The Rise of Invisible Armies in the Age of Cyber Espionage

Ömer Faruk YAKUT*

The “Invisible Armies” that emerged as a result of technological developments in the 21st century have ushered in a new era in espionage activities. Achievements that could not be obtained for many years using traditional espionage methods have been achieved in a very short time in the cyber world thanks to the capabilities of invisible armies. So, will invisible armies, which we can describe as the brightest minds of states, lose their importance in the future, or will they continue to exist on new fronts?


Technological developments in the cyber age have created a different arena of competition in inter-state relations. Undoubtedly, intelligence gathering is at the forefront of this competition. Today, the replacement of traditional intelligence methods with cyber espionage operations has made cyber espionage activities one of the most important security issues of the 21st century. As a result, states have created invisible armies that target rival countries and infiltrate critical systems to gather information in order to achieve their objectives. In this context, this article will examine the historical development, structure, and organization of invisible armies, which are not physically present in the field, operate anonymously, and have the ability to carry out operations that transcend borders when necessary.

The Historical Development of Cyber Espionage Activities

Cyber espionage is defined, in its simplest form, as the digital equivalent of traditional espionage. However, it differs significantly from traditional espionage in method, preparation, and execution. During the Cold War, information gathered through traditional espionage methods was used to gain political and economic advantages over rival states. Because the advanced surveillance tools used today did not yet exist, most of these activities were carried out through physical spies, listening devices, and satellite imagery. The absence of high-tech cyber espionage capabilities placed a great burden on agents attempting to infiltrate enemy territory to gather information. Today, thanks to digital technologies and expanding internet infrastructure, states can access vast amounts of data from their keyboards without sending agents to rival countries. This transformation has not only changed intelligence gathering methods but has also forced changes in the balance of power between states, in diplomatic relations, and in national security strategies.

The Transition from Traditional Espionage to Cyber Espionage

Throughout history, states seeking to maintain their existence and power have placed great importance on intelligence activities, believing in the power of intelligence gathering. The Amarna Letters and the reliefs on the walls of the Medinet Habu Temple are important sources containing evidence that pharaohs constantly received information about the movements of enemy tribes. The individuals mentioned in these sources were generally assigned as spies disguised as merchants, envoys, or soldiers. Looking at more recent history, during the Cold War, spies carried out information gathering activities in rival countries using the methods of “Human Intelligence” and “Signals Intelligence.” By the 1990s, with the widespread adoption of the internet, intelligence gathering methods began to undergo a fundamental transformation.

In the early days, states used different methods and tools to gather intelligence from open-source data by monitoring rival countries’ emails. Later on, they engaged in more advanced activities, such as gaining access to rival states’ websites. Since the early 2000s, these activities have given way to more complex and organized attacks. The “Distributed Denial of Service (DDoS)” attack against Estonia in 2007 was one of the first examples showing that cyber attacks could be used as a weapon at the state level. As a result of this attack, Estonia’s banking system, media organizations, and government websites were damaged and out of service for weeks. The cyber attacks against Georgia in 2008 were carried out in coordination with military operations. This development is considered an important milestone that clearly demonstrates that cyber warfare is part of hybrid warfare strategies.

Characteristics of Cyber Espionage Operations

Cyber espionage activities differ from traditional intelligence activities in several important ways. The most important difference is that cyber espionage eliminates physical boundaries: a cyber spy does not need to be physically present in the target country, and can access the target country’s systems by conducting operations remotely.

The second important feature is scalability. Scalability refers to the ability to monitor hundreds or thousands of targets simultaneously in cyber espionage operations. Cyber spies can collect large amounts of data by continuously scanning target networks with their automated systems and exploiting existing vulnerabilities. This feature makes cyber espionage extremely cost-effective.

The third characteristic is the difficulty of detection. Cyber spies can easily conceal their presence using proxy servers, anonymous networks, and stolen credentials. This property, which makes cyber espionage activities complex and hard to trace, is known as the “attribution problem.” It makes it very difficult to prove the link between the perpetrator of an attack and the party that ordered it.

The fourth feature is persistence and stealth. The degree of perfection of a cyber espionage operation is directly proportional to its ability to remain undetected in the target system for months or years. After infiltrating target networks, “Advanced Persistent Threat” (APT) groups tend to move within the network and maintain long-term access, in addition to systematically collecting data. These groups operate by keeping a low profile to reduce the risk of detection. They also conduct their espionage activities by extracting limited amounts of data to avoid drawing attention during data transfer processes.
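As an added illustration of the low-volume, long-running data extraction described above (example code written for this page, not from the original article), the following Python flags a host that moves a large total volume to one destination in many small nightly transfers, a pattern that a per-flow volume threshold alone would miss. All hosts, destinations, and byte counts are constructed sample data.

```python
"""Flag low-and-slow exfiltration in constructed flow records (added example).
A per-flow volume rule misses an actor that trickles data out in small pieces;
aggregating bytes per (host, destination) over a multi-day window catches it."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real hosts): timestamp,src_host,dst_host,bytes_out
SAMPLE_FLOWS = """\
2024-03-01T09:12:00,ws-17,update.example-cdn.test,48000
2024-03-01T23:40:00,ws-17,sync.example-files.test,190000
2024-03-02T23:41:00,ws-17,sync.example-files.test,185000
2024-03-03T23:39:00,ws-17,sync.example-files.test,192000
2024-03-04T23:42:00,ws-17,sync.example-files.test,188000
2024-03-05T23:40:00,ws-17,sync.example-files.test,181000
2024-03-06T23:41:00,ws-17,sync.example-files.test,195000
2024-03-02T10:05:00,ws-04,backup.example-corp.test,5000000
"""

PER_FLOW_ALERT_BYTES = 1_000_000    # single-flow threshold of a naive rule
CUMULATIVE_ALERT_BYTES = 1_000_000  # total per pair inside the window
WINDOW_DAYS = 7
MIN_FLOWS = 4                       # require repetition, not one burst

def parse_flows(text):
    """Parse 'timestamp,src,dst,bytes' lines into (datetime, src, dst, int)."""
    return [(datetime.fromisoformat(t), s, d, int(b)) for t, s, d, b in
            (ln.split(",") for ln in text.splitlines() if ln.strip())]

def per_flow_alerts(flows, limit=PER_FLOW_ALERT_BYTES):
    """What a naive per-flow rule reports: pairs with any single large flow."""
    return {(src, dst) for _, src, dst, n in flows if n >= limit}

def find_low_and_slow(flows, window_days=WINDOW_DAYS,
                      cumulative=CUMULATIVE_ALERT_BYTES, min_flows=MIN_FLOWS):
    """Return {(src, dst): peak_window_bytes} for pairs that never tripped the
    per-flow rule yet moved >= cumulative bytes in >= min_flows flows within
    any sliding window of window_days."""
    noisy = per_flow_alerts(flows)          # already covered by the naive rule
    by_pair = defaultdict(list)
    for ts, src, dst, n in flows:
        if (src, dst) not in noisy:
            by_pair[(src, dst)].append((ts, n))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        start, total = 0, 0
        for end, (ts, n) in enumerate(events):
            total += n
            while ts - events[start][0] > timedelta(days=window_days):
                total -= events[start][1]   # drop flows that aged out of the window
                start += 1
            if end - start + 1 >= min_flows and total >= cumulative:
                hits[pair] = max(hits.get(pair, 0), total)
    return hits
```

Run on the sample, the naive rule reports only the single 5 MB backup flow, while the windowed aggregation flags the six nightly transfers from ws-17 that together exceed 1 MB.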

The Organizational Structure and Global Distribution of Cyber Units

It is known that invisible armies conducting cyber espionage activities for states, either officially or unofficially, sometimes operate within a country’s military intelligence organization, sometimes within national security agencies, and sometimes within special cyber commands. The United States Cyber Command (USCYBERCOM) was established in 2009 and has since expanded its scope to become a significant structure. The Chinese People’s Liberation Army established the “Strategic Support Force” in 2015. This unit is responsible for coordinating cyber operations as well as electronic warfare and space operations. Groups such as APT1, APT10, and APT41, which are believed to be linked to the Chinese state, are cyber espionage groups that conduct global operations and have the capability to gather both military and economic intelligence. The Russian Federation conducts cyber operations through various agencies. The Main Intelligence Directorate (Glavnoye Razvedyvatel’noye Upravleniye – GRU) and the Federal Security Service (Federal’naya Sluzhba Bezopasnosti – FSB) play significant roles in Russia’s cyber operations. Groups such as Fancy Bear (APT28) and Cozy Bear (APT29), believed to be linked to the Russian state, are among the key actors carrying out sophisticated attacks against critical targets. Countries such as Iran, Israel, North Korea, the United Kingdom, France, and Germany also possess significant cyber operations capabilities. Israel’s Unit 8200, in particular, is considered one of the world’s most advanced cyber intelligence units. This diversity is the most important indicator that the cyber world has become a global arena of competition.

Personnel Structure and Competency Profile of Invisible Armies

Invisible armies are divided into several sub-specialties. These include personnel with different specializations such as cybersecurity experts, software developers, reverse engineering experts, cryptography experts, network architects, social engineering experts, and legal advisors. A significant portion of this personnel is transferred from the civilian sector, while the rest is trained through special education programs. It is critically important for those serving in cyber operations units to possess strategic thinking, operational planning, and risk assessment skills in addition to technical skills.

Technological Tools and Dimensions of Digital Intelligence Warfare

Malicious software used in cyber espionage operations is designed to be much more complex than traditional viruses. Discovered in 2010 and targeting Iran’s nuclear program, Stuxnet targeted industrial control systems (Supervisory Control and Data Acquisition – SCADA) and went down in history as the first cyber weapon to sabotage the operation of uranium enrichment centrifuges. Stuxnet is significant as it was the first cyber weapon to demonstrate the potential destructiveness of cyber warfare and cause real damage in the physical world.

Discovered in 2012, Flame is an advanced spyware program developed to target locations in the Middle East. Focused on information theft, Flame possesses numerous critical espionage capabilities, including keystroke logging, screen capture, file system scanning, network traffic monitoring, audio recording, and data collection from nearby devices via Bluetooth. Similarly, Pegasus, developed by the Israeli NSO Group, is a highly advanced mobile spyware that can be secretly installed on target devices. Pegasus is known for its ability to access features such as the microphone, calls, messaging, call logs, and camera on target devices and collect data from them.

Beyond information gathering and service disruption, the mass explosions of pagers and walkie-talkie-type portable communication devices in Lebanon and Syria in September 2024 received extensive coverage in the global press. Although no definitive conclusion has been reached regarding how the incident occurred or who carried it out, two scenarios have come to the fore. The first is that malware infecting the devices forced their batteries to overheat. The second is a supply chain attack, in which explosive material was secretly placed in the devices during shipping. The first scenario shows that cyberattacks have the potential to directly cause death and injury. The mere existence of this possibility is a frightening indication that invisible armies may not be limited to information gathering and service disruption, but may also have the capacity to cause physical damage and destruction.

Independent Hacker Groups and Cyber Mercenaries

In addition to state-sponsored invisible armies, some non-state entities can also target states by forming their own cyber armies with ideological or political motivations. Groups such as Killnet, Anonymous, and Lizard Squad are prominent examples. Some of the actions of these groups have given rise to the concept of cyber activism (hacktivism). However, one of the most dangerous elements of cyber warfare is mercenary hacker groups, which offer cyber attack services in exchange for a fee. The “Ransomware-as-a-Service” model is one of the most important examples of paid attack services. Some states may collaborate covertly with these groups to conceal the traces of their own attacks. As a result, state-backed attacks carried out by such formations can be passed off as independent criminal activity rather than state action. This is an important factor complicating the attribution of cyber espionage activities.

Future Cybersecurity Concerns and Potential Threats

Artificial intelligence (AI) and machine learning are significant technological developments that are fundamentally changing cyber espionage. On the attack side, AI systems are used for automated discovery, vulnerability detection, and bypassing defense mechanisms; on the defense side, they are used for detecting abnormal behavior, identifying threats, and responding automatically. The proliferation of Internet of Things (IoT) devices presents new opportunities for cyber espionage. Billions of devices, such as smart home systems, wearable technologies, industrial sensors, and medical equipment, are now connected to the internet, creating a massive attack surface. Moreover, the convenience- and cost-driven approach taken in the design phase of these devices makes them attractive targets.

Another future cybersecurity concern is undoubtedly the issue of post-quantum cybersecurity. The fact that increasingly powerful quantum computers will render existing asymmetric encryption algorithms useless poses the greatest threat to current secure communication systems, digital signatures, and encryption infrastructure. Governments and research institutions are working intensively to develop post-quantum cryptography algorithms. However, as this transition process will be complex and lengthy, it is predicted that some governments will collect currently encrypted data with the aim of decrypting it in the future. This strategy is called “harvest now, decrypt later.” It is certain that this data, which is currently being collected and is often seen as unproblematic to collect because it is encrypted, will become a significant weapon that could be used against governments and institutions in the future.

Cyberspace and Hybrid Warfare Strategies

The hybrid warfare model is a multidimensional approach combining military warfare, cyber operations, and economic and political pressure. Within this framework, cyber espionage supports and strengthens military operations, economic sanctions, and political pressure campaigns, thereby increasing the effectiveness of hybrid strategies. Allegations of interference in the 2016 United States presidential election serve as an important example of how cyber operations can influence democratic processes. Cyber espionage operations targeting political parties, the strategic leaking of the information obtained, and smear campaigns conducted via social media were assessed as attempts to manipulate the election process. This case clearly demonstrates the importance of invisible armies in hybrid warfare strategy.

Future Perspective and Strategic Forecasts

As constantly evolving technology creates new opportunities and threats, the scope and capabilities of cyber espionage activities are expected to increase in the coming years. The implementation of 5G technology will increase speed and capacity on the one hand, but will also lead to an expansion of the attack surface on the other. In addition to this, high speed and bandwidth are expected to contribute significantly to real-time cyber operations.

Artificial Intelligence, Quantum Computing, and 5G are significant technological advancements that will proportionally increase the capacity of cyber espionage activities. These developments will inevitably lead to an increase in the number of cyber attacks targeting satellite communications, navigation, and space-based systems, which are of strategic importance to states. Such a situation has the potential to create serious security and stability risks on a global scale. Therefore, developing new security protocols and protection mechanisms to safeguard space systems is no longer an option but a necessity.

The shortage of qualified human resources in the field of cybersecurity is expected to grow even more in the coming years. Although governments and private sector companies currently organize training programs to train cybersecurity experts, demand exceeds supply. This situation is an important issue that must be addressed in proportion to the increase in attacks in the future.

The new security architecture of the 21st century will develop based on the capacity to manage the opportunities and threats presented by the cyber domain in a balanced manner. Therefore, effectively combating the threat of cyber espionage is an issue of utmost importance for the security of both states and individuals. “Invisible armies” will continue to attack and exploit, both for the national interests of the states they serve and for individual interests targeting individuals independently of this. Undoubtedly, states that anticipate this situation and, on the one hand, develop security measures compatible with technological developments and, on the other hand, train qualified human resources capable of responding to cyber espionage activities will always be one step ahead in the cyber warfare arena.

*Cybersecurity and Forensic Computing Expert

Source: stratejiturkiye.com
