Know Your Enemy: Nation-State Threat Actors – Part 1

Attacks by nation-state threat actors, who can be understood as groups of individuals employed or sponsored by a government to carry out cyber espionage or cyberwar, are unlike the typical malware-driven attacks most people picture when they think of a cyberattack. Antivirus vendors spend time developing signatures for detecting malware and its subsequent variants, which means that such malware can be detected and remediated. Nation-state groups operate differently.

Basic Tactical Overview

Rather than rely on malware that can be readily bought on the dark web, nation-state groups, who are typically far better funded and more skilled than the majority of hackers, employ several other tactics that make them far harder to combat. Given their resources and experience, they develop custom tools for exploiting vulnerabilities found in both hardware and software. These tools are applied in a highly targeted manner, making it incredibly difficult for antivirus vendors to develop signatures that detect the activity.

Further, many groups place emphasis on stealth because they want to remain present on the victim’s network for extended periods of time, stealing vast amounts of data along the way. This serves the aims of cyberespionage against corporate, government, and military targets alike. Persistence on the network can be achieved in several ways, ranging from running custom malware tools from memory to spending a lot of time simply analyzing the network. Such analysis typically involves discovering who has privileged access and how users access data on the network.

The brief summary of tactics and techniques above is painted with a broad brush, and groups from different nations have different objectives, be it cyberespionage, cyberwar, spreading propaganda, or impacting democratic processes in rival states. It is wise, then, to look at the globe’s major players regarding nation-state attacks and see how they have operated in the past. Those players are China, Iran, North Korea, Russia, and the United States. Take note that each country is dealt with in alphabetical order and not in a perceived order of severity.

China

In the late 1970s, the Chinese People’s Liberation Army established departments specializing in cyber warfare, making the country one of the first to see the potential in opening a digital front to warfare.

Cyber Espionage Shift

Titan Rain

Target: Lockheed Martin Corporation

Motivation: Espionage

Outcome: The attack significantly accelerated the rollout of advanced Chinese fighter aircraft

Summary:

By the early 2000s, the focus of operations had tilted strongly towards cyber espionage. By 2004, US and UK authorities had discovered a vast operation geared towards stealing data pertaining to aircraft in development by the Lockheed Martin Corporation. The operation was dubbed Titan Rain, and to date, no arrests by US officials have been made. The data stolen is believed to have contributed to China’s fast development of stealth and state-of-the-art fighter aircraft.

Operation Aurora

Target: Google and twenty other large companies in the tech sphere

Motivation: Identify Chinese intelligence operatives in the US that may be under investigation by US authorities.

Outcome: The cyberattack and stricter government regulations by the CCP drove Google out of China

Summary:

When news initially broke regarding Operation Aurora, Google believed that “a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists.” Later analysis showed that the attackers were after information pertaining to Chinese operatives who may have been under investigation at the time. It is believed that Aurora operatives gained access to Google accounts that had access to data containing US court-ordered wiretaps.

Since then, groups associated with branches of the People’s Liberation Army have conducted several successful espionage campaigns. By 2015, following several incidents, tensions between the US and China resulted in the two countries declaring something of a cease-fire regarding cyber operations. However, in 2017, as soon as President Obama was replaced by President Trump and relations between the world’s two largest economies soured further, a trade war was declared and cyber operations resumed.

Microsoft Exchange Server Attacks

Target: Thousands of Microsoft Exchange Servers

Motivation: Espionage

Outcome: The attack would have compromised the data of private and government organizations across the globe, resulting in a mass information haul

Summary:

This year, Microsoft accused Chinese nation-state threat actors of hacking the Redmond tech giant’s popular Exchange Server application. The group responsible was determined to be HAFNIUM, with Microsoft security researchers noting,

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.”

The data transferred between these servers could be vital to any future operations or technology projects. This is especially true when one considers that many Fortune 500 companies, military contractors, and US government departments make use of the Exchange Server product to enable communications between staff, clients, and other third parties. With President Biden’s ascension to office, relations between the US and China have not improved in any discernible way. It does not take a crystal ball to know that it is only a matter of time until another incident makes international news headlines.

Not Just One Trick

Cyber espionage is not the only focus of Chinese nation-state groups. Some are dedicated to the promotion of Chinese interests abroad through the use of propaganda tactics. Individuals backed by the ruling Chinese Communist Party (CCP) act as trolls on social media platforms, either spreading Chinese propaganda or false information intended to promote Chinese interests and harm rival nations’ interests.

Collectively, the trolls have become known as the Fifty Cent Party and are believed to have pumped out nearly 500 million social media posts. The Center of Foreign Relations has stated,

“What’s more, the CCP has created a command structure to manage its millions of full- and part-time trolls. Cyberspace Affairs Commissions and Propaganda Departments retain ultimate authority over the country’s internet ecology, but they call upon “squadrons,” “brigades,” and “detachments” of volunteers at colleges and universities to keep tabs on day-to-day activities in each locality. This dual-track system of professionalized and grassroots internet commentators enables the CCP to tap into the organic nationalism of some young Chinese netizens while granting paid censors visibility and authority over content posted to social media platforms.”

And,

“Second, China’s trolls don’t need to meddle on foreign networks to deal damage abroad. During its first decade in operation, China’s “Fifty Cent Army” primarily stuck to shaping public perception of domestic Chinese social and political issues. Chinese social media platforms remain their primary stomping grounds. But in the past five years, the CCP has started leaning on its army of trolls to launch harassment campaigns against overseas researchers and consumer boycotts against foreign firms doing business in China.”

It is clear that the cyber threat posed by Chinese nation-state groups, be they linked to and funded by the People’s Liberation Army or organized and maintained by the CCP, is one that cannot be underestimated. In Part Two of this series, we will look at how Iran conducts cyber operations through the lens of a historical analysis.
