Cyber Incident Victim: North Atlantic Treaty Organization
Date: Feb 2023
Location: Belgium
Summary
A pro-Kremlin hacker group known as Killnet executed distributed denial of service attacks against NATO systems, briefly disrupting the alliance's website and communications networks during critical earthquake relief operations in Turkey and Syria. The incident affected the NATO Special Operations Headquarters website and impacted the Strategic Airlift Capability, which coordinates military and humanitarian airlifts, including transporting rescue equipment to the disaster zone. While contact with a C-17 aircraft delivering supplies remained intact, the attacks temporarily interfered with sensitive data networks used for relief coordination. Cyber security experts restored services within hours, with NATO confirming active management of the incident and characterizing it as part of routine cyber defense challenges. The hackers employ basic DDoS techniques but maintain potential for more sophisticated future attacks.
Description
On February 12, 2023, the pro-Russian hacker group Killnet launched a distributed denial-of-service (DDoS) attack targeting NATO systems involved in coordinating earthquake relief operations in Turkey and Syria. The attack disrupted NATO’s communication channels with military aircraft delivering humanitarian aid, though it did not sever contact entirely. A NATO official confirmed the incident, stating cyber experts were actively addressing it. Killnet claimed responsibility through a Telegram channel, announcing attacks on NATO without providing specifics. Among the affected entities were NATO's Special Operations Headquarters (NSHQ) website, hosted in Belgium, which experienced approximately two hours of downtime before restoration, and the Strategic Airlift Capability (SAC), a multinational initiative reliant on NATO support for military and humanitarian airlifts.

The incident directly impacted SAC operations, including a C-17 aircraft en route to Incirlik Air Base in southern Turkey with search and rescue equipment. A SAC manager alerted the crew via the Aircraft Communications Addressing and Reporting System (ACARS) that NATO’s NR network, used for sensitive data transmissions, had been compromised. While flight operations continued, the disruption complicated relief efforts during a crisis that had already claimed over 28,000 lives. NATO emphasized its routine handling of cyber incidents and commitment to security. SAC, which had supported Ukraine in 2022 and evacuated civilians from Kabul in 2021, maintained its earthquake response activities. Western security agencies characterized Killnet as a loosely organized pro-Kremlin entity specializing in basic DDoS attacks against nations backing Ukraine, noting the attacks' typically limited duration and superficial damage. The group’s history included threats to UK hospitals in 2022, attacks on US hospital websites in January 2023, and public clashes with the Anonymous hacker collective.
