The Unfortunate Many: How Nation States Select Targets

Editor's Note: The following blog post is a partial summary of our customer webinar featuring Greg Reith, threat intelligence analyst at T-Mobile.

State-sponsored cyber attacks are easily the most intense, sophisticated, and well funded in existence.

They strike hard, fast, and often leave a trail of destruction in their wake.

Many governments are developing and deploying cyber capabilities at some level. Cyber defense is the bare minimum required in the current climate, and it’s reasonable to assume some level of offensive cyber capability.

It’s also safe to assume most governments are far from open about the extent of their cyber activity. Politically they maintain a level of plausible deniability. Militarily they cloak activity in secrecy and classification. As a result, attributing cyber activity to a specific state actor isn’t always a simple task.

But if you’re planning a cyber strategy for your organization, this level of ambiguity is a concern.

At a minimum, you need to know if your organization is likely to be targeted by nation-state actors. Ideally, you need to know why you’re being targeted, which of your assets are at risk, and when attacks will come.

Understanding Nation-State Motives

It’s easy to think of state-sponsored attacks as lightning bolts. Sudden. Destructive. Unpredictable.

But this mode of thinking is, in itself, highly damaging. If you understand why nation states get involved with cyber activity in the first place, you’ll find their attacks are more predictable than they seem.

Here are some of the most common motivating factors:

Military — Whether deployed in isolation or alongside physical force, cyber activity has proven hugely impactful in military settings. During its 2008 conflict with Georgia, Russia made extensive use of cyber warfare tactics. This culminated in several attacks against the Georgian government website, carried out concurrently with so-called “kinetic” military operations in South Ossetia.

Political — Politics has never been a clean sport, and nation states the world over have adopted cyber activity as a means of deploying political pressure. In 2008, Chinese “nationalist hackers” attacked CNN's website in response to the organization’s reporting on Chinese repression of Tibet.

Civil Disruption — In recent years, state-funded attacks on other nation states has become the norm. Critical infrastructure (e.g., telecommunications, utilities, etc.) and information outlets have been the most popular targets.

Activism and Propaganda — Whether it’s religious differences in the Middle East or ideological differences in the South Pacific, political activism and propaganda are nothing new. In recent years, however, cyber has become the go-to platform for this type of activity. Nation states, both large and small, have used cyber activity to do everything from promoting their agendas, to propping up proxy states. And, sadly, ISIS has been at the forefront.

Industrial Espionage — This type of cyber activity is dramatically underreported, and often financially motivated. China in particular has been notable for its willingness to engage in espionage activities, primarily in search of economic and technological advance. A 2015 report even tied the state-sponsored Chinese People’s Liberation Army (PLA) unit 78020 to massive scale military, political, and economic cyber espionage in the resource-rich South China Sea area.

Of course, a basic understanding of potential motives isn’t enough. If you’re going to develop a cyber strategy to cope with state-sponsored attacks, you’ll need to consider the most active players.

The Big Players

For those governments in the world with a cyber capability, each has its own needs, plans, and strategies.

For organizations in the western world, a few states in particular are worth paying close attention to.

China — As the nation with by far the highest level of covert cyber activity, China is the proverbial 800-lb gorilla. Its primary objectives are economic and technological advance, and recently its focus has been heavily on healthcare infrastructure and technology. China’s focus mainly on western capitalist states, particularly the U.S., and its throughput of cyber activity is phenomenal.

Russia — Although often thought to be primarily motivated by financial gain, a close analysis of Russia’s cyber activity points to a desire for geopolitical factors such as power projection. It has, for instance, routinely supported kinetic military operations with cyber warfare tactics. Unlike most other major states, Russia prefers to work through organized criminal groups rather than amassing a formalized cyber workforce, perhaps to distance the administration politically from cyber activity. As a major political player for decades now, the recent attacks relating to the U.S. election are indicative of the scale of Russia’s ambition.

Iran — Iran’s mission is clear: to assert power over the Middle East. In this pursuit, its cyber strategy has centered around minimizing western military and economic influence in the region, most notably that of the U.S. which maintains close ties with Israel and Saudi Arabia. In addition, Iran routinely uses cyber attacks in an attempt to destabilize nearby governments friendly to western nations, and has openly stated a desire to “wipe Israel off the map.”

