An Old Conflict and a New Way of War

As the decades-old Nagorno-Karabakh conflict flares up, we are being given a glimpse of the future of war.

By Michael Cruickshank

On the 28th of September 2020, two very different Azerbaijani aircraft took to the skies above Nagorno-Karabakh. One was a Soviet-made Antonov An-2 propeller biplane designed in the 1940s. The other was a Turkish-built Bayraktar TB2 drone first used in Syria in 2018. The An-2 was shot down by an anti-aircraft missile, crashing to the ground in a ball of flame. The TB2 drones continued to strike several armored vehicles and anti-air systems with apparent ease.

In many ways, this juxtaposition of the old and the new illustrates the strange dichotomy at the heart of this war. Even though this conflict has its roots in over a century of ethnic animosity, and decades of ‘frozen’ conflict, the last few days of all-out war have shown a remarkably modern way of fighting. In fact, the specifics of this conflict open a window to the way in which wars will be fought in the coming decade.

Nagorno Karabakh has been scarred through decades of fighting. 
Image: Michael Cruickshank.

Nagorno-Karabakh (or Artsakh as it is known in Armenia) is a mountainous region in the Southern Caucasus. Populated by ethnic Armenians for centuries, it operates as an unrecognized state within de-jure Azerbaijani borders. During the collapse of the Soviet Union, the ethnic Armenian majority of the Nagorno-Karabakh Autonomous Oblast (NKAO) voted in a referendum to join Armenia (Avakian, 2005). Mounting ethnic unrest eventually drew in the newly independent state of Armenia which fought a war with Azerbaijan in the early 1990s (International Crisis Group, 2019). When a ceasefire was declared in 1994, Armenia, and the Nagorno-Karabakh Defense Army, had effectively defeated Azerbaijan and occupied significant portions of the country beyond the original borders of the NKAO.

Over the next three decades, the ceasefire largely held, with only sporadic fighting. During this period, however, Azerbaijan grew wealthy due to its hydrocarbon exports and rearmed, buying modern military equipment from traditional suppliers like Russia but also Israel and Turkey. In 2016, it made an abortive attempt to retake part of Nagorno-Karabakh – known as the Four Day War. However little progress was made before international pressure stopped the conflict (International Crisis Group, 2019). This year, the situation deteriorated, with a brief skirmish between the two sides in July, followed by increased support by Turkey for Azerbaijan and worrying indications of a military build-up. Then, in the early hours of the 27th of September, the region was rocked by the first strikes of what would become a near-full-scale war between the two countries.

Unmanned and Unchecked

Over the three and a half decades since the conclusion of the first Nagorno-Karabakh War in 1994, many facts on the ground have changed, and new technologies and methods of fighting have gained traction. The most important of these is the use of armed drones (also known as Unmanned Combat Aerial Vehicles, or UCAVs) as part of tactical military operations. Deployed first by the US in the 1990s, armed drones were primarily used for assassination campaigns and irregular, low-intensity strikes (Zwijnenburg and Jansen, 2020). Despite this, innovations in the role of UCAVs were not driven by the US, but rather by Middle Eastern actors. In the Battle of Mosul, ISIS first deployed swarms of armed drones to significant psychological effect (Rassler, 2018). Later, in northern Syria, Turkey began using its indigenously manufactured Bayraktar and Anka drones to support its ground troops against the US-backed Syrian Democratic Forces (SDF) and forces aligned with the regime of Bashar al-Assad (Crino and Dreby, 2020). These tactics were then applied in Libya to support the Tripoli-based Government of National Accord (GNA) (Rakesh, 2020). In every instance that these drones were used, they proved to be highly effective, rendering many anti-aircraft systems obsolete, and rapidly changing ‘facts on the ground’.

Such tactics now appear to have been exported from Turkey to its close ally Azerbaijan, alongside the drones themselves. The Azerbaijani Ministry of Defence (MoD) released multiple videos of its drones striking apparently defenceless Armenian positions, taking out armoured vehicles, artillery equipment, and anti-aircraft systems with precision-guided munitions while terrified Armenian troops ran for cover. Such is the concentration of UCAV use in this conflict, that in one of these Azerbaijani MoD videos, taken from a Turkish-made Bayraktar TB2 drone, another Israeli-manufactured Orbiter 1K ‘kamikaze drone’ uninvolved in the strike can be seen flying across the frame (Azerbaijani Ministry of Defence, 2020). While it remains to be seen if the use of drones will play a decisive role in this conflict, given the massively favourable terrain advantage Armenia enjoys, it is probable that the recent acquisition of these systems played a hand in the Azerbaijani government’s decision to re-intensify the conflict and attempt to reclaim its lost territories.

