NATO troops stationed near the Russian border have reported that Russian hackers are targeting their smartphones to “gain operational information, gauge troop strength, and intimidate soldiers,” the Wall Street Journal said in a report Wednesday.
The report paints a disturbing picture of the current state of information warfare, long assumed to be an area where Western forces hold a decisive advantage. The campaign waged against NATO forces in Poland and the Baltic states involved advanced ground-based equipment and aerial drones, making it much too sophisticated to be the work of civilian hackers.
An American soldier quoted by the WSJ said the intruders penetrated his phone deeply enough to geolocate him – obviously a matter of great concern for a soldier in the field – and were working on punching through the deeper layers of password protection on sensitive data on his phone. The intrusion was traced to a Russian IP address.
Other troops reported contact data was raided from their phones and, in some cases, erased by the intruders, which could be interpreted as either annoying harassment or a disturbing demonstration of what enemy cyber-espionage can do. Erasing data implies the intruders might be capable of planting false data in targeted devices, which could be devastating in a military situation.
The strangest accounts from the Wall Street Journal piece involve people who were likely Russian agents approaching military personnel in public places and disclosing personal information that was presumably gleaned from their cell phones in an obvious intimidation tactic.
“Western officials said infiltrated cell phones could be used to create confusion on the battlefield and slow NATO’s response to an invasion by sending out false instructions. A compromised phone, they said, could even be used to pick up sensitive information if a soldier brought it into a military command post,” writes the New York Post, concisely summarizing the threat.
Mindful of these dangers, commanders in the affected NATO units took severe measures to control the smartphone problem. Some soldiers were instructed to pull the SIM cards from their phones, disable location services that could be used to track their positions, and restrict Internet use to designated safe areas. Estonian troops were instructed to jump in lakes while conducting operations to ensure they were not carrying potentially compromised cell phones. The Estonians responded by wrapping their cell phones in condoms to prevent water damage.
“Russia has always sought to target NATO servicemen for intelligence exploitation. But such a campaign of harassment and intimidation is unprecedented in recent times,” Chatham House Associate Fellow Keir Giles told the Wall Street Journal.
Deutsche Welle talked with a Lithuanian Defense Ministry spokesperson who noted Lithuania has experience with fending off Russian information warfare and said Lithuanian forces are “instructed on a regular basis about national limitations and information security requirements.”
Among the precautions described by Deutsche Welle are avoiding “oversharing on social media,” since Internet-savvy adversaries can easily research opposing soldiers online and use their personal data for information warfare campaigns.
Security analyst Bruno Lete of the German Marshall Fund in Brussels proposed that the threat of cell phone hacking is “easy to neutralize by simply ordering troops not to bring their smartphones to training, operations, or other missions.” He added that Russia might want to impose a “psychological burden on troops’ morale” by sending the message that “Moscow is watching them.”
Lete added that it was unsettling to observe how thoroughly Russia has integrated “digital and cyber warfare into its conventional security and defense planning,” advising NATO to improve its own capabilities and recapture the initiative in cyber warfare. “NATO, for now, remains on the reactive side,” he warned.
A more pessimistic analysis was offered by Verizon cyber analyst Joe Shenouda, formerly a Dutch intelligence officer, who warned that, even with proper cyber warfare training, people still tend to be careless with cell phones and social media postings.
Shenouda noted the cell phone attacks described by the Wall Street Journal convey an impression of Russia aggressively sending information warfare analysts and operatives into the field to collect every scrap of data they can gather about NATO forces, rather than “sit behind their keyboards in Moscow.”
Mobile security expert John Michelsen pointed out to CNBC that mobile devices can be compromised in numerous ways, “many more than a typical desktop or server.” He mentioned that one vulnerability of complex smartphones is that they often carry special applications to allow access to large computer systems, which hackers could use to penetrate those systems in unexpected ways. This calls to mind the related problem that today’s phones are so powerful and equipped with such abundant memory storage that users might forget some of the applications they have installed.
CNBC notes that the Government Accountability Office published a report on the “numerous security risks” of Internet-capable mobile devices in July, covering everything from cutting-edge smartphones to wearable fitness devices. The potential for hackers to activate the cameras, microphones, GPS locators, and other sensors in such devices was cited as a major risk.
The Wall Street Journal notes that the Russian Defense Ministry has denied allegations that Russian hackers are targeting NATO phones.