Israel — Unsurprisingly, Israel’s motivation for cyber activity is highly political, and focused primarily on disrupting Iranian military and nuclear armament. Israeli state actors have occasionally worked alongside other nations (including the U.S.) in this endeavor, and are locked in a state of quasi-cyber warfare with Iran.

North Korea — On the global stage, the Democratic People’s Republic of Korea (DPKR) is the equivalent of a toddler having a temper tantrum. Historic analysis of DPKR cyber activity displays an odd mixture of revenge and paranoia on the part of Supreme Leader Kim Jong-un. There has been much speculation over whether DPKR was really responsible for the 2014 Sony hack, but either way the nation’s response to the film “The Interview” pretty much sums up its cyber strategy.

United States — As with most things the U.S. does, its cyber objectives are closely linked to national security. Of course, that doesn’t mean U.S.-sponsored actors content themselves with purely defensive activities. Among other things, U.S.-sponsored actors were instrumental in denying Iran nuclear capabilities via “Operation Olympic Games.” And in case the matter of partnering with allied states to carry out complex operations was in doubt, the Department of Defense’s cyber strategy is clear: “The Department of Defense must work with its interagency partners, the private sector, and allied and partner nations to deter and if necessary defeat a cyberattack of significant consequence on the U.S.”

Understanding each state’s motives is tremendously valuable from a planning perspective. Unless you’re an Iranian nuclear contractor, you’re unlikely to be targeted by Israeli state actors, and knowing this enables you to discount those threats from your planning.

On the other hand, if your organization has anything to do with U.S. telecommunications, Chinese or Russian state-sponsored attacks are a very real possibility.

Threat Drives Everything ... and Targeting Drives Threat

Hosting a recent webinar for Recorded Future, Greg Reith, threat intelligence analyst at T-Mobile, provided valuable insight in the cyber planning process used by most nation states. Most states, he explained, develop national five-year plans that inform all their cyber activities.

“2016 started the new five-year plan for China, Iran, Russia, North Korea, Israel, a number of other countries, and it depicts what they expect to do and accomplish in the next five years. You can historically correlate those five-year plans with cyber attacks, cyber attack strategies, and so on, because that's what they're using in a lot of cases to fulfill the objectives of that five-year plan.”

China, for example, has APT groups in place specifically to fulfill five-year plan requirements. Its latest plan, which commenced last year, appears to be heavily telecoms and technology focused. In particular, China aims to learn as much as possible about western methods and technologies, and use the information to design the “next step” in each area.

Speaking about China specifically, Reith continued: “They’re more communications focused this time than they were in the last five-year plan. We're more than likely going to see an influx of nation-state activity from those threat actor groups.”

Of course, nation states don’t simply publish their five-year plans for all to see.

Identifying the content of each nation’s plan requires the use a tool such as Recorded Future to identify and analyze hard-to-find documents like obscure think tank studies, national assessments and plans, research observations, crime-related statistics, and idealistic/motivational data.

Five-year plan data, once collected and analyzed, can also be validated by studying the behavior of threat actors known to be state sponsored.

“Once we have the data we can start looking in Recorded Future for things that validate what we see,” explained Reith. “We’ve been able to detect, for example, that there was a Chinese state threat actor who had never worked in the telecom field before that started to focus on reconnaissance and then got some tools from one of their system attack groups that focused around telecoms.”

These types of variations in nation-state cyber activity planning are important, because they could lead to a greater focus on your industry. If that happens, you need to be ready.

After all, if you’re in healthcare, you expect to be targeted by organized crime groups.

Medical records are highly sensitive, and fetch a premium price from the right buyer. But you don’t, necessarily, expect to be targeted by Chinese state-sponsored actors bent on espionage.

Recorded Future can help you identify and validate the content of nation-state five-year plans, to predict if and when state actors are likely to attack your organization. Not only does this give you a chance to prepare for these attacks, it gives you a chance to prepare specifically for those threats most likely to arise.

If you’d like to know more about how nation states plan and execute their cyber strategies, you can listen the the entire webinar with Greg Reith. Alternatively, contact us if you’d like a demonstration of how Recorded Future can be used to identify and prioritize threats, whether state-sponsored or otherwise.