Notably, this is the first time UCAVs have been used in battle between two near-parity state actors. The fact that these systems are inexpensive, viable, and near unassailable by relatively modern anti-aircraft systems will likely lead to a flood of nations rushing to acquire such systems. Taken alongside the fact that their use appears to have lower political risk for the aggressor (Zwijnenburg and Jansen, 2020), it is likely that UCAVs will be a staple of future conflicts in the coming years.

The aftermath of an Azerbaijani drone strike on an Armenian / NKR position. Image: Azerbaijan Ministry of Defense. 

War Outsourced

Another disturbing feature of this war is the use of quasi-state mercenary forces. Several weeks before the fighting in Nagorno Karabakh, rumours on social media suggested that Turkish-backed Syrian militants were being transferred to Azerbaijan. At the time these were dismissed as the figments of an overactive imagination. Such fighters (members of the so-called ‘Syrian National Army’ (SNA)) were first deployed against the SDF in northern Syria, before later being sent to fight in Libya on behalf of the GNA (McKernan and Akoush, 2020). However, it was viewed as unlikely that these Sunni fighters would be used to support the government of Shia Azerbaijan.

Nonetheless, at least some of these fighters were certainly transferred to Azerbaijan. Since the beginning of the war, several journalists and researchers have revealed that “hundreds” of former SNA fighters are in Azerbaijan, having been offered $2000 a month by recruiters for what they were told would be non-combat guard duty (Ibrahim, 2020). Despite these promises, the fighters confirm that they were sent to the front lines, where several are reported to have been killed (Ibrahim, 2020).

Much as Turkey’s Bayraktar drones made their way first to Syria and then to Libya before finally reaching Azerbaijan, the country’s proxy forces too have followed Turkey’s foreign policy whims from warzone to warzone. While the individual combat effectiveness of these irregular troops is debatable, they have proved useful when deployed simply to shore up existing state militaries. That other countries are following the same model is a testament to this fact. Russia has deployed the quasi-state mercenary outfit known as Wagner Group to a wide range of conflict zones around the world, first in Ukraine and then Syria, Libya, the Central African Republic and Mozambique (Cafiero, 2020). The Wagner Group has not enjoyed the same success on the ground as Turkish-backed mercenaries. However, its continued use by the Russian state shows that the combination of (somewhat) plausible deniability, reduced political fallout, and low cost remain an attractive proposition. Going forward it is highly likely that the use of these quasi-state mercenaries will proliferate over the coming decade, especially in low-intensity conflicts.

Distracted and Disinterested

The outbreak of war in Nagorno-Karabakh has been attributed primarily to political factors, most notably a massive shift in the level of political and material support from Turkey (Nersisyan and Melkonyan, 2020). But another issue looms behind this, allowing the conflict to continue and escalate — global distraction and disinterest.

Much has been written about the transition to a multi-polar world, often with the warning that this shift would bring a greater threat of state conflict. In Karabakh, we are seeing evidence of this trend, with no great power, or multilateral bloc apparently willing to end the fighting. The geopolitics of the region partially explains this neglect. On the fringes of former-Soviet space, the region is far from the attention of major powers like China, the EU, and the US. Even the long-time hegemon in the region, Russia, appears unwilling (so-far) to get involved in a meaningful way, despite nominally being the guarantor of Armenia’s security. The only significant power which appears to be interested in the result of the conflict, Turkey, is instead playing an escalatory role.

One likely explanation for this indifference is that the major powers of the world are highly distracted. The most visible and far-reaching cause of this distraction is of course the coronavirus pandemic, but other events are also involved (Euronews, 2020). The U.S. is grappling with months of violent political unrest, tensions with China and Iran, devastating natural disasters, a divisive election season, and a president suffering from COVID-19. China has no interest in risking its rapidly eroding international standing in the wake of the pandemic and deadly clashes with India in the Himalayas. Finally, Russia is distracted by a political crisis in Belarus, a country with significantly more geostrategic importance to it than Nagorno-Karabakh.

