Cyber Threat Landscape: Attackers and Operations

This is the second post in our blog series that aims to provide a basic overview of the contemporary cyber threat landscape.

In 1996, a group of RAND researchers published a seminal book on the then alien concept of “netwar.” They introduced and defined the term as an “emerging mode of conflict (and crime)” in which actors rely on small teams lacking a “precise central command” or a rigid hierarchy (Arquilla and Ronfeld, 1996).

Although the term is often identified with criminal activity or digital networked politics, the authors emphasized the potential impact it could create due to the diversity in its scope. Not only did it state netwar can be initiated for criminal, ethnic, nationalistic, religious, or political purposes, but it would not remain bound to online or offline status.

With the number of cyber groups that have surfaced and successfully made their mark on the digital ecosystem since then, many of the author’s insights still ring true today. The evidence of evolving tactics, attack methods, targets, and most importantly, the structure and identities of cyber groups – though highly evolved now – resonates with the primary concepts laid out in the paper.

Today, the entities that mainly constitute the cyber threat landscape can (generally) be classified into the following two categories.

1. Hacktivist

Hacktivist groups make use of computers or computer network systems to launch cyber attacks to achieve political gains or make political points. Some examples are Anonymous, AnonGhost, and the Syrian Electronic Army.

These groups generally lack steady income or the fiscal sponsorship to support a dedicated team tasked with recruiting individuals, coordinating activities, and developing long-term strategic planning. They are, however, adept at deriving geopolitical strength from magnifying issues, highjacking existing — usually oppositional — movements, propaganda, and converting amorphous discontent into a tangible form.

Common attributes of hacktivist groups are:

• Their ability to capture media attention.
• Their bold, ambitious, and recognizable aesthetics.
• Their participatory openness.
• The misinformation that surrounds them.
• Their unpredictability.

Two of the top hacktivist groups are discussed below.

Anonymous

“Anonymous” is a banner used by the splinter formations of technical – as well as non-technical – individuals and groups apt at conducting a tactically diverse range of operations. They have been remarkably effective at instilling concerns into governments, corporations, and intelligence communities around the world.

Tactics

Contrary to what the mainstream media would have you believe, the success of Anonymous stems not from the hacking campaigns, but, from its various forms of threat activity. Anonymous has conducted operations ranging from street protests to distributed denial of service (DDoS) campaigns. Each attack includes a carefully chosen target that will have high political, social, or symbolic value.

To make up for its limited human, financial, and technical resources, Anonymous has been know to practice smoke and mirror tactics – like taking false credit for an attack. This approach has created a mystic cloud around their reputation, making the group more elusive and unpredictable for threat intelligence analysts.

Operations

Each one of their operations can usually be linked to a particular IRC network, such as AnonOps, AnonNet, Voxanon, or a Twitter account dedicated to the operation, such as @OpLastResort.

Anonymous relies on the media to amplify its actions and amass support but owing to its past failures, it’s becoming increasingly independent from corporate and mainstream media to get word out or issue calls to action. One of its largest social media outshoots, Your Anonymous News (@YourAnonNews), currently has over one million subscribers and roughly 25 individual contributors.

It’s important to point out hacktivists groups such as Anonymous are deploying their socio-political muscle across the globe. The case in point is the Million Mask March. Such hacktivism is usually intended to create temporary unrest. It does, however, have a lasting impact on the socio-political fabric of any society which may result in an increased number of sophisticated cyber attacks, and ultimately shifting the (global) cyber threat landscape.

Syrian Electronic Army (SEA)

This group of prolific hackers, which started off in the mid-2011s as a loyal hacktivist group to President Bashar Al-Assad, has since then evolved into a full-blown cyber outfit capable of launching sophisticated attacks. No longer are their operations limited to pro-Assad defacements or spamming against rival governments, online services, and news agencies deemed possibly hostile to Asad’s government.

It is difficult to pin down the extent of their connection with the Syrian government. The domain name of SEA was registered by Syrian Computer Society – which was previously headed by Bashar Al-Assad, however, the possibility of state sponsorship cannot be completely ruled out. Even if a credible connection between SEA and Syrian government cannot be established, SEA as an entity provides government with operational covertness, anonymity, and strategic depth which would be too lucrative to overlook.

Tactics

The Syrian Electronic Army has used malware and modern hacking tools in past operations, however, their standard method of operation is now spear phishing; a craft they have perfected very well and have used in approximately 65% of their operations. They pay no attention to the international borders in the selection of their targets which include embassies, governments, military and law enforcement communications, newspapers, NGOs, and rival cyber outfits.

Also, SEA is believed to have used the following Remote Access Tools (RAT) and Trojan Horse applications in the past: Blackshades, DarkComet, Fynloski, Rbot, Xtreme RAT, and Zapchast.

Campaigns

SEA campaigns tend to have political implications but that’s not always the case. One example is the Tango mobile messaging hacks they executed which provided them with sensitive intelligence data.

2. State Sponsored Cyber Entities

The second category includes formal organizations, groups, and units backed by government institutions to conduct highly specialized attacks where clear targets are the focus. Their aim may vary from conducting cyber espionage to completely sabotaging the critical infrastructure of the rival state.

They are mostly well funded, enjoy advanced infrastructure capacity, and have the capability to launch massive, highly complicated, and expensive attacks. Stuxnet is an example of malware which was allegedly launched by Israeli and US agencies to sabotaged Iran’s nuclear program.

Following is a good example to illustrate this category.

China’s Unit 61398

Unit 61398 of the People’s Liberation Army is a Shanghai-based hacker group. Allegedly, the unit is responsible for conducting cyber espionage against at least 141 corporations that span over 20 industries, 87% which are headquartered in English-speaking western countries.

The exact size of Unit 61398 is unknown but the group operates out of a 130,663 square-foot, 12-storied facility which is big enough to employ hundreds or even thousands of staff members. Unit 61398 relies on some of the most advanced and carefully engineered attack vectors and methodologies, one of which is where its members, after intruding a network, periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property: technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and contact lists.

The Chinese government has denied its so-called connection to the unit, even saying the government itself has been targeted multiple times. However, the circumstantial evidence via open source intelligence makes the whole case particularly interesting.

Worth Noting

There are many cyber threat campaigns where the attacker goes unidentified. So, we could easily add one more category and call it “Miscellaneous.” This category mainly comprises of individuals or groups who could generally be referred to as opportunist or hobbyist. They have limited capabilities as well as resources, and can only conduct small or medium scale attacks (in most cases) for fun or for challenge’s sake.

Even though the frequency of attacks by unidentified actors far outweighs the activity by organized cyber groups, or that of state actors, their complexity remains subdued when compared to attacks by the latter.

Now that I’ve explained the main attackers in the current cyber threat landscape, I’m ready to go even deeper. In my next article, I provide a forecast for potential future hotbeds for cyber attacks.