National Scientific and Technical Potential: How to Preserve it from Espionage?

The gathering of information related to the scientific and technological activity of a nation undermines its stability and competitiveness. Protecting the scientific and technical potential of nations, a topic discussed at the last Five Eyes summit, requires maximum cybersecurity measures.

Definition of Scientific and Technical Potential

The nation’s scientific and technical potential comprises “all the tangible and intangible assets related to fundamental scientific activity and applied to the technological development of the French nation.” In other words, it involves highly strategic knowledge and skills and sensitive technologies, produced and developed within public and private establishments on national territory. Access to and protection of these are thus strictly regulated.

A Primary Protection: The PPST Scheme

Since 2011, France has implemented the Protection of Scientific and Technical Potential (PPST) scheme. This inter-ministerial regulatory security mechanism, led by the General Secretariat for Defence and National Security (SGDSN), is distributed across 6 different ministries:

  • Ministry of Agriculture
  • Ministry of Defence
  • Ministry of Sustainable Development
  • Ministry of Economy and Finance
  • Ministry of Health
  • and Ministry of Higher Education, Research, and Innovation

It aims to prevent any leakage of, or attempt to capture, this sensitive information, notably through the creation of Restricted Regime Zones (ZRR). In these areas, such as research or production sites that are of great interest to the nation, strict control over physical or virtual access to sensitive information is enforced. The PPST complements other security systems, such as those protecting Operators of Vital Importance (OIV) or national defence secrecy.

What are the risks if these sensitive pieces of information are exposed?

If captured, this information related to the technical and scientific potential of the nation can be diverted for purposes of destabilization or criminal activities. The risks are classified into 4 categories:

  1. Damage to the nation’s economic interests
  2. Development of military arsenals
  3. Proliferation of weapons of mass destruction
  4. Terrorism

Sectors Affected

Various scientific and technical sectors are therefore covered by the PPST:

  • Biology,
  • Medicine,
  • Health,
  • Chemistry,
  • Mathematics,
  • Physics,
  • Agronomic and ecological sciences,
  • Earth, universe, and space sciences,
  • Information and communication science and technology,
  • Engineering sciences…

Thus, research laboratories, companies, and universities must be protected from the risks of data interception.

Protecting Scientific and Technical Potential from Cyber Espionage

Access to a ZRR can be physical but also virtual. Therefore, the security of information systems is a major challenge in protecting scientific and technical potential from cyber espionage.

Securing Restricted Regime Information Systems (SIRR)

A Restricted Regime Information System (SIRR) transmits Restricted Regime Information (IRR), i.e., sensitive information whose disclosure would present one or more of the previously mentioned risks. Access to a SIRR therefore constitutes virtual access to a ZRR. It is noteworthy that SIRRs are subject to the inter-ministerial instruction no. 901 on the protection of secrecy and national defence.

The ANSSI’s guide on the digital protection of the nation’s scientific and technical potential lists security measures to be implemented by organizations with a SIRR. Among these is the deployment of an information systems security policy (PSSI), which lists all the good practices and computer security procedures to be followed by employees and other stakeholders.

Indeed, a SIRR encompasses all types of media and electronic equipment, such as laptops, USB keys, or servers, and therefore requires cybersecurity awareness for users in parallel.

Examples of Security Measures to Implement:

  • Encryption of communications
  • Encryption of hard drives of workstations
  • Access control

Ensuring the Security of Workstations

Workstations contain a number of sensitive pieces of information that must be protected. ANSSI, through its guide, emphasizes the importance of deleting all the data present on a workstation before reallocating equipment. Similarly, it is crucial to revoke access rights to information systems as soon as a user’s employment period ends.

Using End-to-End Encryption Technology for Communications

Communication tools deployed in companies, especially in ZRR establishments, must meet the highest level of security. Firstly, the solution used must be secure by design and thus meet a number of security criteria, from its design to its deployment in the organization. This significantly reduces or nullifies its impact on the company’s network security. Moreover, communications exchanged over online messaging or video conferencing are targets of computer and industrial espionage. Only end-to-end encryption technology for audio, video, and data communication flows can prevent the retrieval of this data.

Demonstrating the Utmost Reactivity in Case of Attack

In the event of a cyber crisis, a secure emergency communication solution is also essential to ensure the continuity of the establishment’s activities. It should allow employees to continue their exchanges through an “out of band” communication channel, i.e., one different from the channel usually used.

The secure video conferencing software Tixeo meets this need. Thanks to its sovereign end-to-end encryption technology and its highly secure deployment in on-premise version, it supports establishments in their crisis management and cyber resilience.

