For organisations around the globe, geopolitical tensions not only have the potential to impact daily operations, but they can also compound the threats posed by cyberattacks. From armed conflicts and elections to nation-state agendas, cyberattacks often begin with or follow these narratives. Bad actors are adept at weaponising geopolitical events to further their own agendas.

Case in point, the ongoing war in Ukraine has led to a surge in cyberattacks. These attacks target not only Ukrainian and Russian organisations but also those who support them. Similarly, the upcoming UK general election and US presidential race are expected to trigger increased cyberattacks on political campaigns and government agencies. Even seemingly distant conflicts can disrupt supply chains, critical infrastructure and digital services, underscoring the global nature of these threats. Against this backdrop, open-source intelligence (OSINT) emerges as a critical tool, offering valuable insights for understanding and mitigating both cyber threats and geopolitical risks.

Real-time OSINT and situational awareness

By monitoring and analysing real-time OSINT, organisations can greatly enhance their situational awareness of primary threats and risks. This equips them to better understand the complexities of modern cyber conflict and develop proactive defence strategies that strengthen operational resilience and response planning.

But to do so effectively, it is essential to first understand the baseline scenarios for key geopolitical risks. Baseline scenarios are the standard or expected risks for a given region, based on current knowledge and typical patterns of behaviour. Alternative scenarios are potential deviations from the expected direction of travel that might emerge as new threats, escalation or the eventuality we all hope for, normalisation of relationships and prosperous trade. This blog will delve into these scenarios for three areas of global tension where OSINT plays a crucial role: conflicts involving China, geopolitical dynamics in the Red Sea and broader Middle East, and the situation in Ukraine.

China – Cyber threat scenarios in 2024

Baseline scenario for cyber threats in China

China’s cyberattacks are predominantly focused on espionage, with threat actors primarily engaging in intelligence-gathering. Ongoing competition with the West drives these actors to conduct intellectual property theft, broad surveillance campaigns and reconnaissance into the critical infrastructure of U.S. and European businesses and government institutions.

The implications of this scenario are significant. Chinese intellectual property theft operations targeting Western companies undermines their competitiveness in several key industries. Consequently, companies operating in Chinese markets must continuously reassess the cost-benefit analysis of their partnerships with China, particularly due to the risk of intellectual property theft. Additionally, in response to Chinese espionage activities, the U.S. government may impose new restrictions on American businesses, especially concerning vulnerability reporting to the Chinese government.

Illustration of a network map of geopolitical entities appearing to form a strong connection to China. Note the grouping of disinformation, AI and the Taiwan general election appearing in the top left corner.

Alternative scenarios for cyber threats in China

There are a number of alternative scenarios that could trigger new threats and risks:

US and Taiwan enter a substantial defence agreement

If the US and Taiwan were to enter a substantial defence agreement, China might respond by launching disruptive cyber campaigns targeting various Taiwanese industries. These campaigns could involve the use of data wiper malware and data encryption malware, significantly impacting Taiwanese businesses. Additionally, Chinese cyberattacks on critical infrastructure, such as ports and government services, could disrupt access to essential municipal services, causing widespread inconvenience and instability within Taiwan.

2024 Taiwanese election results

China may escalate its regional disinformation efforts in response to the election of a pro-sovereignty government. While new Taiwanese President William Lai is unlikely to pursue formal independence, he has signalled intent to maintain the political status quo with China and is likely to expand Taiwan’s defence and economic ties with the West.

Chinese threat actors could increase hacktivist-style activities, especially during periods of heightened tension, such as official US visits to Taiwan.

This might result in more frequent website defacements and Distributed Denial of Service (DDoS) attacks targeting US and Taiwanese companies operating within Taiwan. Furthermore, Chinese information campaigns might intensify, focusing on Chinese American and other Chinese diaspora communities abroad, using intimidation tactics to propagate narratives aligned with the Chinese Communist Party.

China adopts a Russian-style, hybrid warfare strategy against the US

In a scenario where China adopts a hybrid-warfare strategy similar to Russia’s against the US, Chinese cyberattacks could expand to include financially motivated activities.

US allies in the Asia-Pacific region, such as Japan, South Korea, Taiwan, New Zealand, and Australia, might increasingly become targets of financially driven Chinese threat actors. Moreover, Chinese cyber actors could enhance their cooperation with Russian-aligned financially motivated threat actors, leading to both nations’ cybercriminals bolstering each other’s offensive capabilities.

Red Sea and broader Middle East scenarios

The current conflict in Gaza is a symptom of a much larger geopolitical struggle across the broader middle east, from Egypt in the West to Iran in the East. This conflict has wider global implications, as evidenced by civil unrest at US universities where protests over the Israel-Gaza conflict have led to the occupation of buildings and student arrests.

Illustration of a heat map showing intelligence data entities in relation to the Red Sea and Broader Middle East, Large circles represent a greater representation in the intelligence data. 