While the argument could be made that these circumstances are unique and unlikely to happen again, the opposite might also be true. Indeed, data shows that political unrest around the world spiked following the Arab Spring in 2011, and has remained high since then (Ianchovichina et al., 2020), suggesting a new stable state of global instability. Climate change is supercharging natural disasters – an ever-intensifying process causing countries to focus their limited resources domestically (Van Schaik et al. 2020). Finally, an increasingly isolationist U.S. is creating a power vacuum, leaving the world without a powerful and willing global player that can apply decisive political or military power to end conflicts (Jennen et al., 2020). Taken together, this state of global distraction and disinterest may, in-fact, characterise the norm for conflicts going forward.

To summarise, what we are seeing in Nagorno-Karabakh is not just the revival of an old conflict, but also something new. Beyond the tragedy of the war itself, the first major state-on-state conflict of this decade should be viewed as a harbinger of what is to come. The effective and overwhelming use of armed drones and the deployment of quasi-state mercenary forces are likely to become the norm, especially in low-intensity conflicts in the developing world. The failure of international actors to apply de-escalatory political pressure due to distraction is also likely to be an increasingly common occurrence. Policymakers would do well to pay attention to these developments and the more dangerous world they create.


Avakian, Shahen. Nagorno Karabakh Legal Aspects . German-Armenian Society (DAG), 2005. German-Armenian Society (DAG) , 2005.pdf. Accessed September 30, 2020.

Azerbaijan Ministry of Defense. “Düşmənin artilleriya qurğularının məhv edilməsinin videogörüntüləri.” YouTube , October 1, 2020, Accessed October 1, 2020.

Cafiero, Giorgio. “The Wagner Group’s Presence in Africa and Beyond.” Inside Arabia , 31 January 2020, Accessed October 2, 2020.

Crino, Scott, and Andy Dreby. “Turkey’s Drone War in Syria – A Red Team View.” Small Wars Journal , April 16, 2020, Accessed September 30, 2020.

Euronews. “Nagorno-Karabakh: Why has there been a flare-up of violence between Armenian and Azerbaijani forces?” Euronews , 30 September 2020, Accessed September 30, 2020.

Ianchovichina, Elena, et al. “Why are people protesting?” Brookings Institute , January 29, 2020, Accessed October 1, 2020.

Ibrahim, Muhammad. “أرمينيا وأذربيجان: بي بي سي عربي تحاور مقاتلا سوريا على خط النار بين البلدين.” BBC Arabic , September 30, 2020, Accessed September 30, 2020.

International Crisis Group. Digging out of Deadlock in Nagorno-Karabakh . International Crisis Group, 2019. International Crisis Group , Accessed September 30, 2020.

Jennen, Birgit, et al. “Trump Has Created ‘Worldwide Vacuum,’ Says Germany’s Top Diplomat.” Bloomberg , 13 June 2018, Accessed October 2, 2020.

McKernan, Bethan, and Hussein Akoush. “2,000 Syrian fighters deployed to Libya to support government.” The Guardian , January 15, 2020, Accessed September 30, 2020.

Nersisyan, Leonid, and Sergey Melkonyan. “The causes and consequences of the outbreak of a new war in Nagorno-Karabakh.” New Europe , October 2, 2020, Accessed October 2, 2020.

Rakesh, Aishwarya. “Turkish Drones in Libya, EW Systems in Syria” Game-Changing “: UK Defense Secretary.” Defense World , July 15, 2020, Accessed October 1, 2020.

Rassler, Don. The Islamic State and Drones: Supply, Scale and Future Threats . Combating Terrorism Center at West Point, 2018. Combating Terrorism Center , Accessed October 1, 2020.

van Schaik, Louise, et al. Ready for take-off? Military responses to climate change . Planetary Security Initiative, 2020. Planetary Security Initiative , Accessed October 1, 2020.

Zwijnenburg, Wim, and Alies Jansen. Violent Skies . PAX for Peace, 2020. PAX for Peace , Accessed October 1, 2020.

Cost escalation and Technological Innovation in the Defence Sector

The problem of the affordability in military equipment acquisition is not unknown. In 1983, Norman Augustine, a CEO of U.S. defence contractor Lockheed Martin, noted that the falling of real prices associated with the electronic industry did not carry over into the defence equipment market. Augustine observed that the cost of fighter aircraft was exponentially increasing and predicted that by 2054 the U.S. defence budget would permit only the purchase of one aircraft to the exclusion of all other defence equipment (Davies et. al, 2012). Equipment acquisition has indeed become more and more affected by unsustainable cost escalation: new generations of defence equipment, such as tanks or fighter aircrafts, have shown increasing cost is well above the consumer price indices on an annualised basis (Davies et al. 2011). Cost escalation poses a substantial reduction in the buying power of the armed forces, representing a considerable problem for nations, especially the smallest ones, in most of the cases leading to military capability as well as technological gaps. Therefore, it is of primary importance for us to think about cost escalation as strictly related to technological innovation in the military industry.