First Five Eyes Summit on the Subject in 2023

On October 16 and 17, 2023, the first-ever Five Eyes summit on the theme of protecting the nation’s scientific and technical potential took place. At this summit, the five countries of the coalition (United States, United Kingdom, Canada, Australia, New Zealand) warned of the threats weighing on innovation and research. In particular, the Chinese government was singled out as the main danger to innovation and the interests of nations.

“The Chinese government is engaged in the most sustained and sophisticated theft of intellectual property and acquisition of expertise in human history,” stated Mike Burgess, director-general of Australian intelligence services. Indeed, industrial espionage operations originating from China are experiencing an unprecedented increase. “The sectors of artificial intelligence, quantum computing, and synthetic biology are particularly targeted at the moment, according to senior officials.” This resurgence of state-sponsored cyber espionage does not spare European countries either.

The document “Five Principles for Securing Research and Innovation” was published at the end of the summit and presents several recommendations to maximize the protection of scientific and technical potential. Among them: knowledge and management of cyber risks, protection of the work environment, awareness of collaborators, and securing partnerships, suppliers, and service providers.

Cyberspace: European companies faced with international cyber espionage

Cyber espionage attacks by state or para-state entities are on the increase, targeting European companies. They mainly target organisations that are essential to a country’s functioning or economy.

 

Consequences of geopolitical instabilities

An upsurge in state and para-state attacks

Since the war in Ukraine, conflicts in cyberspace have continued to intensify and the typology of cyberattackers has diversified. More and more state actors are using traditional cybercrime methods, such as ransomware, to target private or public organisations. As a result, it is becoming increasingly difficult to identify precisely the perpetrators of these malicious activities. What’s more, the techniques used are more sophisticated and therefore more effective, as they mobilise more resources and cause more damage. In fact, the fight against cyber espionage has been made one of the ANSSI’s main missions for 2022. Cyber espionage can affect information systems for months without being noticed by organisations.

In 2022, 150 state cyber attacks were recorded, 77% of which involved espionage operations. In 2023, the percentage has already risen to 83% of all state cyber attacks, even though the year is not yet over.

Mainly of Chinese or Russian origin, these state and para-state espionage attacks pursue different objectives, depending on the case:

  • the collection of confidential data,
  • computer or physical sabotage of a critical infrastructure
  • or political destabilisation.

Sensitive sectors particularly targeted by cyber espionage

Government organisations, businesses, public authorities and research institutes are among the prime targets of cyber espionage. It is from these organisations that cyber attackers can gather sensitive data linked to a nation’s economic, industrial or scientific activity. This can start by hacking into employees’ e-mail accounts to retrieve confidential information.

ANSSI recently stated that several cyber espionage attacks, targeting French companies in particular, had been carried out by the APT 28 (or Fancy Bear) hacker unit, which is close to the Russian military intelligence services. The attackers are said to have exploited several security flaws to infiltrate Outlook e-mail accounts between March 2022 and June 2023.

What are the consequences of cyber espionage?

Financial impact on businesses

Cyber espionage has a significant economic impact on companies. Firstly, the attack is generally discovered several months after the infiltration and is immediately publicised in the media. This damages the organisation’s image and leads to a loss of confidence on the part of its customers and partners. Industrial espionage can also lead to the loss of markets and the theft of data relating to the organisation’s intellectual property. All these factors can destabilise companies financially.

Damage to national interests

Moreover, spying on companies operating in critical sectors can pursue interests other than financial ones. For example, when it comes to infrastructures linked to the energy, ICT or health sectors, cyber espionage contributes to the destabilisation of a country in economic, social and even security terms.

Against a backdrop of war and the threat of terrorism, government agencies are targeting strategic sectors. In 2023, it was discovered that Mirage, a Chinese cyberthreat, had infiltrated the networks of the German Federal Agency for Cartography and Geodesy in December 2021. Although the type of information compromised is not yet known, this clearly demonstrates that these attacks can deeply corrupt a system and potentially take hold over time. 

 

Strengthening European cyber security is more essential than ever

With the NIS 2 or DORA Directive, Europe is now preparing to strengthen the cyber security of the most sensitive organisations, particularly in the face of cyber espionage.

State cyber attacks also fall within the scope of national cyber defence. Military cyber defence players are mobilising to defend the information systems of critical organisations, in order to prevent state or private organisations from being paralysed. Similarly, the DGSI contributes to cyber defence by detecting and identifying state cyber interference as early as possible.

The 2024 Olympic Games: a favourable context for destabilising companies

On the eve of the 2024 Olympic Games in Paris, the authorities are already warning of an “unprecedented level of risk of cyber attacks”, which could also target businesses, again with the aim of destabilising the host country.

