It’s not just governments that are feeling the disastrous effects of state-sponsored cyber warfare and crime. Recent leaks and discoveries have revealed the existence of, and details about several government hacking organizations around the world. While many of them target governments for intelligence collection, we are starting to see more activity directed towards business. In fact, the private sector is every bit at risk. As recent attacks have shown, you don’t have to be the size of Sony -- or even mock North Korea -- to be a target.
Chinese cyber operations have typically been economically driven, often with a pure profit motive. Several top technology, aerospace, and defense companies have been breached by Chinese state-sponsored hackers, often in what appears to be an effort to steal intellectual property and identities. China’s approach follows the same guiding philosophy the Chinese Army uses: throw as many people at the problem as possible, regardless of talent or training, and eventually you’re bound to get something. These groups include Deep Panda, Putter Panda/PLA Unit 61398, Hidden Lynx, APT1/Comment Crew, Axiom, and many more.
Russian cyber operations enjoy a unique distinction from the other groups because they are more broadly used to collect intelligence, and like Chinese hackers are also involved in profit-motivated cyber crime. The Russians also have a history of aggressive offensive operations such as the Estonian cyber attacks of 2007 that swamped websites of Estonian parliament, banks, ministries, newspapers and broadcasters, amid the country's disagreement with Russia about the relocation of a statue, and more recent cyber attacks directed at Poland.
Unlike Chinese counterparts, Russian hackers also like to spread ideological influence, a discipline known as “Information Operations” within the intelligence community. This includes “troll farms” staffed with hundreds whose job is to spread ideas and cause the appearance of consensus across online forums and social media. Russian state-sponsored cyber efforts are also unique in that they are known to provide training and mercenary-style hacker-for-hire services to other countries -- possibly even North Korea’s Bureau 121 and Iran’s IRGC.
Some notorious non-state actors have been working hard to reach levels of sophistication similar to these state-sponsored groups. There have been many reports of mysteriously unattributed and extremely sophisticated hacker recruiting drives across the deep web. Meanwhile state-like organizations such as ISIS have been actively and openly recruiting hackers. To date, ISIS’s “Cyber Caliphate” has not exhibited this level of sophistication, but it’s probably just a matter of time until we start seeing stateless organizations reaching the same level of sophistication as state actors.
Not a theoretical threat
I recently discovered an unidentified Chinese APT group that breached a mid-sized multinational company. The breach was initially suspected when some employees found copies of their own internal documents online, and an investigation began.
The breach was accomplished via a spear-phishing attack targeting a secretary within the company. Clicking a link ultimately installed custom malware on the workstation, which allowed the APT group to use it as a pivot point from which they launched other attacks. Subsequently, they took control of almost every server and workstation within the company. From there, they began slowly exfiltrating sensitive data off their file servers, just a few small packets at a time, all encrypted.
It’s worth noting that this went completely undetected for months. The breach was finally confirmed through the use of a security audit that made use of adaptive behavioral analysis and threat intelligence combined with traditional vulnerability assessment methodologies.
State-sponsored attacks often demonstrate remarkable complexity. Fortunately, these attacks are detectable and preventable. Business must make use of layered defenses comprised of human-monitored intrusion detection with behavioral analysis integrated with routine security testing, predictive threat intelligence, and education in order to stay secure.