What we know so far. Existing literature shows that increasing prices have been subject of concern in several countries and many scholars have been investigating what are the main driving forces of this phenomenon (Arena et al. 2008; Kirkpatrick 1997; Pugh 2007), most of them concluding that cost escalation for complex defence equipment is primarily led by the arms race between nations. Starting from the late ‘60s, Marshall and Meckling concentrate on the analysis of cost growth during the whole process of weapons procurement, and during the ‘80s and ‘90s several other studies, such as those by Deitchman (1979), Kirkpatrick (1983 and 1995), Pugh (1986, 1993 and 2007) and later by Davies et al. (2011) draw attention on cost escalation in the long-period, thus between generations of weapons systems. A particularly important insight is offered by Kirkpatrick (1995), who demonstrates how the unit cost increase between one generation of equipment and its successor is due to developments in the perceived threat, available technology and industrial productivity. Bolten et al. (2008) research the sources of cost increases tracking thirty-five mature U.S. defence procurement programmes, finding out that cost growth is generated for the 40% in the concept development phase only for the 4% in the procurement phase. Finally, Hove and Lillekvelland (2015) investigate defence investment cost escalation proposing both a clear distinction between intra- and intergenerational Investment Cost Escalation (ICE) and a revision of the estimates.

Advocating for changes. A still unanswered question is “How can we achieve the development of affordable military equipment in the future?” Despite I am not pretending to have the correct answer to this puzzle, I want to propose an interesting point of view, suggested by Amann et al. (2019) that accounts for the very moment of generation of preliminary concept for complex defence equipment: changes in the way affordability is managed in the military industry is the very first step towards curbing cost escalation. Future changes in management could allow the achievement of better strategies of development for more affordable equipment.

A closer look. Let’s dive deeper in the concept of cost escalation and consider the fundamental factors that determine any defence procurement strategy: first of all, the long-standing logic that the performance of the equipment used plays a crucial role in determining winners and losers in a conflict; second, the maximization of utility obtainable from the entire range of equipment, accounting for limited funds; and last but not least, the utility of a defence good that derives from its effect relative to equipment of adversaries – or potential ones. In short, equipment “is good or bad only in relation to what possessed by a potential/actual adversary. The benefits of improved armament are largely those of devaluing existing equipment, especially that of the adversary” (Pugh, 1986). It is clear then, that cost escalation occurs when new generation of weapon systems are purchased as a response to a changing security environment. However, this is just one of the multiple factors that contribute to magnify this phenomenon, and when trying to deal with affordability problems we have to account for many others, such as the imperfectly competitive structure of the defence market, the relative value of the military equipment – which has to be superior to those of rivals – the continuous fight for the acquisition of cutting-edge equipment, and preferential arrangements in favour of national industries.

Intergenerational cost growth. The economic theory considers defence equipment as a tournament good, and in order to maintain military superiority, it needs to be always at the cutting-edge of what is technologically possible, as well as superior to that of potential adversaries. On the basis of that, some scholars, such as Davies et al. (2012) argue that much of the cost escalation can be explained by the change in the specified characteristics of each generational platform. We define the intergenerational cost growth as the change in cost between one platform of military equipment and the next generation of a similar platform: as we can easily deduce, the latter is expected to be more technologically advanced or with improved capacity. Now, how does affordability connect to this? Affordability is generally understood as being the ability to bear the cost of something. In the defence sector, a more technical definition is proposed by Walden et al. (2009): affordability is “the balance of systems performance, cost and schedule constraints over the system life while satisfying mission needs in concert with strategic investment and organizational needs.” But for the purpose of my article, we can leave it aside and rather focus on the fundamental factors that affect affordability, namely competition, price, Whole Life Cycle Cost (WLCC) from the concept stage to disposal, budget, performance, perceived quality and technological innovation. The latter deserves particular attention when trying to explain the causes of cost escalation.