Organisations in all essential and critical sectors need to be prepared for a potential cyber crisis. Technical cyber protection measures are expected, particularly to protect confidential communications and data. But it is also advisable to step up in-house training in good cybersecurity practices. Employees and managers are generally the first point of entry into a company’s IS in the event of cyber espionage.

 

How do you raise employee awareness of cybersecurity?

Spearphishing, ransomware, downloading malicious software… These cybersecurity threats affect employees in all businesses, particularly those working from home. Raising awareness of cyber security is now essential.

Economic and political risks

Cyber attacks on businesses and public authorities are driven by economic and sometimes political interests, depending on the sector targeted.

The hackers’ objectives may be to:

  • Steal money from an individual or a company
  • Capture a company’s customers
  • Damage the reputation of a company or a political player/party
  • Set up industrial, political or military espionage

An organisation’s employees are on the front line when it comes to these ever-increasing cybersecurity risks. Raising awareness of cybersecurity is therefore essential if they are to become aware of them and react accordingly.

 

Cybersecurity awareness campaigns:

Schedule regular training sessions

Cybersecurity training involves all the company’s employees and should be offered on a regular basis. It is preferable to organise them in small groups to encourage discussion and, if possible, to adapt them to the profiles of the various professions.

Training accountants or human resources professionals in cybersecurity is different from training developers or salespeople. Segmenting training courses by profession also enables specific, concrete subjects to be addressed for each professional issue (wi-fi networks when travelling, fraudulent e-mails, etc.). Ideally, training modules should be short, no longer than 1 hour. Beyond that, there is a risk of generating fatigue and impairing understanding of the message.

It may be a good idea to conclude each training session with a practical summary document. This will serve as a memo for the employee. On the fun side, offering quizzes after training courses, with rewards at the end, encourages employees to take an interest in the subject.

 

Using gamification

Still aiming for a more entertaining approach, gamification as part of a cyber-security awareness campaign is proving effective. Various organisations offer escape games or cyber games on the theme of IT security, during which employees put themselves in the shoes of a hacker, for example. These role-playing games and interactive training courses raise awareness of the risks, while reducing the anxiety associated with the subject.

 

Calling on key players

For larger-scale training courses, bringing in a recognised cybersecurity expert is a good way of grabbing the audience’s attention. In this way, employees benefit from in-depth expertise. These may be organisations specialising in IT security, university researchers or cyber defence experts, depending on the company’s sector of activity and the issues at stake.

 

Strengthening internal communication

Employees need to be regularly informed about news relating to cybersecurity, whether it concerns their company directly or not. Giving concrete examples of incidents and their consequences is a good way of raising awareness.

For example, spearphishing attacks are currently on the increase and are affecting more and more organisations. This type of cyber attack specifically targets a company employee with access to sensitive information. It is generally based on identity theft and strong social engineering. The hacker’s aim is to send an e-mail that is consistent with the activity of the targeted person or company, encouraging them to click on a malicious link or open an infected attachment. In this way, the employee’s data can be compromised. The success rate of spearphishing is high and worrying. It is necessary to communicate this type of information to employees by e-mail, via a corporate social network or in an internal repository. These communications can be accompanied by a number of practical steps that can be taken to avoid being caught out.

Furthermore, in the event of an incident, employees need to react quickly, especially if their workstation is infected and therefore unusable. To help them do this, it is useful to distribute “SOS sheets” covering a range of issues (e.g. “I clicked on the wrong link, what should I do?”). Employees will find the contact details of the support service and a few simple actions to take while they wait for help. These sheets are particularly recommended for teleworkers, who are more on their own when it comes to security issues.

 

Carry out test campaigns

Finally, there’s nothing like a (fake) cyber attack to raise awareness of cybersecurity. Cybersecurity test campaigns involve the whole company and have a dual objective: they show employees that attacks can affect them, and they measure employees’ level of vigilance. Generally, phishing campaigns are organised, since this type of email attack is still the most common. At the end of these test campaigns, and depending on the results, additional training modules will have to be offered to employees.

 

3 essential precautions for raising awareness of cyber security

Leveraging the diversity of our actions

Freeing up time for training is not always easy, and most employees drag their feet when it comes to cybersecurity training. So the key is to diversify your training courses, so that you can tackle the subject from different angles, providing concrete, practical information. Not forgetting the educational and fun aspects!

Tailoring awareness-raising campaigns to specific professions

It is important for employees to learn techniques to protect themselves, but also and above all to realise that everyone is a target in their own right for hackers today. The overall awareness of the workforce must be raised at the same time as the awareness of the different business profiles.

Stepping up training for teleworkers

While all employees need to be trained in IT security, this is even more the case for teleworkers. Since the advent of teleworking, cyber-attacks have soared, and so has the cost to the company. It is in companies’ interests to maximise training for teleworkers, as well as their remote support in the event of an incident.

 
