Know Your Enemy: Nation-State Threat Actors – Part 3

In the last article of this series we looked at how Iran’s state-sponsored hacking activities evolved into the destructive force it is today. However, Iran is not the only nation-state force in the region to be worried about. Many Arab countries use cyber war and cyber espionage to further their geopolitical goals, but none are as savvy as Israel. A quick Google search of Israeli activities in this regard will often return articles detailing Israel as the target, more often than not targeted by Iranian nation-state threat actors.

Whether as a result of being the target, or of furthering its geopolitical agenda, likely a mixture of the two, Israel is no amateur when it comes to cyber war and cyber espionage. This article focuses on three events that show Israel’s cyber capability is incredibly dangerous if you find yourself on the wrong side of it.

Stuxnet

Target: Iran’s Nuclear Weapons Program

Motivation: Cripple the target state’s ability to enrich uranium

Outcome: The malware proved to the InfoSec community that hardware could be damaged beyond repair following an attack. It set a very dangerous precedent.

The Stuxnet incident forever changed what security researchers believed about how far states would push cyber operations. In a very real sense, it opened a Pandora’s box that has defined the current reality in which nation-state groups operate. For industry veterans, the Stuxnet incident left deep scars in the InfoSec community that will be long remembered.

In June 2010, reports began to emerge that a new computer worm had been discovered. Shortly after the worm’s discovery, it mutated to attack programmable logic controllers (PLCs), which are used to automate machine processes, and it was spread through compromised USB sticks loaded with the malware. It would then go on to destroy centrifuges used by Iran’s nuclear program to enrich uranium. One of the reasons the incident received so much attention was that it was one of the first known instances of malware actively destroying hardware.

There was a lot of speculation at the time as to who was responsible. Fingers quickly began pointing at the US and Israel, as any impact on Iran’s nuclear weapons program would benefit those two nations the most. It would later come to be believed by the public at large that Stuxnet was created by the U.S. National Security Agency, the CIA, and Israeli intelligence. This view would later be supported by several prominent experts.

Soon after Stuxnet made headlines, copycat malware targeting PLCs began to emerge. Examples of such malware include:

  • Duqu (2011). Based on Stuxnet code, Duqu was designed to log keystrokes and mine data from industrial facilities, presumably to launch a later attack.
  • Flame (2012). Flame, like Stuxnet, traveled via USB stick. Flame was sophisticated spyware that recorded Skype conversations, logged keystrokes, and gathered screenshots, among other activities. It targeted government and educational organizations and some private individuals, mostly in Iran and other Middle Eastern countries.
  • Havex (2013). Havex was intended to gather information from energy, aviation, defense, and pharmaceutical companies, among others. Havex malware targeted mainly U.S., European, and Canadian organizations.
  • Industroyer (2016). This targeted power facilities. It’s credited with causing a power outage in Ukraine in December 2016.
  • Triton (2017). This targeted the safety systems of a petrochemical plant in the Middle East, raising concerns about the malware maker’s intent to cause physical injury to workers.

Natanz Incident

Target: Natanz Iranian Nuclear Enrichment Facility

Motivation: Hamper Iran’s nuclear program

Outcome: The attack set back Iranian nuclear ambitions, whether for power or nuclear weapons, by years.

In April 2021, reports began to emerge that new centrifuges used by Iran for nuclear enrichment had been forced to shut down only hours after going online. Iran was quick to blame Israel; given that country’s past successes in helping cripple Iran’s nuclear ambitions, this was to be expected. However, unlike in past attacks where secrecy was seen as paramount, Israel seemed to claim responsibility and placed no censorship rules on media looking to cover the incident. Israeli politicians would say that the attack was done to help guarantee the nation’s survival, with Iran being one of the small nation’s perceived major threats.

If any script writer was looking for the sequel to Stuxnet, Israeli nation-state hackers had just provided it. The attack further illustrated how vulnerable Iran could be to attacks targeting PLCs and other industrial control systems. It was not only Iran that was proved vulnerable: these systems in general were shown to be open to malicious attacks, and the potential damage such a successful attack could cause was starkly highlighted.

Pegasus

Target: Anyone, if a customer of NSO’s spyware, dubbed Pegasus, willed it

Motivation: NSO, the private company responsible for developing Pegasus, sold the product to governments and organisations around the world to supplement their cyber espionage ability. Journalists, politicians, and activists were all targeted and had their mobile phones compromised by the spyware.

Outcome: While NSO is a private company based in Israel, its customers included the FBI and Mossad, along with other intelligence-gathering organisations with questionable ethics and a complete disregard for privacy. The incident proved how vulnerable everyone is to spyware bought by governments.

To say that NSO is a nation-state group is a stretch. While it has been reported that Mossad made use of the spyware, any link to the Israeli state is speculation, though within the realms of possibility. The numerous indiscretions of Pegasus, far too many to detail here, have been well documented, but in summary the malware would grant access to an individual’s smartphone as long as the product was paid for. The entire saga showed exactly how governments view the individual’s right to privacy. Many customers, despite NSO saying it vets all clients, used the product to keep tabs on political rivals and their families. Despite NSO being a private company, its product Pegasus showed how far those in positions of power would go to maintain the status quo.

Conclusion

In conclusion, it is clear that both government entities and private ones in Israel have advanced cyber warfare and cyber espionage capabilities and deserve to be included in discussions surrounding the dangers posed by nation-state groups. In the next article we will look at how North Korea has blurred the lines between nation-state groups and those that are more financially motivated.