Electronic Weapons: Russian Cyber War Against Germany


November 2, 2025: Earlier this year, Russia hired or simply encouraged German-based criminal hackers to engage in activities that hampered, or just discouraged, German support for Ukraine in its battles against Russian invaders. NATO officially and financially supports Ukraine. The German military/Bundeswehr

Western intelligence agencies believe Russia recently tried, and failed, to take control of Romanian security cameras. Since Russia invaded Ukraine in 2022, its Cyber War unit 26165 has been hard at work all over Europe. NATO investigators have discovered more than 10,000 hacked internet addresses. The goal was to tap into surveillance cameras so that NATO movements of troops and supplies could be monitored. Romania has a 650-kilometer border with Ukraine, and its ports use Chinese surveillance cameras. These have been banned by the U.S. and European countries because of security concerns. The Romanian government pointed out that it played no role in the deployment of those cameras. Nevertheless, the Romanians are looking into it.

Western nations have had similar problems for over a decade. In 2014 a new team of hackers was identified. This one had been concentrating on finding and taking political, diplomatic and military data from NATO nations involved in opposing Russian aggression in Ukraine. This group, called APT28, was identified as Russian by numerous patterns in its code, some of which was left behind or otherwise captured. These made it clear that the creators were Russian speakers, were working somewhere in the same time zone as Moscow, and were using software techniques known to come from Russia, meaning hacker tools that are for sale on the black market. Moreover, the data being sought would mainly benefit the Russian government. This sort of attack was showing up with increasing frequency and accuracy.
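The "same time zone as Moscow" clue above is the kind of thing an analyst derives from timestamps (compile headers, command server logs, commit times) rather than from the code itself. The following added example, which is not from the article or any of the firms it names, shows the usual method on a constructed sample: slide the timestamps through every candidate UTC offset and see which offset puts the most activity inside a normal working week. The sample timestamps, the 09:00-18:00 working window and the assumption that the timestamps come from one intrusion set are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample (not real data): UTC timestamps hypothetically pulled from
# compile headers or server logs attributed to a single intrusion set.
SAMPLE_TIMESTAMPS_UTC = [
    "2014-10-06T06:12:00Z", "2014-10-06T09:40:00Z",  # Monday
    "2014-10-07T07:05:00Z", "2014-10-07T13:55:00Z",  # Tuesday
    "2014-10-08T08:30:00Z", "2014-10-08T14:45:00Z",  # Wednesday
    "2014-10-09T10:20:00Z", "2014-10-09T12:10:00Z",  # Thursday
    "2014-10-10T06:50:00Z", "2014-10-10T11:35:00Z",  # Friday
    "2014-10-13T14:20:00Z", "2014-10-13T08:05:00Z",  # Monday
]

# Assumed working window (local time): 09:00 inclusive to 18:00 exclusive, Mon-Fri.
WORKDAY_START_HOUR = 9
WORKDAY_END_HOUR = 18


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def workday_score(timestamps, offset_hours: int) -> float:
    """Fraction of timestamps that fall inside the working window when
    interpreted in a zone offset_hours ahead of UTC."""
    zone = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in timestamps:
        local = parse_utc(ts).astimezone(zone)
        if local.weekday() < 5 and WORKDAY_START_HOUR <= local.hour < WORKDAY_END_HOUR:
            hits += 1
    return hits / len(timestamps)


def infer_utc_offset(timestamps, offsets=range(-12, 15)):
    """Return (best_offset, {offset: score}). Ties are broken toward the
    offset closest to UTC so the result is deterministic."""
    scores = {off: workday_score(timestamps, off) for off in offsets}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores


def local_hour_histogram(timestamps, offset_hours: int) -> Counter:
    """Hour-of-day histogram in the chosen zone, useful for eyeballing
    a lunch dip or an evening tail that the score alone hides."""
    zone = timezone(timedelta(hours=offset_hours))
    return Counter(parse_utc(ts).astimezone(zone).hour for ts in timestamps)


if __name__ == "__main__":
    best, scores = infer_utc_offset(SAMPLE_TIMESTAMPS_UTC)
    print(f"best fit: UTC{best:+d} (score {scores[best]:.2f})")
    for off in (best - 1, best, best + 1):
        print(f"  UTC{off:+d}: {scores[off]:.2f}")
    print("hours at best fit:", sorted(local_hour_histogram(SAMPLE_TIMESTAMPS_UTC, best).items()))
```

On the constructed sample the best fit is UTC+3, Moscow's offset. Two caveats a practitioner would add: a dozen timestamps is far too few for a real attribution, and compile timestamps are trivially forged, so this signal is only ever one of several.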

Over the last decade Internet security firms, especially Kaspersky Labs, FireEye and Symantec, have developed better tools for identifying the hacker organizations responsible for some of the large-scale attacks on business and government networks. For example, in 2013 a Chinese group called Hidden Lynx was identified. It appeared to contain 50-100 hackers, each identified by their coding style and other clues. This group was believed largely responsible for a large-scale espionage campaign called Operation Aurora that was still active. The APT28 campaign, on the other hand, was quite recent and coincided with Western efforts to halt Russian attacks on Ukraine.

Internet security firms also support their clients by identifying and describing major malware. This is software created by hackers for penetrating and stealing from target systems. For example in 2013 Kaspersky Labs discovered a stealthy espionage program called NetTraveler. This bit of malware had been secretly planted in PCs used by diplomats and government officials in over 40 countries. Also hit were oil companies and political activists opposed to China. Dissection of NetTraveler indicated it was created by about fifty different people, most of them Chinese speakers who knew how to program in English.

Kaspersky also discovered a similar bit of malware, named Red October because it appeared to have been created by Russian-speaking programmers. Red October was a very elaborate and versatile malware system. Hundreds of different modules have been discovered, and Red October has been customized for a large number of specific targets. Red October was found in the PCs and smartphones of key military personnel in Eastern Europe, Central Asia, and dozens of other nations including the U.S., Australia, Ireland, Switzerland, Belgium, Brazil, Spain, South Africa, Japan, and the UAE. The Red October Internet campaign had been going on at least since 2008, seeking military and diplomatic secrets. As a result of this discovery Internet operators worldwide shut down the addresses Red October depended on.

Red October does not appear to be the product of some government intelligence agency and may be from one of several shadowy private hacker groups that specialize in seeking out military secrets and then selling them to the highest bidder. The buyers of this material prefer to remain quiet about obtaining secrets this way. In response to this publicity, the operators of Red October apparently shut down the network. The Russian government ordered the security services to find out if Russians were involved with Red October and, if so, to arrest and prosecute them. Russia has long been a sanctuary for Internet criminals, largely because of poor policing and corruption. It may well turn out that the Red October crew is in Russia and has paid off a lot of Russian cops in order to avoid detection and prosecution. To date, the operators of Red October have not been found.

South Korea has been subjected to a growing number of Cyber War attacks and some of them were quite damaging. In the last year South Korean security researchers concluded that nearly all these attacks were the work of one group from North Korea, which has threatened Cyber War attacks but not taken credit for them. This is typical of most North Korean attacks, both conventional and now over the Internet.

What most of these large-scale attacks have in common is the exploitation of human error. A case in point is the continued success of attacks via the Internet against specific civilian, military, and government individuals using psychology rather than just technology. This sort of thing is often carried out in the form of an official-looking email, with a file attached, sent to people at a specific military or government organization. It is usually an email they weren't expecting, but from someone they recognize. This is known in the trade as spear phishing.

This is a Cyber War technique that sends official-looking email to specific individuals with an attachment which, if opened, secretly installs a program that sends files and information from the recipient's PC to the spear phisher's computer. Since 2012 an increasing number of military, government, and contractor personnel have received these official-looking emails with a PDF document attached and a request for prompt attention.
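The two paragraphs above list exactly the signals a mail gateway can score before a recipient ever opens the attachment: a familiar name on an unfamiliar address, a lookalike domain, urgency language, and a document or executable attachment. The following added example, not from the article, is a small triage scorer that turns those signals into a score and a list of reasons. The address book, trusted domain, threshold and three sample messages are constructed for illustration.

```python
import os
from dataclasses import dataclass, field

# Constructed address book and trusted domain (hypothetical, not real).
KNOWN_CONTACTS = {
    "Col. J. Smith": "jsmith@example.mil",
    "Logistics Office": "logistics@example.mil",
}
TRUSTED_DOMAINS = {"example.mil"}
URGENCY_WORDS = ("urgent", "immediate", "prompt", "action required", "today")
DOCUMENT_EXTENSIONS = {".pdf", ".zip", ".docm", ".xlsm"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta"}
FLAG_THRESHOLD = 4  # assumed cut-off for routing a message to human review


@dataclass
class Message:
    display_name: str
    from_addr: str
    subject: str
    attachments: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains (examp1e.mil, exarnple.mil)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(msg: Message):
    """Return (score, reasons). Higher means more spear-phishing indicators."""
    score, reasons = 0, []

    # Familiar display name, but the address is not the one on file.
    expected = KNOWN_CONTACTS.get(msg.display_name)
    if expected and expected.lower() != msg.from_addr.lower():
        score += 3
        reasons.append(f"display name '{msg.display_name}' but address is {msg.from_addr}")

    # Sender domain that is not trusted yet is within two edits of a trusted one.
    domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    if domain not in TRUSTED_DOMAINS:
        close = [d for d in TRUSTED_DOMAINS if levenshtein(domain, d) <= 2]
        if close:
            score += 2
            reasons.append(f"domain {domain} resembles trusted domain {close[0]}")

    # "Prompt attention" pressure in the subject line.
    if any(word in msg.subject.lower() for word in URGENCY_WORDS):
        score += 1
        reasons.append("urgency language in subject")

    # Attachment types that routinely carry the payload.
    for name in msg.attachments:
        lower = name.lower()
        ext = os.path.splitext(lower)[1]
        if ext in EXECUTABLE_EXTENSIONS:
            score += 2
            reasons.append(f"executable attachment {name}")
            if lower.count(".") >= 2:  # e.g. invoice.pdf.exe
                score += 3
                reasons.append(f"double extension on {name}")
        elif ext in DOCUMENT_EXTENSIONS:
            score += 2
            reasons.append(f"document attachment {name} is a common lure format")
    return score, reasons


def triage(messages):
    """Score every message and mark those at or above the threshold."""
    out = []
    for msg in messages:
        score, reasons = score_message(msg)
        out.append({"subject": msg.subject, "score": score,
                    "flagged": score >= FLAG_THRESHOLD, "reasons": reasons})
    return out


# Constructed sample traffic: one legitimate message and two lures.
SAMPLE_MESSAGES = [
    Message("Col. J. Smith", "jsmith@example.mil", "Q4 training schedule", ["schedule.xlsx"]),
    Message("Col. J. Smith", "j.smith@examp1e.mil",
            "URGENT: review attached orders before COB today", ["orders.pdf"]),
    Message("Accounts Payable", "ap@exarnple.mil", "Invoice attached", ["invoice.pdf.exe"]),
]

if __name__ == "__main__":
    for result in triage(SAMPLE_MESSAGES):
        flag = "FLAG" if result["flagged"] else "ok  "
        print(f"{flag} {result['score']:>2}  {result['subject']}")
        for reason in result["reasons"]:
            print(f"         - {reason}")
```

The weights are deliberately simple so the reasons stay explainable to the analyst who reviews the flagged mail; a real gateway would add sender-authentication results (SPF, DKIM, DMARC) and attachment sandboxing on top of this.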

China has been a major user of spear phishing, and apparently the Chinese government and independent Chinese hackers have been a major force in coming up with new spear phishing payloads. The methods, and source, of many spear phishing attacks have been traced back to China. Cyber War hackers there have become easier to identify because they have been getting cocky and careless. Internet security researchers have found identical bits of source code (the readable text programmers write, which is then compiled into compact binary code for computers to run) both in hacking software used against Tibetan independence groups and in commercial software sold by some firms in China that are known to work for the Chinese military. Similar patterns have been found in hacker code left behind during attacks on American military and corporate networks. The best hackers hide their tracks better than this.
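The "identical bits of code" finding above rests on a routine comparison: strip out the artifacts every Windows binary shares, then measure how much of what remains two samples have in common. The added example below, not from the article, does that with Jaccard similarity over sets of extracted artifacts (strings, mutex names, format strings). The three samples and the list of common artifacts are constructed; the point it demonstrates is that filtering shared library noise is what makes the overlap between two related samples stand out.

```python
from itertools import combinations

# Artifacts nearly every Windows executable contains; they carry no attribution
# signal and only inflate similarity between unrelated samples (constructed list).
COMMON_ARTIFACTS = {
    "kernel32.dll", "ntdll.dll", "user32.dll", "GetProcAddress",
    "LoadLibraryA", "CreateMutexW", "ExitProcess", "ProductName",
}

# Constructed artifact sets, as if extracted with a strings tool from three
# binaries: A (a hypothetical espionage sample), B (a hypothetical commercial
# monitoring product), C (an unrelated sample). None of these are real samples.
SAMPLES = {
    "sample_A": {
        "kernel32.dll", "GetProcAddress", "CreateMutexW",
        "Global\\tb_upd_v2", "%s\\tmp\\upd.log", "cfg_srv=%s:%d",
        "rc4_init", "xor_key_0x5a", "doc_list.dat",
    },
    "sample_B": {
        "kernel32.dll", "GetProcAddress", "CreateMutexW",
        "Global\\tb_upd_v2", "%s\\tmp\\upd.log", "cfg_srv=%s:%d",
        "rc4_init", "xor_key_0x5a", "license.key", "MonitorPro v3",
    },
    "sample_C": {
        "kernel32.dll", "GetProcAddress", "CreateMutexW", "ProductName",
        "Global\\svc_inst", "updater.log", "http://[placeholder]/u", "base64_enc",
    },
}


def rare_artifacts(artifacts):
    """Drop the artifacts that any binary would have."""
    return {a for a in artifacts if a not in COMMON_ARTIFACTS}


def jaccard(a, b) -> float:
    """Set overlap: |a ∩ b| / |a ∪ b|, 0.0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similarity_matrix(samples, filter_common=True):
    """Pairwise Jaccard similarity, keyed by (name_x, name_y)."""
    sets = {name: (rare_artifacts(s) if filter_common else set(s))
            for name, s in samples.items()}
    return {(x, y): jaccard(sets[x], sets[y]) for x, y in combinations(sets, 2)}


def shared_rare_artifacts(samples, x, y):
    """The concrete overlap an analyst would cite as evidence of code reuse."""
    return rare_artifacts(samples[x]) & rare_artifacts(samples[y])


if __name__ == "__main__":
    raw = similarity_matrix(SAMPLES, filter_common=False)
    filtered = similarity_matrix(SAMPLES)
    for pair in filtered:
        print(f"{pair[0]} vs {pair[1]}: raw {raw[pair]:.2f}, filtered {filtered[pair]:.2f}")
    print("A/B shared rare artifacts:", sorted(shared_rare_artifacts(SAMPLES, "sample_A", "sample_B")))
```

With the common artifacts removed, A and B share five of eight distinct rare artifacts (0.625) while A and C share none, whereas the unfiltered numbers give A and C a misleading non-zero score purely from library imports. Production tooling does the same thing at larger scale with function-level hashes and import tables, but the filtering step is the same.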

It's also been noted that Chinese behavior is distinctly different from that encountered among East European hacking operations. The East European hackers are more disciplined and go in like commandos and get out quickly once they have what they were looking for. The Chinese go after more targets with less skillful attacks and stick around longer than they should. That's how so many hackers are traced back to China, often to specific servers known to be owned by the Chinese military or government research institutes.

The East Europeans have been at this longer, and most of the hackers work for criminal gangs, who enforce discipline, select targets, and protect their hackers from local and foreign police. The East European hacker groups are harder to detect when they are breaking in and much more difficult to track down. Thus the East Europeans go after more difficult and lucrative targets. The Chinese hackers are a more diverse group. Some work for the government, many more are contractors, and even more are independents who often slip over to the dark side and scam Chinese victims. This is forbidden by the government, and these hackers are sometimes caught and punished, or simply disappear. The Chinese hackers are, compared to the East Europeans, less skilled and disciplined. There are some very, very good Chinese hackers, but they often lack adult supervision or some Ukrainian gangster ready to put a bullet in their head if they don't follow orders exactly.

For Chinese hackers that behave and don't do cybercrimes against Chinese targets, the rewards are great. Large bounties are paid for sensitive military and government data taken from the West. This encourages some unqualified hackers to take on targets they can't handle. This was seen when a group of hackers was caught trying to get into a high-security network in the White House. This was the network dealing with emergency communications with the military and nuclear forces. These amateurs are often caught and prosecuted. But the pros tend to leave nothing behind but hints that can be teased out of heavy use of data mining and pattern analysis.

The U.S. Department of Defense tries to keep track of countries that have established Cyber War organizations, or just capabilities. Germany joined the ranks of countries with a formal Cyber War organization when it put together a Cyber War unit. It is small, with fewer than a hundred personnel, but Germany has a large number of Internet technology experts, and many civilian resources for a Cyber War unit to draw on.

Many of these Cyber War capable nations are trying to develop tools and techniques for attacking American military and civilian targets, via the Internet, in the future. In some respects, these Cyber Wars have already begun. In the last few years, the number of intrusion attempts on Department of Defense computers has grown to over 500 a day. The actual increase may be less than that, because as the Department of Defense increases its Internet defenses, it becomes better able to detect intrusion attacks. The number of intrusions that succeed, or at least the ones that were discovered, has been going down. But even a few successful intrusions can result in the loss of enormous amounts of valuable data.

A lot of information on the Cyber War against the United States is kept secret, since if the attackers know which of their operations are being observed, or even known about, they will take steps to get their work back into the shadows. Half the battle in Cyber War is knowing you are being attacked. The best attacks, especially to steal information, or set up monitoring programs, work best, if at all, if they are undetected.

In the United States, the U.S. Air Force has taken the lead in developing Cyber War weapons. Air force hackers are usually the first to spot new enemy intrusion techniques, and are believed to have created powerful intrusion tools and techniques themselves. It's telling that intrusions of Department of Defense computers get publicized, while you hear little about such attacks made on other countries. It could be that the United States is not making as many intrusion attempts as known Cyber War users like Russia and China. Then again, most of these intrusion attempts go undetected whether they succeed or not.

Another reason for the large number of detectable attempts on Department of Defense computers is that the United States is the highest profile target for such attacks. The detectable attacks are often by amateurs, although some of these have been tracked back to government computer systems in Russia and China.

The U.S. Air Force has many electronic warfare aircraft, and access to U.S. electronic warfare satellites. The plan is to use all these resources in any future Cyber War, finding enemy vulnerabilities wherever and whenever, and exploit them as quickly as possible. With so much of the world's electronic communications going wireless, this gives the air force lots of opportunities. But until there's a war, the public won't know how extensive the American Cyber War arsenal is, and how effective it can be.

An air force attempt to take overall control of American Cyber War efforts, by establishing a large, 40,000-personnel Air Force Cyberspace Command/AFCYBER, did not succeed. This effort sought to combine Internet operations organizations with some of the older electronic warfare ones. All this upset the other services, who had their own Cyber War activities, and this opposition, together with Department of Defense resistance to overall air force management, led to AFCYBER's ambitions being sharply curtailed. AFCYBER is still out there, waiting for an opportunity to show the Department of Defense, and the rest of the world, what it is capable of.