Analytics // Security Monitoring
1/8/2015
10:30 AM
Mike Walls
Mike Walls
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Nation-State Cyberthreats: Why They Hack

All nations are not created equal and, like individual hackers, each has a different motivation and capability.

This is the first in a series exploring the motivations that drive nation-states to participate in nefarious cyber activity. 

We know that hackers hack for a variety of reasons. Some hack because they are greedy or have criminal motives. Some hack to satisfy their egos or gain peer recognition. Some hack alone, and some hack in groups. But many hackers, or more accurately “hacktivists,” join groups like Anonymous in order to demonstrate their dissatisfaction with powerful organizations such as corporations and governments who fail to share their world views.

These hackers don’t consider themselves to be bad actors. They see their activity in a positive light, viewing themselves as contributing to a greater body of knowledge, or furthering a good cause, and often hacking without a clear vision of the second- and third-order effects of their actions.

Another category of hacker supports nation-state strategy by operating in the cyberdomain. These hackers are difficult to categorize, since they may be directly employed by an arm of a national government, the Chinese PLA for example. Or they may be form organized crime entity employed by a national government. Think recent hacks against JP Morgan Chase, attributed to an undefined group in Russia. Understanding the motivation of hackers and the organizations with whom they are associated is essential to understanding their tactics. Knowing one’s enemy is a fundamental concept in kinetic warfare and is equally important, albeit more difficult, in the cyber environment.

Find out more about nation-state cyber espionage in The New Target For State-Sponsored Cyber Attacks: Applications.

I think it is valuable to explore nation-state and nation-state-sponsored hackers because they are generally resourced the best, and their collective motivations run across the spectrum. Because nation-state-supported hackers are funded extremely well relative to small groups and individuals, they can be particularly formidable adversaries for other countries and for commercial industry, regardless of vertical. In short, nefarious nation-state-sponsored cyber activity can have devastating effects on a country’s national security and its economy.

All nation-states are not created equal, and like individual hackers, each has a different motivation and level of cyber capability. As we look at the cyber terrain from a global perspective, we see several countries that surface in the media most often: China, North Korea, Russia, Iran, Israel, and the US.

Leading the Eastern Pacific: China
If you read the daily news you can usually find a story related to China conducting some form cyber exploitation -- often against the United States. There are a number of tangible examples of intellectual property (IP) owned by someone in the US making its way to China. Cleared defense contractors supporting the US Department of Defense have been ideal cybertargets for the Chinese government to exploit. It’s important to understand that the Chinese don't limit targets to the US Military or government. Indeed, every sector of the economy is at risk. So it’s worthwhile to understand why the Chinese government seemingly operates on the wire with little regard for the ethical implications of its actions.

There are two overarching reasons why the Chinese have the dubious distinction of being global leaders in cyber espionage. First, the government is trying to establish a regional hegemon in the Eastern Pacific. Second, the Chinese government has been bitten by the capitalism bug, and realizes that to be a true global economic power it needs to be an innovation leader -- solely being a mass producer isn’t enough.

Following World War II, the US established itself as one of two global superpowers, and arguably the only superpower in the Pacific region. At the same time China, after resolving its civil war, which had been raging prior to World War II, was firmly established as the second major Communist country in the world, along with USSR. Like USSR, China developed an acute mistrust of Western democracy, and of Western capitalism in particular. In reality, the mistrust already existed during the colonial period in the 19th century and the early part of the 20th Century.

Communist philosophy elevated the mistrust to a much more significant level. If we connect the dots, we see China, a Communist government with an innately paranoid view of the rest of the world, squaring off against the symbol of democracy and capitalism in what the Chinese perceive as its own backyard. So over the past 60 years, China has been trying to establish itself as the regional power by trying to catch up to the US, militarily and technologically. The Internet has made it infinitely more convenient for the country to close the technological gap with the U.S. military.

US military F-35 fighter jet compared to a similar Chinese government aircraft.
(Source: Mike Walls)
US military F-35 fighter jet compared to a similar Chinese government aircraft.
(Source: Mike Walls)

Now let’s talk about innovation
In spite of the obvious ethical implications of stealing intellectual property, the Chinese government is comfortable with pilfering intellectual property for the greater good of its society and economy. China has the unenviable task of providing healthcare to over 1.4 billion citizens. Facing this challenge, the government is forced to turn to technology in order to reduce the burden on its healthcare system. It is no surprise that China looks to the West for technology solutions, and as the recognized leader in medical technology innovation, the US is a primary target. Between 2013 and 2014, Chinese hackers targeted 18 companies, forcing the healthcare sector to invest an additional $160M in security for medical and pharmaceutical companies. Interestingly, this apparent surge in healthcare cyber exploitation events coincides with Chinese government investment in healthcare and with the subsequent boom in the Chinese healthcare sector.

From a broader perspective, we know that the Chinese government is the driving force behind the country’s impressive economic growth over the past 30 years. Since 1978, following the shift to a market-based economy, albeit still under Communist Party control, China has averaged about 10% GDP growth per year. To feed the engine of economic growth, China recognized the need to ramp up its ability to innovate. To meet that demand, the China has demonstrated a willingness to close the innovation gap with peer competitors by stealing intellectual property, as demonstrated by the indictment of five Chinese nationals last year for conducting cyber espionage against prominent US companies representing the energy and utility, services, and technology sectors.

