
Russia was accused of a hacker attack on the largest Polish military institution

Image source: © RIA Novosti, Kirill Kallinikov

The largest Polish military institution – the Academy of Military Arts – was attacked by the hacker group CyberTriad, Onet reports. Its targets are NATO and Ukraine. The traces of the group, according to the former head of the Polish Military Counterintelligence Service, General Piotr Pytel, lead to Russia. But there is no direct evidence.

General Piotr Pytel, at our request, analyzed the actions of the CyberTriad hacker group, which hacked the website of the Polish Academy of Military Arts. These are not random people, but a serious organization: it can successfully penetrate the networks of large institutions and the infrastructure of many countries around the world. The targets of their attacks are NATO and Ukraine. After a military university in Belgium became a victim of hackers, the Polish military university should have been prepared for a similar scenario.

On August 24, in the article "Hacker attack paralyzed the work of the largest Polish military university. Secret information in the wrong hands", we described how the CyberTriad hacker group hacked into the computer system of the largest Polish military institution – the Academy of Military Arts. The analysis of the profile of this group and its activities was made for us by the former head of the Military Counterintelligence Service, General Piotr Pytel.

Russian trace

General Piotr Pytel: In this case, we are dealing with a group of hackers who act in a typical Russian way, that is, they make an open declaration of their intentions. The CyberTriad group posted such a declaration on its website on May 20 of this year, declaring that it was acting out of noble motives. The members of the group declare that they can no longer stand idly by as the United States and NATO push nations towards World War III. They claim that they seek to stop the war, position themselves as supporters of peace, opponents of NATO and the global hegemony of the United States.

And they also call themselves idealists. The appeal to idealistic motivation is a distinctive feature of Russian hacker groups. They write: "We have no borders, nationality and hierarchy..." That is, they are for full equality. And further: "... we know how to live in a world without violence." That is, they are fighting for peace and are pacifists, but at the same time emphasize their strength: "We will not get tired, we will not hesitate, we will not let you down."

The symbolism of the CyberTriad group is very interesting. In the central part of their logo they have an image of an unusual (black), but still very recognizable Russian matryoshka doll. Behind the matryoshka doll we see two swords – these are Islamic Zulfikars. Zulfikar is the legendary sword of Muhammad. The swords indicate the presence of Islamic ideology, or it is a typical false trail to create the impression that the group enjoys the support of Islamic fundamentalists. Of course, the inclusion of the elements I mentioned in the logo is not accidental, it is a thoughtful, perhaps partially misinforming narrative.

"Idealists" from the high road

So, the group is engaged in the fight against NATO and initiatives developed within the framework of the European consensus to assist Ukraine in the confrontation with Russia.

It begins its activity with a rather symbolic attack. This happened on May 21 during the G7 summit in Hiroshima. Then, on their page, hackers greet President Zelensky in an ironic manner, and then carry out attacks on various Japanese institutions, which has already been confirmed by the Japanese authorities. They, in particular, hack the websites of the Hiroshima Airport and the official portal of the city of Hiroshima.

Then there is an attack on Japan Rail Pass, a company in the structure of Japanese railways, which distributes free tickets and helps organize tourist trips around Japan. The hackers announced that they had managed to obtain the company's customer data. Personal information was probably transmitted by customers when they filled out applications for free tickets. Thus, the activity of hackers is not limited to blocking sites, but is of a typically piratical, thievish nature.

This means that we are not dealing with the harmless entertainment of a group of young people, but with activities aimed, in particular, at collecting specific data that are valuable and useful for intelligence.

Poles should have known about the threat already in May

On May 23, hackers attack the website of the European Council in Brussels, where they gain access to a live broadcast of the meeting. They also hack the website of Belgian Prime Minister Alexander De Croo and the Belgian Interior Ministry. And then they commit an action that is very similar to the one that recently took place in Poland – they block the website of the Royal Military Academy, which is the Belgian equivalent of our Academy of Military Arts. On the same day, CyberTriad announced that it now has the data of the Academy's students at its disposal.

