The President of the Government, Pedro Sánchez, met in Kyiv with his Ukrainian counterpart on February 24. There he announced aid worth 1,000 million euros per year for a decade to support the country's war effort. Two days after the meeting, a cyber attack campaign was unleashed against Spanish institutional and business targets, and it is still active. The intrusions have been claimed by Russian hacker groups and are part of what Sánchez has called the hybrid war that Moscow is waging against EU countries. “With these attacks we want to tell the Spanish government (sic) to stop supporting Ukraine. If this does not happen (sic) we will go to government websites. And also to the big companies,” the Russian hacker group Twonet published in a Telegram group on March 3.
The victims that have confirmed being attacked, or whose intrusions have been identified by the hacker community, include town halls, provincial councils, departments of autonomous communities and ministries such as Interior, Defense, Foreign Affairs or Inclusion, Social Security and Migration. The National Cryptological Center (CCN-CERT), the Defense General Staff (EMAD) and the Department of National Security have also been attacked, as have La Moncloa, the Royal Household, foundations such as the Elcano Royal Institute or Cidob, companies such as El Corte Inglés or Legálitas and media outlets such as Newtral.
The mixture of targets is not accidental: attacks on presumably poorly defended systems, such as those of municipalities or provincial councils, are combined with attacks on the institutions most representative of sovereign power (Moncloa, Defense, Interior or the CCN). “These cyber attacks seek notoriety and create the feeling that we are unprotected,” says Marcelino Madrigal, an expert in networks and cybersecurity.
The majority of the cyber attacks in the last three weeks (at least 70, according to sources consulted) are distributed denial of service (DDoS) attacks, which consist of saturating systems by bombarding the servers with a flood of requests. “Once the site is down, the attackers take a screenshot as proof of their success and exhibit it as a trophy,” says Hervé Lambert, director of global operations at Panda Security.
This type of cyber attack, of very low technical complexity, manages to interrupt the services of the targeted systems, although it does not erase data. “In general, what we have seen are specific and brief interruptions, which have not had lasting consequences for operability,” sources from the National Cybersecurity Institute (Incibe) point out.
Autonomous or coordinated groups?
At least seven groups of hackers linked to Russia have been identified as authors of the cyber attack campaign. Among the most active are Twonet and Noname057, but others have also participated, such as People’s Cyber Army of Russia, Cyber Army of Russia Reborn, Killnet or Z-Pintest. “Although it cannot be confirmed with certainty, they are probably linked to the Russian government and its interests,” says José Rosell, CEO of S2Group. It is almost impossible to attribute the origin of a cyber attack if whoever perpetrates it has enough technical knowledge and wants to go unnoticed. Hence, many governments resort unofficially to the cyber arena to carry out sabotage actions.
Little is known about the Russian hacker teams involved in the campaign against Spain, beyond their self-declared dedication to a common cause (the defense of Russia’s interests) and the fact that they communicate with each other through Telegram, the popular instant messaging application of Russian origin. They use that channel to disseminate their communiqués and to designate their targets through calls that independent hackers can join. They have been operational since the war began, although in recent weeks their activity has increased significantly. “These attacks, which are rather routine, should not be magnified. They have a high propaganda component,” sources from the CCN-CERT tell this newspaper.
Interestingly, these Russian hacker groups have been joined by others of different origin, such as Mr Hamza, from Algeria; Dxploit, an Islamist hacktivist group from Malaysia; or the anti-Israel group Dark Storm, which this week claimed a cyber attack that affected X. “I am struck that Dark Storm has intensified its activity in Spain during the last week, just when the Russian groups do. It is very difficult to know if it is by coincidence, opportunism or coordination,” says David Arroyo Guardeño, principal researcher of the CSIC's Cybersecurity and Privacy Protection group.
To this cocktail must be added the pro-Russian groups located in Spain, which disseminate the hackers' communiqués and support their work. “There are many Russian misinformation channels that are the same ones as those of the 2030 Agenda, that had taken part in the tractor protests or that spread anti-vaccine propaganda during the pandemic. It seems clear that they are permanent cells that seek to make noise and destabilize the government,” Madrigal ventures.
Hybrid war
“DDoS attacks are annoying, but do not produce great damage,” says Madrigal. And he adds: “These campaigns are also used to probe the level of security that a victim has for future attacks.” That is precisely one of the unknowns surrounding the cyber attacks that Spain is suffering: whether their intensity will dissipate over time or whether they are the prelude to something even bigger to come. Devoted in recent days to arguing why Spain must increase military spending, the president of the Government has framed this campaign as part of the so-called hybrid war that Moscow is waging against a good part of the EU. “We had a cyber attack that arrived from Russia last week,” the president acknowledged on Wednesday in Helsinki after meeting with his Finnish counterpart, Petteri Orpo. “It is important to face a core debate [on the increase in military spending],” he said.
“DDoS attacks are sometimes used as a smokescreen to cover up more harmful operations,” adds Lambert. “By distracting the attention of the technicians, who are busy repairing the visible outage, the attackers could take advantage of the distraction to infiltrate by another route, steal sensitive data or plant malware [malicious code] without being detected.”
This second, more sophisticated task would fall to another type of hacker: the so-called advanced persistent threats (APT), state-sponsored teams made up of professionals with capabilities equivalent to those of secret services. “Russia has highly sophisticated military cyber-espionage groups, such as APT28 (Fancy Bear) and APT29 (Cozy Bear) – of the SVR, external intelligence – that have been active against Spanish targets,” Lambert adds. This expert recalls that, in 2023, APT28 was accused of launching phishing campaigns (identity impersonation through fraudulent communications) against companies in the Spanish defense industry, such as Navantia, to steal credentials and sensitive technological data. The same group is said to have attacked internal networks of Spanish ministries that year, according to CNI reports. For its part, APT29 also managed in 2023 to access cloud services of the Spanish public sector through compromised emails sent from embassies.
“Recent DDoS attacks in Spain have been mainly an act of low-level cyber warfare with limited impact, as a visible reprisal for the support for Ukraine. However, they should not be taken lightly: in addition to their propaganda and momentary disruptive effect, they can be the tip of the iceberg of a broader strategy,” says Lambert.