NATO Experiments with Deception Techniques to Counter Russian Hackers

During cyber exercises held in Estonia from November 16 to 20, NATO specialists practiced catching government-sponsored hackers using specially designed traps. The exercises, coordinated by the Estonian Ministry of Defense’s Cybersecurity Training Center, involved 1,000 participants. While previous drills focused on simulating hybrid warfare methods, this year’s event centered on using hacker traps—honeypots and honeynets.

How the Trap Works

The trap operates as follows: when a “Russian hacker” attempts to infiltrate the protected network of a NATO member government, the attacker first identifies a target—someone whose credentials can be stolen to gain access to the network and move from host to host, collecting valuable information. The victim then receives a phishing email containing a malicious link. When the victim clicks the link, the hacker gains access to the network.

However, the information stolen by the attacker is actually worthless and was intentionally made available for theft. After the hacker has entered the “network,” researchers can study the attacker’s tools and tactics. The hacker remains unaware that they have taken the bait and are, in fact, being observed and analyzed by NATO specialists.

Gathering Intelligence on Hackers

According to Alberto Domingo, Technical Director for Cyberspace at NATO’s Allied Command Transformation, this approach allows experts to gather as much information as possible about their adversaries. In particular, they can determine who the attacker is, what their capabilities are, what goals they are pursuing, and what actions they might take next.

Honeypots: From Private Researchers to Governments

While the use of honeypots by private security researchers is nothing new, governments have only recently begun to adopt these techniques. It remains unclear whether NATO uses honeypots solely in training exercises or also in real-world scenarios.