A primer on cyber espionage across the planet

Byron Acohido 25 Jul 2019

State-backed cyber spying is pervasive – and its impact on geo-political affairs is deepening

Cyber espionage turned a corner this spring when Israeli fighter jets eradicated a building in the Gaza Strip believed to house Hamas cyber operatives carrying out attacks on Israel’s digital systems.

That May 10th air strike by the Israel Defense Force marked the first use of military force in direct retaliation for cyber spying. This development underscores that we’re in the midst of a new age of cyber espionage.

This comes as no surprise to anyone in the military or intelligence communities. State-sponsored cyber operations have been an integral part of global affairs for decades. And, in fact, cyber ops tradecraft has advanced in sophistication in lock step with our deepening reliance on the commercial Internet.

Here are a few things everyone should know about the current state of government-backed cyber ops.

Russia’s tradecraft

A lot of dots have been connected recently with respect to Russia’s cyber spying, initially thanks to Barack Obama’s leveling of sanctions on Russia for interfering in the 2016 U.S. presidential elections. Among more than two dozen Russians named as co-conspirators by the Obama sanctions were a pair of notorious cyber robbers, Evgeniy Bogachev of Russia and Alexsey Belan of Latvia. 

At the time, both were well-known to the FBI as profit-motivated cyber thieves of the highest skill level. Bogachev led a band of criminals that used the Gameover Zeus banking Trojan to steal more than $100 million from banks and businesses worldwide. Then somewhere along the way, Bogachev commenced moonlighting as a cyber spy for the Russian government.

The Obama sanctions helped security analysts and the FBI piece together how Bogachev, around 2010, began running unusual searches on well-placed PCs he controlled, via Gameover Zeus infections. Bogachev’s searches explicitly sought out intelligence of direct strategic benefit to Russia – just prior to Russia making adversarial moves in the Republic of Georgia, the Ukraine and Turkey, respectively. 

Meanwhile, details of Alexsey Belan’s Russian-backed escapades came to light in March 2017 when the FBI indicted Belan and three co-conspirators in connection with hacking Yahoo to pilfer more than 500 million email addresses and gain deep access to more than 30 million Yahoo accounts. 

The Obama sanctions ultimately linked both Bogachev and Belan to the hack of the Democratic National Committee and several other organizations at the center of the 2016 U.S. presidential elections. The pair were not the first private-sector cybercriminals recruited to serve as Russian assets, and very likely won’t be the last, said Bryson Bort, CEO of security company SCYTHE, a supplier of attack simulation systems.

“Russia explicitly recruits folks already engaged in criminal activities, and once recruited, they are contracted and connected to military organizations for direction and oversight,” Bort told me. “Those activities have criminal end-goals of corporate espionage and theft, but to be clear, they are government-directed.”

Both Bogachev and Belan remain on the FBI’s most wanted cybercriminals list: Bogachev with a $3 million bounty and Belan with a $100,000 bounty. The assumption is that they both reside in Russia under the protection of the Russian government. 

“We have not effectively deterred Russia, as a nation, from executing these operations,” Bort said. “So we can expect them to continue to recruit criminal hackers, grow their capabilities, and continue to use them.”

China’s tradecraft

It’s fully expected that Russia’s cyber spying will continue to revolve around spreading propaganda and influencing elections, as well as maneuvering for footholds, in critical infrastructure and financial systems, in order to put Russia into an improved position from which to manipulate global politics of the moment.

By contrast China takes a long view, as explicitly outlined in its Made in China 2025 manifesto. China has been taking methodical steps to transform itself from the source of low-end manufactured goods to the premier supplier of high-end products and services. It is no coincidence that a long series of Chinese cyber ops can be rationalized under China’s 2025 plan.

“China’s focus has been on the theft of data and intellectual property to advance national interests in key technologies,” Bort said. “It’s an open secret that this is in support of their Made in China 2025 plan.”

China has been stunningly successful at plundering strategic U.S. targets, including: 

“Like Russia, China is targeting governments and critical infrastructure, however, they also have a focus on the intellectual property and personally identifiable information of everyone in the West,” said Jeremy Samide, CEO of Stealthcare, supplier of a threat intelligence platform that tracks and predicts attack patterns. “China is collecting and stealing as much information as they can to build a massive database on everyone and everything in order to see a detailed picture.

“This includes government agencies, our clandestine operators around the world, as well as our allies,” he continued. “Massive amounts of data, intellectual property from companies, and personal data are stolen each year and the numbers are only getting higher.”

In pursuit of national interests 

The United States and the United Kingdom are in the top tier of cyber ops practitioners, as well, as might be expected. The western superpowers are widely known to possess state-of-the-art hacking and digital spying capabilities that they deploy on a daily basis in pursuit of their respective national interests.

Whenever there is a transfer of power, military tension, an act of terror, or a gathering of power brokers, malware spikes across the globe. These above-and-beyond hacking probes target organizations connected to the breaking news and in the flow of deeper intel. The U.S. and U.K. are, assuredly, in the thick of these cyber foraging spikes. 

It’s safe to assume that the U.S. also has hacked its way into position to carry out cyber ops counter measures against any attacking adversary, if and when that should become necessary. One glimpse at the sophistication level of this type of disruptive capability comes from Stuxnet, the self-spreading computer virus discovered spreading through Iranian nuclear plants in 2010. Stuxnet was discovered as it caused computers to shut down and reboot repeatedly. That was a glitch. Stuxnet was intended to spread silently and put its controllers in prime position to access industrial controls at an opportune moment.

Right behind the Big Four, North Korea, Iran, Israel, and France are known to maintain and proactively deploy cyber ops capabilities. Indeed, anyone in position to wheel and deal on the Dark Net, where cyber weapons and supporting services are readily available, can get into cyber espionage at any time. This includes small nations and terrorist cells.

