Wednesday, February 28

Cyberattacks on Spain skyrocket after the Kremlin declared it a “hostile country”

Image of a computer infected with ‘malware’ (malicious software). / EFE

The Government accelerates the shielding of the Administration, fearing that Putin’s hackers will take a “leap” in their “harassment”

Melchor Saiz-Pardo

Over the last month, Spanish institutions and companies have suffered one of the largest waves of cyberattacks since records began. According to state security sources, the sabotage campaign intensified only hours after the Kremlin included Spain, along with some fifty other states, on its list of “hostile countries” on March 7 for its economic and military support to Ukraine.

At the moment, the Spanish and US intelligence services have indications that the long arm of the Russian secret services and the hacker groups in their pay could be behind two of the most serious incidents since the “unfriendly country” declaration. The first is the cyberattack that Iberdrola suffered on March 15, which resulted in the theft of personal information belonging to 1.3 million customers. According to sources from the company itself, confirmed by officials from various Spanish agencies, it was the “American authorities” who warned that this sabotage was linked to the international “critical situation”.

The second incident that government experts link to Russia is the sabotage of the systems of the Congress of Deputies on March 24 through a DDoS (distributed denial of service) attack, in which a large number of computers accessed the systems simultaneously to overwhelm them. A good part of the IP addresses detected were located in Siberia, the usual launching point for attacks by hackers in the pay of the Russian services.



  • 3 out of 5 is the level to which Defense has raised the cyberattack alert in recent days.

  • The decree of the anti-crisis plan. The State may skip the legal deadlines in the event of suffering a major offensive that blocks essential systems.

Specialists from the CCN (National Cryptology Center) of the CNI, the National Center for Critical Infrastructures (CNPIC), and the Cybersecurity Coordination Office (OCC) agree that, so far, and despite the volume of the offensive, the danger level of the attacks has been “low-medium”. As if the attackers were simply issuing a “warning”.

In fact, according to the heads of these departments, none of the cyberattacks has had the magnitude of the sabotage of a year ago, when SEPE services were disrupted for weeks by an attack with the ‘Ryuk’ ransomware (a data-hijacking program), created in 2018 and operated by “Russian cybercriminals”. This was determined by the Spanish secret services, which linked the attack to Kremlin intelligence, especially since the attackers never asked for a ransom to unlock the data.

The Ministry of Defense also agrees that the sabotage offensive has not yet peaked despite the escalation of the last four weeks. In fact, the department headed by Margarita Robles has only raised the cyberattack alert level to 3 (on a scale of 5).

Elite units

In Defense they no longer hide their fear that the Russian Government is holding its elite units in reserve for sabotage. On March 21, in the midst of the offensive, one of the Armed Forces’ leading experts on cyberattacks, Army Lieutenant Colonel Francisco Marín Gutiérrez, published a report at the Spanish Institute for Strategic Studies (the ‘think tank’ of Defense) in which he warned that the Russian military intelligence service (GRU), and in particular a unit known as Unit 26165, has since the mid-2000s been focused on “exploiting vulnerabilities in networks and unauthorized access to information systems”.

Specifically, and this is reflected in the documents sent to Moncloa, the Spanish agencies fear that the Kremlin will make a “qualitative leap” in its “harassment strategy” and mobilize its intelligence units and its most dangerous hacker groups (Fancy Bear and, above all, Cozy Bear) in “large-scale” campaigns to “paralyze” sectors of the Administration. These reports warn that the attacks will no longer be brief: the objective will be to remain inside systems for long periods, gaining entry through previously unknown vulnerabilities (zero-day attacks) or through external providers.

The Government considers this threat so real that on March 30, in the macro-decree of economic measures to alleviate the effects of the war in Ukraine, it introduced a provision allowing administrations to suspend legal deadlines, so as to avoid chaos and a cascade of lawsuits in the event that, as a “consequence of a cyber incident, the services and systems used to process the procedures are seriously affected”.

The Russian threat multiplies the State security plans

With the provision to extend deadlines in the event of a collapse caused by a large Russian cyberattack, the State has put the bandage on before the wound, but the Executive is going further and has mobilized all its resources over the last month to try to limit future damage. In fact, in record time it has approved protection plans and projects that had been bogged down, with little prospect of moving forward, for lack of budgets from a Government that, until the invasion of Ukraine, did not take them very seriously.

On March 30, the Government, in a hurry and encouraged by CNI experts, approved the new National Cybersecurity Plan, with an allocation of 1,200 million euros, 200 more than initially planned. It also launched, via royal decree, the 5G Cybersecurity Law, which the Recovery, Transformation and Resilience Plan had scheduled for the second half of this year. All of this, as Vice President Nadia Calviño acknowledged, is meant to “respond adequately to the current greatest geopolitical risk.”

Just days before, the Ministry of Economy, by urgent procedure and without publicity given the sensitivity of the matter, had awarded a contract worth 46.4 million euros to a joint venture formed by Indra and Telefónica to set up, before spring 2024, the new Cybersecurity Operations Center of the General Administration of the State and its Public Bodies (COCS). The center had been scheduled to begin operating in 2025 and is considered key to “increasing the capacity for surveillance and detection of threats in the daily operation of its information and communications systems”.