Baseline scenario for cyber threats in the Middle East

At the moment, talks continue without reaching a deal similar to the Joint Comprehensive Plan of Action (the 2015 Iran nuclear agreement) and without any sharp escalation. Iran maintains an aggressive cyber strategy in the Middle East, carrying out cyberattacks aimed at critical infrastructure and commercial activities, particularly targeting Israel, but also Saudi Arabia and the United Arab Emirates when opportunities arise.

Phishing campaigns and destructive cyberattacks designed to destroy data or sabotage networks of US, Gulf Cooperation Council (GCC) members, Israel, and Western companies operating in the Middle East remain a constant threat.

This ongoing cyber activity increases operating and cybersecurity costs for US companies with operations in the region, particularly in the oil and gas sector.

Alternative scenario for cyber threats in the Middle East

An alternative scenario is that talks break down and tensions escalate. In response to increased tensions with the US, Iran could then expand its cyberattacks against Western organisations and US partners in Middle Eastern locations, particularly targeting the oil and gas sector. This escalation would lead to a significantly higher cyber risk in the region. Iranian threat actors may attempt destructive and disruptive cyberattacks, focusing on operational technology networks and targeting large US companies, US government agencies, and US critical infrastructure.

Russia/Ukraine scenarios

Cyberattacks are a large part of Russia’s strategy in its war against Ukraine. The targeting of Ukrainian companies in Finland with a remote access trojan, identified as UAC-0184, is just one of many examples of this approach.

Illustration of heat map of the Russia/Ukraine war with respect ot cyber warfare. Larger heat symbols represent a greater cluster of intelligence data.

Baseline scenario for cyber threats in the Russia-Ukraine conflict

Russian cyber threat activity remains high, focusing primarily on disinformation and espionage rather than overtly disruptive attacks due to concerns about escalation. Russian cyber actors are prolific in targeting the West, particularly aiming to gather intelligence on Western governments and military activities related to Ukraine and sanctions policy.

While the likelihood of a major disruptive attack on Western critical infrastructure is low, Russian threat actors continue to seek ways to breach these systems. In the US elections of 2024, 2026, and 2028, Russia is expected to have limited success in weaponising synthetic content, with domestic actors posing a greater threat to election security.

Overall, Russian state-backed cyber threats are unlikely to cause significant destruction or disruption to Western critical infrastructure, and therefore are not expected to challenge NATO’s cyber threshold for triggering Article 5, which calls for collective defence if a NATO member is attacked.

Alternative scenarios for cyber threats in the Russia-Ukraine conflict

Ukraine and Russia agree to reduce hostilities

In a scenario where Russian and Ukrainian officials agree to reduce hostilities in the Russia-Ukraine war, Russian state-sponsored cyber threats may decline, but the cybercrime ecosystem flourishes. The Eastern European cybercriminal ecosystem will likely cooperate more, which will contribute to a more sophisticated threat. With the reduced likelihood of disruptive or destructive cyber incidents, cyber threats shift focus. Instead of cyber threats aiming to cause physical harm and even loss of life, threats become more targeted, striving for reputational and financial damage through information operation campaigns and financially motivated cyberattacks.

Significant Russian losses in Ukraine

In the event of substantial losses in Ukraine, Russian cyber operations could escalate, manifesting as disruptive cyberattacks masquerading as cybercrime and hacktivism.

This heightened threat level would necessitate critical infrastructure operators to pivot their cybersecurity defence models towards resilience, shifting focus from threat detection and prevention. Consequently, Russian threat actors would adopt an increasingly aggressive offensive strategy in cyberspace, leading to the development and deployment of viral, destructive data wiper malware.

NATO Russia conflict

If the Ukraine conflict escalates to a perceived NATO-Russia war, Russian cyber operations could intensify with overt backing from the Kremlin of cyber war against the West.

These increasingly disruptive cyberattacks prompt cyber insurers, following Lloyds’ lead (whose policy came into effect in March 2023), to introduce state-sponsored cyber exclusion policies, negating coverage for attacks attributed to governments.

As Russia’s offensive risk calculus heightens, Russian threat actors deploy self-replicating data wiper malware strains to propagate throughout Western supply chains, amplifying the impact of their cyber campaigns. Across regions, all the scenarios discussed above illustrate the dynamic and complex nature of cybersecurity threats and the importance of real-time OSINT for navigating them – particularly when it comes to monitoring geopolitical risks.

How Silobreaker helps

Silobreaker enables organisations to dynamically assess the threat landscape for both baseline and alternative risk scenarios. Its advanced OSINT capabilities offer insights into potential threats and the actors behind them. This real-time intelligence provides early warnings, helping organisations make informed decisions to mitigate risks.

With features like AI-powered intelligence assistance, Silobreaker streamlines the collection, aggregation, and analysis of open-source data, ensuring faster and more accurate decision-making. Clear visualisations and reports further aid decision-makers in understanding the evolving threat landscape, allowing them to prioritise and address risks more effectively.

To find out more about geopolitical threats and how real-time OSINT can enhance your organisation’s resilience, explore Silobreaker’s comprehensive intelligence solutions here.