On January 15, 2022, Sweden woke up to the news that drones had been spotted over at least three of our nuclear power plants. During the following days, drones were also seen over the royal palaces, parliament buildings, and critical infrastructure including water supply facilities, oil terminals, radio masts, and airports. There is no doubt that these activities have created speculation and concern. People wonder who the threat actor is and why this is happening now. Should we be afraid?
Early speculation suggested that the culprits might be nuclear power opponents, in reference to Greenpeace activities in France in 2018 when drones were deliberately crashed into a French facility to prove the site was vulnerable. In Sweden, however, nuclear power plants were not the only target.
Another theory was that ordinary amateurs had been attempting to film the beautiful northern lights visible on that windy January evening. But when the total number of sightings became known, extending from Kiruna in the north to Oskarshamn in the south of Sweden, it quickly became apparent these were coordinated activities rather than an attempt to obtain some scenic photos. The fact that the drones were not hobby drones, but fuel-powered, military-style, fixed-wing drones with a wingspan of approximately two meters, also indicates that whoever was behind this has significant resources and advanced capabilities.
Even though there is still no official explanation for who was responsible for the many drones spotted over Sweden in mid-January, and authorities are keeping an open mind, experts seem to agree on one likely scenario: these activities are connected to the deteriorating security situation in Europe. If this is proven, the most likely perpetrator would be a state actor.
Heightened Tension Between Russia and the West
The drone flights come at a time of heightened tensions between Russia and the West due to the Russian military buildup at the borders of Ukraine with possibly more than 100,000 Russian soldiers, weapons, and military hardware.
In December 2021, Vladimir Putin also presented a list of demands, including a demand that Sweden, Finland, and former Soviet states never be allowed to join NATO. The list of demands also included the removal of all NATO troops and weapons from countries that joined the NATO alliance after 1997, including Poland and the Balkan and Baltic countries. According to Moscow, ignoring these demands would lead to a “military-technical” response.
As a result of the tensions in Europe, Sweden recently deployed additional troops to reinforce its military presence on the Baltic island of Gotland, sending a clear signal that we are prepared to defend our territory. It is in light of these international events that we must analyze the drone flights over Sweden.
In 2014, when Russia annexed Crimea, drones were used to hit Ukrainian ammunition depots – clearly a military action. Attacking our critical infrastructure was not likely the purpose of the recent activities in Sweden. However, using hovering drones over security-classed facilities is a form of intimidation and puts a spotlight on the vulnerabilities in our society.
We were meant to observe the drones, and we were meant to feel insecure in our own territory. Whoever this was, a probable motive was to show us that the authorities can’t protect us should there be a significant conflict involving Sweden.
What They Want Us to See – And What They Don’t Want Us to See
“The impact of hybrid warfare, as it is known, in the grey zone between peace and war represents a growing challenge. As a result, some states are using non-military force – information warfare, cyberattacks, and economic pressure, for example – to influence politics, policies, and societies of other countries.” (Strategic Outlook 8 published in 2019 by the Swedish Defense Research Agency, FOI)
The grey zone activities include demonstrations of power, subversion, information operations, threats, pressure on decision makers, cyber attacks, and espionage. These activities might, or might not, be visible.
When it comes to espionage, the key is to stay invisible. Whether the method used is technical intelligence, such as a cyber attack, or human intelligence, i.e., recruiting someone on the inside, the intelligence service behind the operation doesn’t want to be exposed and strives for anonymity.
We need to understand that the activities we observe, like the drones, are merely the tip of the iceberg. We see either what they want us to see, because it serves a purpose, or what is exposed when their covert intelligence operations fail.
Spies and Lies – The Human Factor
During the last three years, there have been several reports from countries such as Sweden, Denmark, Norway, Germany, the Netherlands, Italy, and so on, where spies have been arrested. Russian intelligence officers recruited people with access to sensitive information or systems.
This shows us that human intelligence is a method still in use. Recruiting spies, or “insiders,” is still one of the many tools in the intelligence toolbox and not just something that took place during the Cold War.
We believe that we will see more of this in the future. As we are getting better at protecting our data and systems technically, it is becoming more difficult for an attacker to gain access from a distance via, for example, a cyber attack. The logical next step for state actors and criminal hacker organizations is to combine technical intelligence with human intelligence.
Humans are the weakest link when it comes to cybersecurity or any security. We are the ones handling the information and the systems, and we are the ones that sometimes make an honest mistake – or even choose to.
While recruited spies are aware of what they are doing, at least most of the time, there are other ways of taking advantage of people with access – without their knowledge.
Social engineering, or human hacking, is about manipulating people to give away small but essential pieces of information that they shouldn’t. Or it might make them click on a link or insert a USB memory stick because they believe it’s the right thing to do. Social engineers use convincing lies to take advantage of our wish to be polite and helpful, as well as our naivety.
Our naivety is our Achilles heel; therefore, awareness is the most crucial countermeasure to prevent an antagonist from taking advantage of the human factor. We must strive to create awareness within companies, organizations, and authorities regarding grey zone activities, technical and human intelligence, and social engineering. Employees who are aware are less naive, and when we are less naive, we are stronger.
Summary and Key Take-Aways
- State actors use grey zone activities to influence and put pressure on us. What we see is often what they want us to see.
- The cyber threat landscape has changed, and today’s methods are not exclusively technical or human but a hybrid of both.
- There are things we can do to prevent espionage and data breaches. Besides proper technical security, awareness training and insider prevention are two of the more critical and powerful countermeasures.
Truesec Human Threat Intelligence
Truesec’s mission is to help our clients prevent and minimize the impact of a data breach. We have been dedicated to this since the very beginning and still are − whether the antagonist is a state actor or a criminal organization. However, we firmly believe that the cyber threat landscape has changed, that the methods used today are not exclusively technical or human; instead, they are a hybrid of both. We need to think and act differently to counter these new hybridized threats.
Therefore, in May 2021, we introduced Truesec Human Threat Intelligence, which focuses on the human factor in cybersecurity. We work with insider prevention, implementation of recruitment processes, and security vetting. We also help create a sound security culture to ensure employees understand that they are essential. Cliché or not, a chain is no stronger than its weakest link, and awareness is key.
In our view, Human Threat Intelligence is the final piece that needs to be in place to prevent a data breach. It doesn’t matter how strong the technical security solutions are if the threat comes from the inside.