More on this topic:

 

Mike Walls is the Managing Director of Security Operations at EdgeWave. During his time as a captain with the US Navy, he was commander of Task Force 1030 and was directly responsible for the cyberreadiness of more than 300 ships, 4,000 aircraft, and 400,000 Navy personnel. ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/26/2015 | 9:25:03 AM
Re: Why the Hack Not?
Good points,@andregironda. If you haven't already, I hope you will take a few minutes to check out and comment on Mike's follow up blogs on why Russia and North Korea hack. Coming up next is Iran, then US & Israel. So stay tuned! 
andregironda
50%
50%
andregironda,
User Rank: Strategist
1/26/2015 | 8:49:29 AM
Re: Why the Hack Not?
It is really simple to gauge the intentions of each country leading to cyber indications, based on a sort of personality test.

While the sociocultural theories are still under massive development, starter frameworks such as Hofstede's cultural dimensions theory should be used to explain the intracacies behind what is going on with cyber.

For China, it is merely about the feeling of overpopulation and raising the standard of living. They feel that breaking the rules is ok because of a sort of motherbearing complex.

Iran is surrounded by great countries of power: Oman and Qatar with huge financial success, Saudi Arabia with their GDP, UAE with their flexibility and popularity, and Iran's local enemy, Israel, with their advanced weapons research. So they build a brotherhood with Lebanon, Syria, Iraq, and the Caucasus.

Russia wants to take all. They want land and resources especially. There is a narcissism to this country that can't be staved.

North Korea has nothing to lose and everything to gain. There is always power in powerlessness and it comes out in cyber.

Part of the problem we have in the US is that we see things only from our perspective. There are many other players, but they may be sided with popular interests. For example, Taiwan -- an enemy of China or not? How do Europe and Russia relate? What of Central, South America, and the Carribean? Africa? You will see all of these in the foreign-relations-related media but rarely ever spoken of in terms of cyber capabilities or interests.
mwallsedgewave
50%
50%
mwallsedgewave,
User Rank: Author
1/16/2015 | 12:26:18 PM
Re: Why the Hack Not?
Great points!  We agree that an understanding of motivation for malicious cyber activity provides insight into what hapopens after a successful attack.  We also agree that it is criitical that we defend against bad actors obtaining credentials.  I think we would also agree that both these points support the notion that we need a more holistic approach to cyber defense.  To truly understand how to defend, we need the complete or "Big" picture.  A little offensive cyber would also help...but we'll have to leave that to the Government.

Again, great points, Thanks!!!
ernesthemmingway
50%
50%
ernesthemmingway,
User Rank: Apprentice
1/14/2015 | 3:10:17 PM
Re: Why the Hack Not?
Excellent article. Understanding the motives and expectations of an adversary is extremely critical to designing a response. As noted, 'ethics', are relative to cultures and are varied depending on your world view. China, Russia and Iran for example have significantly different histories, cultures and world views. Each would likely have diverse agendas for attacking your enterprise, which makes our job quite interesting.

What I might suggest is that while the adversaries are diverse, their means of attack do have a common thread- acquiring credentials from the target in some fashion. Regardless of their goals, our opponents need credentials. Their motivations and capabilities to me mainly become critical post credential compromise... what will they do with those credentials and why?

Doing all we can to make those credentials expensive to obtain seems to be the best solution at this point. I am hopeful that behavior analytics will mature to the extent we can identify anomolous activity to become aware of when the credentials have been compromised. For some highly sensitive accounts this can today be acheived to some degree, however for the most part, most identities are very difficult to recognize as compromised when in the hands of a skilled attacker.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/14/2015 | 2:35:11 PM
Re: Why the Hack Not?
Yes , and, to me, the value of this series, is to better understand the context for various  nation-state actors in the  actions they choose to take. Thanks for enlightening us!
mwallsedgewave
50%
50%
mwallsedgewave,
User Rank: Author
1/14/2015 | 2:15:40 PM
Re: Why the Hack Not?
Thanks Marilyn.  Your statement about China not having "any ethical problem with stealing intellecctual property to further its aims" really captures the point...Nations will act according to what they see as in their own best interest.
mwallsedgewave
50%
50%
mwallsedgewave,
User Rank: Author
1/14/2015 | 2:01:17 PM
Re: Why the Hack Not?
I think Nations/governments "do things" for a number of reasons, but usually they are acting out of what they see as their "National Interests."  A question is whether they are justifiable, or "just" "National Interestes."
David Wagner
50%
50%
David Wagner,
User Rank: Black Belt
1/13/2015 | 12:21:58 PM
Re: Why the Hack Not?
@Marilyn- Well, I find the article interesting, but I don't think the targets of hacking are the "whys" of hacking. If it wasn't medical technology it would be mining or anything else. Evne if the only thing left to take was vacation pictures, a government would take them. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/13/2015 | 12:17:48 PM
Re: Why the Hack Not?
Have to respectfully disagree with you @Dave. I think it's fascinating to learn, for instance, that China looks to the West for technology solutions, and doesn't have any ethical problem with stealing intellecctual property to further its aims. I also had no idea that the Chinese were focused on medical technology innovation and that they are invnesting in that sector of their own economy. Looking forward to reading about what's going on in North Korea, Russia and others in the series. 

 

 
David Wagner
50%
50%
David Wagner,
User Rank: Black Belt
1/8/2015 | 11:17:33 AM
Why the Hack Not?
I guess my answer to the question of why countries hack is the same as why countries do anything-- governments tend to do whatever they can get away with unchecked. Until someone checks them, governments will do it. Sure, knowing the reason behind the espionage helps defend against it. But "because we can" is always the best reason. 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.