calendar service and VPS-hosted infrastructure. The Register has further coverage.
- IBM announces US$5 billion for open source software: IBM has announced an effort to find and fix vulnerabilities in open source software that it is calling Project Lightwell. It says the effort will involve 20,000 engineers assisted by AI tools.
Sponsor Section
In this Risky Business sponsor interview, Casey Ellis chats with Truffle Security’s founder and CEO Dylan Ayrey about the recent CISA secrets leak. Days after Brian Krebs ran the story, plenty of the exposed credentials were still live, including an admin-level GitHub app key with full rights over CISA’s org.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about the ways in which intelligence agencies are like cults.
Or watch it on YouTube!
From Risky Bulletin:
A tenth of all new domains last year were malicious: One in every ten new domains registered in 2025 was linked to malicious activity and was eventually added to one or more cybersecurity blocklists.
A total of 84,961,989 domains were created last year and 8,496,811 were later added to a blocklist, according to an Interisle report published on Monday.
Researchers believe the actual number of malicious domains may be double that, at around 16.8 million, with new domains expected to be blacklisted once they are deployed in operations in the wild later on.
[more on Risky Bulletin]
Russia greatly expands SORM surveillance requirements: The Russian government has greatly expanded the amount of personal and technical data that mobile operators and internet service providers must collect from their customers and share with state authorities.
This data collection is part of a surveillance system used in Russia named SORM, which stands for the System for Operative Investigative Activities. SORM works through special equipment installed at local telcos that collects data on the company's traffic and uploads it to a government database where the police and intelligence services can query it for their investigations.
Over the years as networking equipment has become more powerful, SORM has been slowly updated with new collection rules that telcos must comply with or face a fine.
[more on Risky Bulletin]
Dutch police take down giant botnet of 17 million devices: Dutch authorities have conducted one of the largest-ever malware disruptions and taken down a botnet that infected more than 17 million devices across the world.
The botnet was made up of computers, tablets, and smartphones that had been used to send out spam emails, phishing lures, and carry out DDoS attacks.
Dutch Police and the country's national cybersecurity agency seized more than 200 servers at a local provider, servers that had been used to grow and control the botnet.
[more on Risky Bulletin]