In late January 2015, a system administrator at Anthem, at the time one of the world’s largest health insurance providers, made a troubling discovery. The previous night, someone had used the administrator’s own account to execute several queries intended to collect sensitive customer data from Anthem servers.1 In doing so, the attacker had stolen personally identifiable information (PII) associated with nearly 80 million Anthem customers.
In 2015, the cybersecurity vendors Trend Micro and Symantec identified the attacker: a group dubbed Black Vine that was believed to operate from a country in East Asia.2 Moreover, the vendors’ research indicated that the operation wasn’t a mere grab at financial gain, as most had assumed, but one step in a large-scale espionage operation. I conducted some of this initial research; more information became available four years later, when a U.S. federal indictment accused multiple Chinese hackers of participating in the operation against Anthem. The indictment claimed the attackers had targeted a program responsible for conducting background investigations of U.S. citizens who apply for a security clearance. Anthem provided healthcare benefits to U.S. federal government employees, so by comparing the stolen healthcare data with travel information disclosed in security clearance investigations, the attacker was able to compile a list of individuals they believed to be CIA intelligence operatives working covertly in Africa and Europe.3
This might all sound like the plot of a good spy novel, but these events actually took place. At the time, few people suspected that a cyberattack designed to steal healthcare data could lead to the exposure of U.S. spies. Unfortunately, as Anthem and many other victimized organizations have learned the hard way, militaries and governments are no longer the only targets of nation-state attackers. Nation-states succeed in targeting private-sector companies because those companies either don’t believe a foreign government will attack them or simply don’t understand how to defend against advanced attackers. These attackers are frequently misidentified as lesser threats, mishandled, or not detected at all. And while automated cyber defenses can identify and protect against most of today’s threats, on their own they are generally ineffective at stopping nation-state attackers.
These attacks can have devastating impacts on private firms. As in the Anthem attack, nation-state espionage often ends with sensitive customer data exposed and intellectual property stolen. Millions or even billions of dollars are lost when an attacker steals an organization’s intellectual property. In Anthem’s case, the total cost of the breach is unknown; however, Anthem agreed to a $115 million class-action settlement that a U.S. court approved in 2018.4 The firm also faced a storm of negative publicity and had to notify its customers of the exposure. In addition, the research and development that goes into creating new medical technologies or pharmaceuticals requires a great deal of time and money. If an attacking government steals the resulting intellectual property, it can produce the same product without spending the same amount of money or time. Not only does this give the foreign market that benefits from the theft an unfair advantage, but in some cases it puts the originating organization out of business.
Nation-states often target companies working in finance, technology, healthcare, communications, and many other industries. But, for several reasons, these attacks are difficult to predict, and the reality is that anyone can be a target. For example, you’ve likely heard of the 2014 attack against Sony Pictures Entertainment (referred to here simply as Sony).5 A major media entertainment company, Sony does not fit the profile typically attractive to a foreign government. Nevertheless, North Korea brought the company to its knees using cyberwarfare tactics in response to the production of The Interview, a film spoofing the assassination of North Korea’s leader, Kim Jong Un.6 North Korea didn’t want the movie to be released and insisted it would publicly post stolen data unless Sony agreed to scrap the film. After stealing Sony’s data and private information, the attacker launched the second stage of the attack: sabotage. They used custom “wiper” malware known as Backdoor.Destover to delete data from workstations and servers, destroying Sony’s internal infrastructure. The attack left Sony with little choice but to take its network offline and halt normal operations.
Sony hired Mandiant, a third party specializing in incident response, to clean up and mitigate the threat. Unfortunately, by the time Mandiant began work, the attacker had already caused too much damage. Sony’s stock took a massive hit, as did its public reputation. And even then, the attack did not stop. North Korea released additional troves of sensitive corporate email, including salary data and financial negotiations associated with Sony’s films. It also leaked films that would have made the company millions of dollars, posting them publicly for anyone to download free of charge, while the millions of dollars spent to produce those films still had to be paid. Finally, Sony gave in to the attacker and canceled the theatrical release of The Interview, as North Korea had demanded. Essentially, the adversary had won, silencing Sony. Sony eventually gave the film a limited release, which earned far less than initially projected. This remains one of the most well-known and widely publicized examples of a nation-state attacker targeting a private corporation.
Another example came in May 2021, when DarkSide, a Russia-based criminal ransomware gang, compromised Colonial Pipeline and deployed ransomware, disrupting the largest refined-fuel pipeline serving the East Coast of the United States. The gang soon backtracked, claiming the intrusion had not been intentional on its part but was the work of a partner affiliate, one of the operators who carry out attacks in exchange for a share of the ransom. Regardless, the impact caused fuel shortages across the East Coast for almost a week. During that time, panic began to set in as consumers found “out of order” signs at fuel stations. The DarkSide gang behind the attack soon announced it was shutting down and went into hiding. However, the attack cost Colonial Pipeline millions. The damage extended beyond the pipeline itself: the attack and its effects on the United States were a public embarrassment to the Biden administration, which could neither arrest the attackers nor restore fuel supplies quickly.
Whether Anthem, Sony, or Colonial Pipeline could have handled these attacks differently is debatable, but none of the organizations could have entirely prevented an attack by a foreign government or an advanced criminal group. That is in part because none of them understood the severity of their adversary or how to respond properly. As you’ll soon learn in this book, the biggest difference between a traditional threat and an advanced attacker is the human sitting in front of the keyboard. Once a conventional threat is mitigated, it is usually finished; a human-driven attacker, however, simply returns to the system through another door. And unlike other threats, nation-state attackers are in it for the long game. They are patient, objective-oriented, and have vast resources at their disposal. For these reasons, mitigation is often the most misunderstood and mishandled aspect of defending against nation-state attacks. If you begin preparing for a nation-state attack while it’s underway, or even when you first realize you’re being targeted, it’s already too late.
This book aims to provide an in-depth understanding of nation-state, criminal, and advanced ransomware attackers. Anyone supporting private-sector, government, or military operations will benefit from the information presented here. In it, you’ll learn practical skills such as attributing an attack to a specific adversary by correlating similarities between attacks; analyzing phishing emails, time-zone data, and other evidence; and tracking every stage of a multistage, targeted campaign.
The bigger goal is to teach this material to corporate defenders, who have far fewer resources with which to defend against advanced hacking operations such as those conducted by ransomware and government adversaries. We will discuss how nation-states differ from other threats, explain why ransomware attackers can be devastating to their targets, and teach you to identify, attribute, and mitigate their attacks through real-life examples.
This book is divided into two parts. The first discusses the most elaborate and devastating nation-state, criminal, and organized ransomware-driven attacks seen to date. We will shed light on the tactics used to compromise targets and the creative ploys of the attackers behind them. You’ll also begin to see patterns in how these attacks progress. These patterns should help you recognize certain common techniques when defending against novel attacks.
The second part of the book teaches analytical methods and models that can be applied when investigating advanced attacks. You’ll learn several powerful tradecraft tricks to remain anonymous while hunting adversaries. Additionally, you’ll explore intelligence techniques used to track and identify new adversary infrastructure and personas used by advanced cyber threats.
By combining the in-depth understanding of nation-state attackers offered in Part I with the solid analytical tradecraft explored in Part II, you will be able to use cyber-threat intelligence to better defend your organization against targeted attacks.