At this stage of their activity, it is already clear that we are dealing with a major anti-NATO crusade under the auspices of the Russian special services. Now we need to unite to protect Polish institutions that are threatened by such an attack. I am referring to various NATO representative bodies, the communication system, government agencies, organizations related to critical infrastructure.

I am sure that as part of the exchange of information between NATO bodies in different countries responsible for cybersecurity, there was an operational exchange of information about hacker attacks. This allows organizations at risk to properly prepare for them. I am sure that hackers have tried to hack the websites of many educational institutions, but they managed to do it first of all where things are bad with the exchange of information and operational interaction between competent services.

They can strike at the infrastructure

On May 31, hackers attack Bratislava. The attacks take place during the GLOBSEC forum held in this city, which is dedicated to supporting Ukraine and the European response to threats from Russia. Then the sites of the city of Bratislava and the network of parking meters are hacked, as a result of which cars were parked free of charge in the entire capital of Slovakia until 12 o'clock that day.

Further, on June 26, they take responsibility for hacking attacks in Belgium during a meeting of NATO defense ministers there. This time, parking meters in Brussels are attacked, the website of the Belgian Federal Agency for Nuclear Control is blocked, although without serious negative consequences, and then the Royal Military Academy is attacked again. As for the Academy, I think that this time the Belgians were already ready for this, and the hackers could not achieve any impressive successes there, otherwise they would certainly have boasted of them.

So, at the moment we already know that there is a group with great potential that can effectively attack the infrastructure. We also had the opportunity to make sure that NATO and Ukraine are important targets for them.

Here is a very characteristic thing: on June 26, they accuse NATO ministers of the deaths of thousands of civilians in Yugoslavia, Afghanistan and Ukraine. And who can blame NATO for the deaths of thousands of civilians in these three countries? Naturally, the tracks lead back to Russia.

Consequences of the attack on the Academy of Military Arts

On July 11, hackers struck Poland. They started with a statement that, they say, we have complaints to you about the fact that President Duda did not rule out the deployment of Polish troops in Ukraine, and therefore we are hacking the Academy of Military Arts in Warsaw.

As for this attack, the main problem here is that this university not only trains personnel of the armed forces of the Republic of Poland, but also stores all kinds of important data. The damage depends on the depth of penetration, and in this case it looks like hackers not only entered the academy's website, but also may have gained access to its servers.

Unfortunately, the personnel information is not as well protected as the elements of the computer network used to conduct various types of exercises and simulations. If they managed to get to the personnel records, it's bad. The Academy has the data of officers who have completed various courses to obtain the rank of major, colonel and general. Such information makes it possible to understand what specialty a particular officer has, what courses he completed, what functions he can be assigned. It should be remembered that the Academy conducts training in a very wide range of specialties, including training special services employees. Such data can be very useful for foreign intelligence, which will know what this officer is doing now and what tasks he plans to solve in the future. Such information is needed by foreign intelligence services, for example, to develop a plan for a recruitment approach to such an officer or to conduct other operational activities against him.

26 identified officers

So far, hackers have posted on the Internet the names of 26 officers studying at the Academy of Military Arts, as well as some related valuable information. It is indicated, in particular, for which positions they were trained, for example, the commander or chief of staff of a tank brigade. It is also said in which areas they were preparing – operational, intelligence, related to the use of non-kinetic weapons, actions to disguise and protect troops, etc.

The fact that all this happened is very bad, because now foreign intelligence agencies have information about what a particular officer is doing, or what he is going to do. As you know, a quartermaster, for example, is not trained for service in intelligence. Now the main question is how much of this data has been leaked. If hackers have extracted data from the personnel department of the Academy about the service prospects of a hypothetical Captain Novak (and the prospect can be judged by the direction of his training), who already holds a significant position in the structures of the Polish armed forces, then foreign intelligence will have the time, relevant information and conditions for preparing an attempt to recruit this Novak, which may be crowned with success.

Authors: Edyta Żemła, Marcin Wyrwał