It is all about innovation. As I said, technological progress plays a crucial role both in determining defence equipment concept design and in inflating equipment real cost. The development and subsequent introduction on new technologies affects all spheres of our age, we can easily see that in our everyday life experience, where it seems to (over)simplify our daily routines. However, when it comes to the defence sector it poses the problem of the acquisition of tactical advantages that are short lived: that means relative capabilities remain approximately constant as opponents acquire rapidly similar technology. Innovation, the ability of exploiting resources in different ways and new and new combinations (Schumpeter, 2017), is what makes the real difference between winners and losers. Warfare is constantly subject to technological progress: as correctly pointed out by Dombrowski and Gholz (2009), “the ways that nation-states fight and prepare for war should change if global society undergoes a revolution in technology and organization.” As for the defence industry, the doctrine of warfare has to adapt to post-modern changes and to the emerging information society.

Military industry transformation. It is not easy to define this concept, however, a good starting point is represented by two key relationships that stand at the basis of military transformation: the first is the one between military’s demand for innovation and the defence industry, while the second is the one between the defence industrial sector and the military’s ability to transform. The debate concerning technological progress in this sector seems to emphasize the idea of network-centric warfare (NCW), as it exploits technologies to shift from the traditional platform-centric operations to more advanced network-centric operations. Advocates of the NCW believe that most of the changes are required in military communications more than in any other area of technology: a decentralized network of forces sharing information would engage targets more efficiently, with better precision and from greater distances. But what are the real benefits of NCW operations? I want to list at least four of them mentioned by Dombrowski et al. (2002): increased speed of command, self-synchronization, advanced targeting and greater tactical stability.

What incentives to innovate? Technological innovation and transformation cannot take place unless appropriate incentives are given to the defence industry: these include setting technological and programmatic priorities, coherent doctrinal and operational requirements, receiving analytic support from systems integration/technical advisory organizations, and giving contractual and financial incentives for undertaking investments in innovative programs (Dombrowski et al., 2002). Unfortunately, combining the creation of affordable concepts with the use of cutting-edge technology is not an easy task for the military industry. Among the possible solutions proposed by scholars and experts, I consider the setting of cost targets by offsetting costs in a consistently defined tradespace, starting from the concept generation process, the most promising one. Clearly, further research on the topic is needed, but the balancing of resources, technologies and systems is an initial step in our path towards affordability.

To conclude. Above average cost growth is a persisting and universal phenomenon that affects a large variety of military equipment. The problem of cost escalation in the complex defence equipment procurement and of the military capability gap among nations generated from it has long been discussed. As the concept of affordability is tightly related to that of technology innovation in and transformation of the defence industry, new solutions for balancing the two have to be found both on the economic and political level.


Amann, D., Kihlander I., Magnusson, M., 2019. Affordability Aspects in the Development of Defence Equipment: Case Studies of Concept Generation in the Defence Industry, Integrated Product Development, KTH Royal Institute of Technology, Stockholm, Sweden; Department of Military Studies, Swedish Defence University, Stockholm, Sweden.

Arena, M., Blickstein, I., Grammich, C. A., Younossi, O., 2006. ‘Why Has the Cost of Navy Ships Risen?: A Macroscopic Examination of the Trends in US Naval Ship Costs Over the Past Several Decades’, RAND.

Arena, M. et al., 2008. ‘Why Has the Cost of Aircraft Risen? A Macroscopic Examination of the Trends in US Aircraft Costs Over the Past Several Decades’, RAND.

Bankole, O., Roy, R., Shehab, E., Wardle, P., 2009. Affordability Assessment of Industrial Product-Service System in the Aerospace Defence Industry, Cranfield University.

Davies, N., Eager, A., Maier, M., Penfold L., 2012. Intergenerational Equipment Cost Escalation, Defence Economics Research Paper.

Dombrowski, P., Gholz, E., 2009. Identifying Disruptive Innovation: Innovation Theory and the Defence Industry.

Dombrowski, P., Gholz, E., 2006. Buying Military Transformation: Technological Innovation and the Defence Industry, Columbia University Press.

Dombrowski, P., Gholz, E., Ross, A. L., 2002. Selling Military Transformation: the Defence Industry and Innovation, Foreign Policy Research Institute.

Hartley, K., 2016. UK Defence Inflation and Cost Escalation, Defence and Peace Economics, Vol. 27(2).

Hove, K., Lillekvelland, T., 2015. Defence Investment Cost Escalation – A Refinement of Concepts and Revised Estimates, Norwegian Defence Research Establishment (FFI) rapport 2014/02318.

Kirkpatrick, D. L. I., 1995. The Rising Unit Cost of Defence Equipment — The Reasons and the Results, Defence and Peace Economics, Vol. 6(4).