“Almost every nation has a cyber intelligence/warfare capability,” Samide said. “Some nations are more advanced than others, some are more aggressive than others. A lot of state-sponsored activities correlate to fund-raising efforts and/or legacy campaigns that pursue mandates over an extended period of time.”

Case in point, in 2014 state-backed North Korean hackers took a break from hacking into banks to steal funds in order to carry out a devastating hack of Sony Pictures. The reason: to exact revenge for a movie mocking supreme leader Kim Jong-un. After stealing troves of data, the hackers destroyed Sony’s servers, then leaked embarrassing executive emails – a tactic subsequently imitated by the Russians in the 2016 elections.

Then in 2017, a self-spreading worm, dubbed WannaCry, raced around the world encrypting servers at hospitals, banks and transportation companies, then demanding a ransom, paid in Bitcoin, for a decryption key. WannaCry leveraged copies of cyber weapons stolen from the NSA. A few months after WannaCry’s release, the White House blamed the attack on North Korea.

Individual responsibility

Iran is another example of a nation-state playing the long game. Iran is believed to be behind a progressing series of hacks that began in 2012 targeting Saudi petrochemical plants. An attack in August 2017, for instance, sought to access industrial controls, and also to trigger an explosion.

Most recently, state-backed Vietnamese hackers were discovered by security vendor FireEye targeting automotive companies, in the hunt for intellectual property to buttress Vietnam’s fledgling vehicle manufacturing industry.  

What’s coming next?

Cyber ops have been incrementally escalating for at least the past two decades largely out of sight and out of mind for the average citizen. That said, two trends are converging in a way that suggests cyber spying and geo-politically motivated hacking are about to play out much more publicly, going forward.

First, fresh attack vectors are springing out of mobile and cloud computing and the Internet of Things. From a security standpoint, the rising prominence of mobile computing, the cloud and IoT translates into new tiers piled on top of an already vast threat landscape. Second, there’s been a burst of innovation with respect to botnets, the Swiss Army Knife of the top hacking collectives. Here’s what this adds up to, going forward. 

Expanding landscape

Russia, China, North Korea, and Iran continue to proactively support and direct professional hackers engaged in cyber espionage, data theft and network infiltrations; and the U.S., U.K., and Israel have engaged in these cyber ops as well, as I wrote about earlier. 

From a defensive perspective, the situation is not good. We’re plowing ahead with greater reliance on mobile devices and cloud computing as well as the rapid expansion of IoT systems – without comprehensively addressing the attendant security issues. So the threat landscape just keeps expanding.

To make matters worse, security flaws keep turning up in older systems deeply embedded in corporate networks. This represents even more virgin territory – and the latest example is a doozy. Microsoft was recently compelled to issue an emergency security patch for Windows XP and Windows 2003, ancient operating systems it deemed obsolete and had stopped actively supporting years ago.

The trouble is older Windows operating systems continue to be widely used in business networks. This latest vulnerability happens to be similar to the one that precipitated WannaCry, which infected more than 200,000 individuals and businesses in 150 countries. 

Simon Pope, Microsoft’s director of incident response, put this latest flaw in stark context in a blog post: “This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware.” 

Prime targets

We know from Russia’s takedown of Ukrainian power plants, Iran’s forays in Saudi Arabia’s industrial sector and the U.S.-Israeli “Stuxnet” attack on Iranian nuclear plants that industrial controls are prime targets for state-backed cyber ops. Stuxnet, too, was a worm that sought out older, unpatched Windows servers.

A seemingly intractable problem is that enterprises, especially industrial companies, are notoriously slow to implement security patches or replace older servers. After Microsoft issued this latest fix, security firm CyberX analyzed traffic from more than 850 production networks and found that 53% continue to use older, unsupported Windows servers. 

“Patching computers in industrial control networks is challenging because they often operate 24/7 controlling large-scale physical processes, like oil refining and electricity generation,” observes Phil Neray, CyberX’s vice president of industrial cybersecurity.

So will threat actors beat industry officials to the punch? Will the bad guys swiftly apply lessons learned from WannaCry and proceed to more profoundly exploit this latest deep flaw, before the good guys patch or upgrade?

Botnet proliferation

WannaCry, we now know, was created and set loose by North Koreans, primarily as a money-making gambit, which hackers backed by Kim Jong-un are known to focus on. In the two years since WannaCry, the tactics and tools used by elite hacking collectives have advanced considerably, especially when it comes to expanding their use of botnets.

Botnets are made up of vast numbers of infected PCs, servers, and virtual computing nodes. Criminal rings use them to spread malware, infiltrate networks, release worms, steal data, and store stolen data. Security vendor Distil Networks in its “Bad Bot Report 2019” outlines how “advanced persistent bots,” or APBs, are designed to carry out highly sophisticated activities. APBs can automatically cycle through tens of thousands of IP addresses, utilize countless anonymous proxies, switch identities on the fly, and do other fancy tricks to reinforce resiliency. 

Meanwhile, a recent report from Nokia identifies the hottest new source of bots: IoT devices, such as home routers, baby cams and office equipment. Some 78% of the malware traffic Nokia detected in 2018 came from botnets comprised of IoT devices, more than double the rate detected two years earlier in 2016. 

Granted, the source of much of this suspect IoT botnet traffic, Nokia says, today comes from researchers trying out proof-of-concept exploits. Yet it’s only a matter of time before IoT botnets get refined enough to help carry out sophisticated activities, of the type Distil has been tracking. It’s likely that state-backed efforts will move the ball forward.

We’re living in a time when geo-political controversies are flaring at a dizzying pace. This is all fueled by the gathering of intelligence and counterintelligence; by social engineering and propaganda; and by data theft and network disruptions. It’s an arms race like no other.