Kirkpatrick, D. L. I., 1997. The Affordability of Defence Equipment, The RUSI Journal, Vol. 142(3).

Kolko, G., 2009. Technology and the Future of Warfare, in World in Crisis: The End of the American Century, Pluto Press.

Pugh, P. G., 2004. Concept Costing for Defence Projects: the Problem and its Solution, Defence and Peace Economics, Vol. 15(1).

Schumpeter, J., 2017. The Theory of Economic Development, Routledge.

The COVID-19 Cyber Dystopia

How cyberciminals profit from a pandemic

This essay investigates how state-sponsored hacker groups and threat actors are using the global disruptions caused by COVID-19 to further their cyber threat activities. This research is targeted towards those who would like to understand the technical cybersecurity threats that have emerged from the spread of COVID-19.

While countries are in lockdown and a global economic recession is looming, healthcare workers are fighting against the Covid-19 virus. Yet, another war is raging in the cyber sphere. The current pandemic is not only a test of states’ and businesses’ readiness to respond to the crisis on all fronts, but also a challenge to identify and manage the exponential increase in cyber-attacks worldwide. To reduce the spread of the virus we are asked to stay home and abide by social distancing recommendations. Such limitations imposed on public life along with the decreased flow of goods and people’s mobility has urged many employers to allow remote connections to their organizations’ networks.  As a consequence, the number of threat indicators linked to the Coronavirus pandemic has increased by 600% since February[1] illustrating that hackers are working tirelessly to leverage this climate of uncertainty and fear to wreak havoc and pursue their political and financial goals. To illustrate the damage that cybercriminals inflict on the economy, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021,[2] and Europol’s research confirms that cybercrime and fraud have become even more profitable owing to the exploitation of the current situation.[3] If these estimates are correct, the pandemic would help cybercrime become more profitable than the global trade of all major illegal drugs combined.[4]

To provide a breakdown, threat actors are relying primarily on social engineering attacks, in particular phishing emails through spam campaigns and targeted attacks, such as business email compromise (BEC). Malware such as Trickbot, RemcosRAT, FormBook, Agent Tesla, and Lokibot[5] are injected on the infected devices via malicious links and attachments containing, for instance, information about COVID-19. Cybercriminals show no ethical boundaries and will continue to attack wherever there could be a vulnerability. As an example, hackers successfully lured users to open attachments from trusted organizations such as the U.S. Center for Disease Control and Prevention (CDC) and the World Health Organization (WHO), as well as country-specific health agencies such as China’s Ministry of Health.[6] The attack on the WHO is thought to have been carried out by the APT DarkHotel[7] that has been involved in cybercrime and espionage for over a decade.  Additionally, on 2nd April 2020 Reuters disclosed an investigation reporting that hackers tied to the Iranian government attempted to steal personal email accounts credentials of WHO staff.[8] In times of a global pandemic targeting institutions such as the WHO and Ministries of Health, which play a vital role in relaying relevant information on limiting the spread of the coronavirus pandemic, could potentially not only put lives at risk but also extend the duration of the crisis.

Cyber criminals are successfully capitalising on the anxieties and fears of citizens worldwide during this crisis period characterized by high uncertainty and chaos. For example, at least two European Member States have reported on several scams on alcohol gels or medical equipment being purchased online for hundreds of thousands of euros and not being delivered.[9] It is safe to assume that similar schemes will happen over the next weeks and months since the pandemic will hit more and more countries and businesses. Large-scale cyber-attacks could also target critical infrastructure and have serious repercussion for societies, rendering States even more vulnerable. In fact, this scenario has already unfolded on 12 March 2020 in the Czech Republic where cybercriminals carried out cyber-attacks on the Brno University Hospital which forced the facility to shut down its IT network and postpone critical interventions on patients amid the COVID-19 outbreak.[10] These kinds of attacks are particularly threatening due to the risk of loss of life, and therefore raise serious concerns during the public health crisis we are facing.

Tying hacking campaigns to specific entities or countries is often fraught with uncertainty. However, over the past two months, state-sponsored hacker groups from China, North Korea, and Russia have been especially active in using coronavirus-based phishing baits as part of their efforts to induce victims to download malware on their devices and gain access to their infrastructure. To aggravate matters, hackers can cause considerable damage by spreading fake news to create panic and confusion. This happened for example in Ukraine where the security research team @reddrip7 suspects that the Hades APT concealed a backdoor trojan in emails coming from the Center of Public Health of the Ministry of Health of Ukraine.[11] Hades is believed to be tied to the Russian hacker group APT28 (Fancy Bear), and the emails contained false information regarding an increase in infected patients on the same day a plane carrying evacuees from China arrived. As one of those emails went viral, panic and violent riots sparked in the country.[12] This example shows how malicious actors can easily create chaos with a few malware-laced emails because the pandemic environment allows them to maximize their results by exploiting fear and uncertainty.  It further underscores, as never before, that highly sophisticated attacks by cybercriminals and state-sponsored hackers can sabotage and destroy interdependent systems from a distance with devastating consequences.

It is also suspected that North Korean hackers have recently weaponised spear-phishing lures, and the cyber security firm IssueMakersLab observed a malicious document dropping the North Korean BabyShark malware claiming to contain information on South Korea’s response to the virus.[13] This malware strain has been previously utilized by a North Korean hacker group known as Kimsuky. If States continue to be unchecked in their freedom to exploit the pandemic to pursue their financial and political gains, then victims of such attacks could be on a trajectory for even more virulent and destructive attacks than in normal times.

In a recent report, FireEye Inc. investigated how the hacking group APT41 took advantage of the recently disclosed flaws in software developed by Cisco, Citrix and others to try to break into scores of companies’ networks in the United States, Canada, Britain, Mexico, Saudi Arabia, Singapore and more than a dozen other countries. The group has built a reputation in cybercrime and state-sponsored espionage since at least 2012 and the FireEye report said that APT41 conducted “one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.”[14]  Hacker groups have also used legitimate statements by political leaders with advice and statistics on the spread of COVID-19. For example, the group MUSTANG PANDA, which is believed to be Chinese, tricked their victims into clicking on attachments containing statements from the Vietnamese Prime Minister Nguyen Xuan Phuc sharing prevention measures against COVID-19.  In reality, a malicious script is executed on the infected device.[15]        

Authoritarian States could also weaponize COVID-19 by deliberately spying on their citizens. For example, in March 2020 Google removed an Android app developed by the Iranian government from its Play Store because instead of just keeping track of the spread of the disease and informing citizens, several users claimed that this application called ac19.apk was in reality spyware as it collected phone numbers and stored real time geo-localization data.[16]

Businesses and individuals will need to reinforce their security measures and are advised to double-check the authenticity of any incoming messages, emails or phone calls. Further they are advised to be particularly prudent when someone is trying to extract any data in an emergency, pretending there is no time to convincingly explain the context. Several resources are available to citizens and companies; for example, Europol published several guidelines on best practices for home-office which are available in several languages.[17] Similarly, ENISA shared an additional set of useful teleworking tips.[18] Criminal justice institutions will also need to enhance their capability to detect, investigate, attribute and prosecute threat actors. INTERPOL issued the COVID-19 Guidelines for Law Enforcement[19] for criminal justice practitioners. However, given that we find ourselves in uncharted territories, extraordinary measures will need to be adopted to allow better cooperation between the competent agencies to limit the harm caused by the virus and the malicious actors exploiting it. To address those challenges, cyber security experts from more than 40 countries formed the COVID-19 CTI League. One of the initiators of the effort, Marc Rogers, said that the immediate priority is to prevent hacks against medical facilities.[20]

In our hyper-connected digital world, cybercrime is a highly profitable venture and attacks are likely to become more frequent and more sophisticated in the following weeks as the pandemic continues to cast a shadow over the global economy. Lastly, it cannot be over-emphasized that early detection of cyber threats coupled with timely threat intelligence could increase businesses’ resilience and equip them with the right tools to come out as winners in the aftermath of the COVID-19 crisis in cyberspace.


[1] Cyfirma, Corona virus in cyberspace. (2020, March 19). Retrived from

[2] Cybercrimemag. (2018, December 9). Cybercrime Damages $6 Trillion by 2021. Retrieved from

[3] Pandemic profiteering: how criminals exploit the COVID-19 crisis. (2020, March 27). Retrieved from

[4] Periman, K., Da-Costa, F., & Financial Services. (2019, March 22). How to Prevent the Bank Robbery No One Can See. Retrieved from

[5] Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide. (2020, March 12). Retrieved from

[6] Ibidem

[7] Winder, D. (2020, March 25). ‘Elite Hackers’ Thought Behind Cyber Attack On World Health Organization. Retrieved from

[8] Menn, J. (2020, April 2). Exclusive: Hackers linked to Iran target WHO staff emails during coronavirus – sources. Retrieved from

[9] Ibidiem

[10] Cimpanu, C. (2020, March 13). Czech hospital hit by cyberattack while in the midst of a COVID-19 outbreak. Retrieved from

[11] Technical Twitter of QiAnXin Technology, (2020, February 21). Attacks pretend to be from the Center for Public Health of the Ministry of Health of Ukraine and deliver bait document containing the latest news regarding #COVID-19. A backdoor written in C# gets dropped by malicious macro code to perform remote control. Retrieved from

[12] Miller, C. (2020, February 27). A Viral Email About Coronavirus Had People Smashing Buses And Blocking Hospitals. Retrieved from

[13] IssueMakersLab. (2020, February 27). North Korea’s BabyShark malware has been found in the form of document on South Korea’s response to COVID-19. Retrieved from

[14] Glyer, C. (2020, March 25). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved from

[15] Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide. (2020, March 12). Retrieved from

[16] Cimpanu, C. (2020, March 9). Spying concerns raised over Iran’s official COVID-19 detection app. Retrieved from

[17] Staying safe during COVID-19: what you need to know. (2020, April 3). Retrieved from

[18] Tips for cybersecurity when working from home. (2020, March 24). Retrieved from

[19] INTERPOL issues international guidelines to support law enforcement response to COVID-19. (n.d.). Retrieved from

[20] Menn, J. (2020, March 26). Cybersecurity experts come together to fight coronavirus-related hacking. Retrieved from

Cybercrimemag. (2018, December 9). Cybercrime Damages $6 Trillion by 2021. Retrieved from

Periman, K., Da-Costa, F., & Financial Services. (2019, March 22). How to Prevent the Bank Robbery No One Can See. Retrieved from

Cyfirma, Corona virus in cyberspace. (2020, March 19). Retrived from

Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide. (2020, March 12). Retrieved from

Winder, D. (2020, March 25). ‘Elite Hackers’ Thought Behind Cyber Attack On World Health Organization. Retrieved from

Menn, J. (2020, April 2). Exclusive: Hackers linked to Iran target WHO staff emails during coronavirus – sources. Retrieved from

Council of Europe. (2020, April 1). Cybercrime and COVID-19. Retrieved from

Cisomag. (2020, March 18). CYFIRMA says Coronavirus pandemic has impact on cyberspace. Retrieved from

IssueMakersLab. (2020, February 27). North Korea’s BabyShark malware has been found in the form of document on South Korea’s response to COVID-19. Retrieved from

Glyer, C. (2020, March 25). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved from

Capitalizing on Coronavirus Panic, Threat Actors Target Victims Worldwide. (2020, March 12). Retrieved from

Cimpanu, C. (2020, March 9). Spying concerns raised over Iran’s official COVID-19 detection app. Retrieved from

Staying safe during COVID-19: what you need to know. (2020, April 3). Retrieved from

Tips for cybersecurity when working from home. (2020, March 24). Retrieved from

INTERPOL issues international guidelines to support law enforcement response to COVID-19. (n.d.). Retrieved from

Menn, J. (2020, March 26). Cybersecurity experts come together to fight coronavirus-related hacking. Retrieved from

Cybersecurity in the Time of COVID-19. (n.d.). Retrieved from

The CyberWire Staff, (2020, March 25). The CyberWire Daily Briefing, 3.25.20. Retrieved from

Margot Ossola is a Master’s student in International Affairs at the Hertie School. She is fascinated by cyber security and state-sponsored hacking.

Why you should pay attention to our analysis

There are several reasons why our analysis should not be dismissed as “just student talk.” While it is true that we are students, we think this is only one reason why our analyses can add some value to the general discussion of current issues.

Our perspective as students of international security in Germany gives us insights into current trends in research. This insight into new developments and concepts lets us question traditional explanations of old and new issues. This “new spirit” and openness towards creative approaches is worth paying attention to.

We are all studying in Berlin and we are also a group of students with diverse backgrounds. From Central Asia to Northern America, from the Middle East to Subsahara Africa – we have experienced different circumstances and been confronted with a diversity of challenges. This diversity in background, which is often missing in the  security debate, is  another reason why reading our analyses are insightful.

International Security is still too often dominated by men and not reflective of the diversity of actors impacted by international security. It is important to us to challenge this status quo by acknowledging the importance of gender-balance in international security.