Nation-state attacks aren’t like most threats you’ll encounter. Typical threats rely heavily on malware, so you can often mitigate them with automated defenses. Once antivirus vendors develop signatures for the malware, their software can intercept it without the need for human interaction. At that point, the criminal behind the threat will generally lack the time and resources to rethink the failed attack and move on to another opportunity.
When nation-state attackers fail, however, they will likely respond by dedicating more resources to the objective, which is how they have succeeded in targeting governments, militaries, and powerful private sector companies such as Google and Sony. Unfortunately, many organizations mishandle these types of attacks, leading to devastating compromises far worse than those caused by financially motivated attackers.
In June 2016, the North Atlantic Treaty Organization (NATO) recognized cyberspace as an official domain of warfare.1 Before then, domains of war consisted of physical environments with measurable boundaries, such as space, land, sea, and air. The cyber domain is virtual, however, and navigating it requires a different approach, as it has no borders. Furthermore, cyberattacks can directly affect combat in the other domains, leading military strategists to rethink how they plan for war.
This chapter will provide some historical background, ranging from the birth of cyber-espionage attacks to some of today’s greatest threats. Once you understand the motivations, tactics, and behaviors of nation-state attackers, you will be able to mitigate them more effectively. While we will focus on a brief time period, this background should provide you with a solid starting point for handling these threats.
In 1975, Ye Jianying, one of the founders of the People’s Liberation Army (PLA), presented a report to the Central Committee of the Communist Party of China titled “Strengthening Electronic Countermeasure Work.” The country hoped to surpass the United States as the world’s largest superpower by 2049, which marks the 100th anniversary of the founding of the People’s Republic of China. Ye’s report documented how China could use electronic warfare as a weapon to strengthen its military force and increase its position as a major world power.2
Ye was ahead of his time; few had considered the significance of computer and network technologies in the quest for world power. The Chinese government soon followed his advice, establishing training programs dedicated to cyberwarfare. In 1979, it founded the People’s Liberation Army Electronic Engineering College, which trained soldiers in blocking, deterring, and evading electronic radar communications.3 The war college fell under the guidance of both the country’s General Staff and the PLA. Twelve years later, the School of Electronic Countermeasure of the National Defense Science and Technology University began educating and training PLA soldiers. This academic program taught soldiers about the use of computers and networks, focusing on concepts, such as offensive computer operations, that remain relevant to cyber operations today.
These efforts marked China as among the first nations to begin developing cyberwarfare capabilities. Since then, it has implemented one of the world’s most successful cyber-espionage programs. By the 1990s, it began to fast-track the advancement of its cyber-based forces, and its military programs and research grew between 1991 and 2000. Based on publicly available information, it appears China has been executing cyberwarfare operations since at least 2003, largely motivated by intellectual property theft.4 Over time, the nation has used theft to increase its political standing as a world power. The following sections describe the country’s most significant actions in the cyber domain.
The year 2003 marked the beginning of a multiyear advanced espionage attack. Named Titan Rain by the U.S. Department of Defense, the campaign involved attacks against well-known U.S. defense and technical engineering laboratories.5 A year into the attack campaign, Shawn Carpenter, a security analyst at Sandia National Laboratories, was the first to identify the activity.6 Carpenter spent his days working at the lab under Lockheed Martin on a contract to develop and build U.S. fighter jets. In 2004, Carpenter found evidence that an attacker had breached both organizations and smuggled files onto attacker-controlled servers. When he investigated the activity, he located routers that led him to believe that the attack had originated in China. The United States later confirmed that China’s government had supported Titan Rain as part of a massive espionage operation designed to compromise and exfiltrate information related to the development of military-grade jets.
Carpenter identified the attack in part by noting the content in which the attackers showed the most interest: aerospace-themed documents. It’s likely China stole the research-and-development data necessary to produce state-of-the-art fighter jets. By reducing the time and effort needed to conduct the research, the country narrowed the gap between its military technologies and those of the United States. This allowed China to make similar jets without the years of time and money it took the United States.
Titan Rain was one of the first cyber-espionage campaigns the U.S. government publicly attributed to the Chinese government.7 The United States never made any official arrests (and political boundaries would have likely protected the hackers from any indictments). Since the discovery of Titan Rain, however, the United States has identified a growing number of nation-state espionage groups originating from China. Allegedly, China has launched some of the most successful cyber-espionage campaigns to date.
Another prolific Chinese espionage group, known as Hidden Lynx, performed several high-visibility attacks in 2011 and 2012.8 Hidden Lynx targeted organizations associated with the U.S. Department of Defense (DoD), as well as companies in the information technology, aerospace, energy, and defense industries.
One such attack targeted Bit9, a security and endpoint protection company. Although the attack began in July 2012, the attacker remained on the victim’s network for at least a year before being identified and publicly disclosed.9 Hidden Lynx aimed to breach Bit9’s infrastructure, learn its environment and methods, and eventually steal its private digital certificates. It used a phishing email to breach the organization, along with custom-developed malware designed to allow undetected remote access. With this access, the attacker was able to learn the environment, increase its foothold, and penetrate internal targets.
The theft and fraudulent use of the certificate were especially crafty due to the way Bit9 software blocks threats. Bit9 works very differently from most antivirus or defense solutions. Instead of using malware signatures to detect malicious activity, it maintains a whitelist of files and applications that have permission to run in the environment. It adds new files to the whitelist by signing them with a legitimate certificate and then blocks any application not found in the whitelist. Since Hidden Lynx had access to Bit9’s genuine certificate, it could whitelist any file it wanted.
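The allowlisting model just described, and why a stolen signing certificate defeats it, as an added example in Python (this is not Bit9’s code; an HMAC key stands in for the vendor’s private signing certificate, and the file contents and key identifiers are constructed). It also shows the defender’s response the passage implies: revoking the compromised key and re-vetting everything it vouched for.

```python
"""Signature-based application allowlisting plus key revocation.

Added example, not Bit9's code. HMAC-SHA256 under a secret key stands in for
the vendor's certificate signature; file contents and key ids are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def sign(signing_key: bytes, digest: str) -> str:
    """Sign a file digest. HMAC stands in for the certificate signature."""
    return hmac.new(signing_key, digest.encode(), hashlib.sha256).hexdigest()


@dataclass
class AllowlistEntry:
    file_hash: str
    key_id: str        # which signing key vouched for this file
    signature: str


@dataclass
class Allowlist:
    """Default-deny: only files signed by a currently trusted key may run."""
    trusted_keys: dict                              # key_id -> key bytes
    entries: dict = field(default_factory=dict)     # file_hash -> AllowlistEntry
    revoked: set = field(default_factory=set)

    def add(self, content: bytes, key_id: str, signature: str) -> bool:
        """Admit a file only if its signature verifies under a trusted, unrevoked key."""
        if key_id in self.revoked or key_id not in self.trusted_keys:
            return False
        digest = file_hash(content)
        expected = sign(self.trusted_keys[key_id], digest)
        if not hmac.compare_digest(expected, signature):
            return False
        self.entries[digest] = AllowlistEntry(digest, key_id, signature)
        return True

    def is_permitted(self, content: bytes) -> bool:
        """Unknown files, and files vouched for by a revoked key, are blocked."""
        entry = self.entries.get(file_hash(content))
        return entry is not None and entry.key_id not in self.revoked

    def revoke_key(self, key_id: str) -> list:
        """Revoke a compromised key; return the digests it had vouched for."""
        self.revoked.add(key_id)
        return sorted(h for h, e in self.entries.items() if e.key_id == key_id)


def demo() -> dict:
    vendor_key = b"constructed-vendor-signing-key-2012"   # later stolen
    wl = Allowlist(trusted_keys={"vendor-2012": vendor_key})

    legit = b"legitimate-agent.exe (constructed contents)"
    wl.add(legit, "vendor-2012", sign(vendor_key, file_hash(legit)))

    # Holder of the genuine key signs an arbitrary file: the list accepts it,
    # because it checks who signed, not what was signed.
    backdoor = b"unvetted-binary.exe (constructed contents)"
    admitted = wl.add(backdoor, "vendor-2012", sign(vendor_key, file_hash(backdoor)))
    permitted_before = wl.is_permitted(backdoor)

    # A signature made with a key the list does not trust is still rejected.
    forged_rejected = not wl.add(backdoor, "vendor-2012",
                                 sign(b"some-other-key", file_hash(backdoor)))

    # Response: revoke the stolen key, re-vet and re-sign under a new one.
    invalidated = wl.revoke_key("vendor-2012")
    new_key = b"constructed-vendor-signing-key-2013"
    wl.trusted_keys["vendor-2013"] = new_key
    wl.add(legit, "vendor-2013", sign(new_key, file_hash(legit)))

    return {
        "admitted_with_stolen_key": admitted,
        "permitted_before_revocation": permitted_before,
        "forged_rejected": forged_rejected,
        "entries_invalidated": len(invalidated),
        "permitted_after_revocation": wl.is_permitted(backdoor),
        "legit_permitted_after_revocation": wl.is_permitted(legit),
    }
```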
The Bit9 compromise wasn’t Hidden Lynx’s only high-profile attack. In the summer of 2013, the group leveraged watering holes as part of another multistep operation, dubbed VOHO. Also known as a strategic web compromise, a watering hole is a legitimate website taken over by an attacker and used to infect visitors. In this attack, Hidden Lynx compromised several sites often visited by political activists, educators, and people working in defense in the Washington D.C. and Boston regions.10 The attacker knew many of these users had affiliations with political and government organizations. Using a Java-based exploit, the attacker installed one of two malicious payloads, either Trojan.Naid or Backdoor.Moudoor, on the visitors’ devices. Once the initial attack took place, the attacker went through the infected systems and identified high-value targets to use in the second phase of the attack.
Another event in China’s espionage history took place in 2013, when Mandiant, a cybersecurity company, released a report outing a multiyear secret Chinese espionage operation. Mandiant identified the attacker as a subgroup within the PLA known as Unit 61398 and was able to provide satellite photos of the facility in which the unit operators worked. For a private company, the level of intelligence Mandiant collected proved novel. Previously, only government or military reporting had provided information of this depth.
Beyond the PLA attribution, Mandiant discovered details about the infrastructure the group, dubbed APT1, used in these operations. It exposed the group’s malware and hacking tools, which security vendors quickly employed to identify and defend against the group. For the first time, a private-sector company had forced a military organization to cease operations. With details of the unit’s cyber operations made public, Unit 61398 decommissioned its cyber infrastructure. As with Titan Rain, the U.S. government eventually confirmed that China was behind the attacks, as Mandiant had claimed, and the U.S. Department of Justice issued indictments against the PLA operators involved in espionage operations.
The indictment marked the earliest instance of the United States using federal indictments to attribute cyberattacks to a foreign government. The public disclosure and legalities sent China a clear political message: stand down cyberattacks against U.S. organizations. However, the Department of Justice likely knew it would be incredibly difficult, if not impossible, to detain the defendants, since they were members of the PLA residing on Chinese soil. The indictment never led to an arrest and was likely released as a political tool to put foreign governments on notice that cyberattacks against U.S. organizations would not be tolerated.
In July 2015, NBC News reported on the activities of China-backed espionage groups in the United States. It provided a map displaying red dots spread across nearly all 50 states. Each red dot represented “a successful Chinese attempt to steal corporate and military secrets and data about America’s critical infrastructure, particularly the electrical power and telecommunications and internet backbone.” In other words, China was interested in the infrastructure supplying both power and communications to the U.S. population.11
At that point, years of cyberattacks and other political standoffs had already weakened the relationship between China and the United States. The map disclosed by NBC, if accurate, indicated that these incidents had caused a significant amount of damage. With many U.S. companies and military organizations breached and their intellectual property stolen, the world possessed proof that China had successfully used cyberwarfare to increase its foothold as a major world power.
In late September 2015, China’s President, Xi Jinping, visited Washington D.C. to meet with U.S. President Barack Obama.12 Though the world leaders discussed several topics, the most impactful negotiations made during the summit concerned the use of cyber operations. The following is an assessment detailing the overall agreement, as reported by Chinese media:
China and the United States agree that timely responses should be provided to requests for information and assistance concerning malicious cyber activities. Further, both sides agree to cooperate, in a manner consistent with their respective national laws and relevant international obligations, with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyber activity emanating from their territory.13
In essence, the two presidents agreed not to conduct cyberattacks against one another. But did this agreement come too late? At the time, many experts questioned its validity. Attacks had run rampant for many years, and neither country held a reputation for backing down from conflict. China had benefited economically, as well as politically, from the trade secrets and intellectual property obtained through years of operations. As evidence, China’s position in global politics and world power is much stronger today than it was in 1991, when it began discussing information warfare.
Several cybersecurity firms conducted studies to assess the legitimacy of the cease-fire. In 2017, Symantec, a company that tracks advanced attackers across the world, endeavored to determine if the volume of China-based espionage attacks against the United States had decreased in the two years since the agreement. Symantec identified Chinese espionage groups and created a list of the malware and hacking tools associated with each group. Not all tools used by espionage groups are unique or custom, but Symantec narrowed its list to include only those that it could uniquely attribute to an espionage attacker.
To do this, Symantec relied on data taken from attacks mounted with custom, unique, high-fidelity malware families. Since custom espionage malware is generally seen only in highly targeted attacks, Symantec could determine if the volume of activity had changed.14 The malware signatures it used to identify the use of these custom tools were taken from confirmed infected machines based on network detections. Symantec’s report concluded:
Reviewing detections of malware families used by cyber espionage groups, which Symantec believes are China-based, provided an insight into activity levels over time. Almost immediately after the agreement was signed, the number of infections dropped considerably. Infection rates continued to fall in the following months and remained low at year-end.15
In other words, the agreement was valid. China had, by all evidence, held up its side of the bargain. Other security vendors produced studies and reached similar conclusions. Still, many noted that while these groups had ceased targeting the United States, they had continued conducting espionage activities against other countries and targets.
Unfortunately, the cease-fire did not last long. In early 2017, Obama left office, and the newly elected President Donald Trump took a hard stance on China when it came to both cyberattacks and trade negotiations. As tension grew between the two nations, so did cyberwarfare. For example, in January 2018, a China-based espionage attacker known as Thrip began targeting satellite, geospatial, defense, and telecommunication companies, all but one of which were U.S. based. Since 2018, the China-attributed attacks against the United States have continued to rise.16
One evening in 1986, a system administrator at Lawrence Berkeley National Laboratory in California identified an intruder in the environment. The astronomer-turned-system-engineer Cliff Stoll had noticed, oddly enough, a 75-cent accounting discrepancy.
Stoll began to investigate and soon realized the incident was much more than an accounting error. The discrepancy represented nine seconds of unaccounted time and use of the laboratory’s computer resources. After some probing, he identified that a hacker had compromised the lab systems and acquired superuser privileges. He then traced the activity through the laboratory network and found that the attacker had used a 1,200-baud connection that passed through a call center in McLean, Virginia. It was unlikely that anyone at the call center had initiated the attack. More likely, Stoll decided, the attacker had used the call center as a proxy, making it appear that the attack originated from McLean while hiding their true location. He devised a plan to identify the attack’s actual origin.
With the help of his coworkers, Stoll connected several terminals and a teleprinter to the enclave of the lab’s network in which the attacker had shown the most interest. Stoll believed they could use the equipment to track, observe, and print log details recording the intruder’s activities. Stoll’s efforts allowed them to document every keystroke the attacker made within the purview of the lab’s access and visibility. Now Stoll had only to wait until he collected enough evidence to convince law enforcement, the government, or anyone else who would listen that something malicious was taking place within the laboratory’s sensitive networks and systems.
Stoll hoped to understand the attacker’s motivations to determine what the attacker was looking for in the lab’s environment. With this makeshift network monitoring system, he identified that the attacker was searching for military- and defense-related terms that would be of interest only to a nation-state. While network technologies were still in their infancy, the military used them widely to manage sensitive systems, as well as information related to satellites and missile ground station locations. These networks traversed the lab and its systems, making them an open target.
Besides searching for defense-related terms, Stoll observed the attacker planting malware in laboratory systems that was designed to find and capture credentials as users entered them. Even worse, many of the administrative accounts for various technologies and systems still used the default username and password set by the vendor during production. In other cases, active guest accounts required no password at all to access the system. The attacker could log in to these easily.
In the end, Stoll succeeded in mapping out the attacker’s behaviors, actions, and times of activity, as well as the computer languages and operating systems in which the attacker was versed. The hacker seemed especially interested in a missile defense system associated with the names “Strategic Defense Initiative” or “SDI.” According to publicly available information, the DoD had formed this program, dubbed the Star Wars program, in 1984 to defend the United States against nuclear missiles.17
Cyber espionage was unheard of at the time, and Stoll had to conduct the majority of the investigation himself, on top of fulfilling his duties at the lab. Federal law enforcement initially had no interest in the breach, he claimed, because no direct financial theft had occurred. Even so, Stoll contacted the Air Force Office of Special Investigations, the Central Intelligence Agency, and the National Security Agency. Eventually, he got these agencies to listen.
To identify the hacker, Stoll decided to set a trap that would lure the attacker into a specific part of the system while allowing him to trace the malicious activity back to its source. In other words, he set up the world’s first honeypot. A honeypot is a cyber environment staged with fake systems and data, designed to deceive an attacker. This lure allows defenders to observe and learn about the attacker as they interact with the fictitious environment.
Knowing the attacker was interested in SDI-related information, Stoll devised the perfect setup. He created an SDInet account with fictitious but pertinent-seeming documents stored in its home directory. The attacker took the bait and left enough evidence behind for Stoll, with the help of authorities, to identify him as Markus Hess, a man located in Hannover, Germany. As it turns out, Hess was a student at the University of Hagen who worked as a hired operative for the KGB conducting hacking operations on behalf of the USSR.18
In addition to being the first known Russia-based espionage campaign, this event provided a wakeup call to both Berkeley Laboratories and the DoD. After the fallout of the attacks, Stoll described how the laboratory hardened its infrastructure, locked down accounts, and enacted password-change requirements. The SDI program went on for many years, and in 1993, its primary mission was overhauled from space to ballistic missile defense.
This wouldn’t be the last Russian cyber-espionage attack. Today, Russia operates one of the most advanced offensive cyber programs. As you’ll learn in this section, it has a track record of using malware, in conjunction with disinformation and cyber-deflection campaigns, to achieve its military and political objectives.
On April 2, 1999, in Dulles, Virginia, a team of FBI agents boarded Delta flight 2772 to Moscow to investigate a major cyberattack against the U.S. Department of State, dubbed Moonlight Maze. The agency suspected Russia’s involvement in coordinated attacks against the United States. In a prior probe, during which the FBI had consulted the U.S. Ambassador to Russia, investigating agents had gathered evidence suggesting that this incident was not an isolated attack but a long-term, multiobjective, and highly coordinated operation designed to steal sensitive data from the U.S. government.19
The investigation into Moonlight Maze had begun almost a year before the trip to Moscow as a joint task force between the Air Force Office of Special Investigations and the FBI. These agencies had found evidence of a cyberattack against the military, government, and educational organizations, spread over several countries, and they hoped to identify the attacker’s “modus operandi, trade-craft, and tools.” But to do so, they’d need to determine if a foreign intelligence service had directed the attacks. And if so, which one.
The task force had its work cut out for it; the attacker had compromised infrastructure from many DoD organizations, including the Wright Patterson Air Force Base and the Army Research Lab (ARL), and it had targeted unclassified military systems. Moreover, the adversary had leveraged infrastructure from several universities in the United States. The universities were not the primary targets; rather, the attacker compromised them and then used them as a resource in a later stage of the attack.
The FBI began by conducting interviews with victims in these universities’ IT and engineering departments. In particular, it asked about the victims’ account credentials and password use. Did they reuse the same passwords across accounts? Or share their credentials with others? Today, you’ll rarely find these questions asked as part of official investigations, as credential theft takes place daily. But back in the 1990s, these attacks were uncommon, and the FBI had experience conducting only human-based investigations, not cyber ones. When it became apparent that none of the credential-theft victims had knowingly participated in the attack, the task force turned its attention to cyber-related evidence. It collected system logs from many of the university victims for analysis.
Then, on July 29, 1998, a representative from the South Carolina Research Authority (SCRA) placed a call to an agent at the Moonlight Maze task force.20 The SCRA representative claimed to have been compromised by an unknown attacker originating from Russia. This attacker appeared to have used SCRA infrastructure to connect to a computer at Wright Patterson Air Force Base.
Here was the break in the case the FBI needed. SCRA had recognized it was under attack and successfully captured details, including file transfers from both the Wright Patterson Air Force Base and SCRA to a Russia-based computer. The logs, detailing stolen files and connections to and from SCRA, provided insight into the goals of the adversary. Documents of interest included engineering diagrams and research surrounding defensive technologies that detect and mitigate intercontinental ballistic (nuclear) missiles. The data the attacker sought could protect the United States against a missile strike. Only an adversary concerned about a nuclear assault would benefit from this technology. Still, there wasn’t enough evidence to conclusively identify the attacker.
But in January 1999, a series of new breaches took place against the Brookhaven National Laboratory, the DoD, and several DoD systems located in Vicksburg, Mississippi. In response, the DoD set up a honeypot, similar to the one used in Berkeley. Based on official reports, the DoD identified the attacker’s location by using a tracking code embedded within documents stored in the honeypot. The code allowed the DoD to trace the documents’ trail to the attacker’s true location. Using this method, the DoD learned the stolen files had been exfiltrated to an IP address associated with the Russian Academy of Sciences, a government-supported organization linked to the Russian military.21
Shortly after these events took place, the media caught on to the story. Reports from both ABC’s nightly news program and the New York Times detailed the multiyear attacks. Both identified the incident as a series of nation-state conducted initiatives, occurring over several years, to steal sensitive information from the United States.22 Yet public exposure did not deter the attacker. Despite global media coverage that attributed Moonlight Maze to Russia, the attacker continued to expand operations and acquire new targets. Shortly after, the Russian attacker breached two more DoD-affiliated research labs.
Eventually, the long-running espionage campaign came to an end, followed by the FBI’s trip to Moscow on April 2, 1999. During the trip, the FBI met with senior military personnel at the headquarters of the Russian Defense Ministry.23 According to reports, the FBI presented its case and the data supporting its findings to the Russians. At one point in the discussions, the FBI provided detailed evidence that the attack originated from servers affiliated with the Russian Academy of Sciences. The next day the FBI agents prepared to depart their hotel, heading to the Defense Ministry headquarters to continue talks. Instead, however, their Russian escort redirected the group to a mandatory sightseeing excursion. Several days passed, and it became clear no help was coming from the Russians. Soon after, the FBI agents returned home. Although the FBI came back from Russia empty-handed, through diligence and solid analytical practice it had identified foreign infrastructure, tools, exploits, and malicious code related to Moonlight Maze. It also had strong supporting evidence that the attacks originated from Russia.
For additional information about Moonlight Maze, take a look at the detailed and accurate summary of the investigation written by Chris Doman, “The First Cyber Espionage Attacks: How Operation Moonlight Maze Made History,” at Medium.com.
As part of Estonia’s decommunization process, the nation’s parliament passed a law in February 2007 prohibiting the display of monuments that “glorify the Soviet Union.” At the time, Russian troops still occupied the regions of Estonia that bordered Russia, and although Estonia had first declared its independence in 1918, disputes persisted between the two countries regarding the ownership of those border regions.24
The passing of the monuments law led to the removal of a Soviet Red Army war memorial, located in the capital city of Tallinn. The statue, which symbolized Russian soldiers who lost their lives in the World War II battle against Germany, had remained a point of contention for many Estonians. Russian troops had stayed and settled in Estonia after the war ended, though many Estonians felt the Russians did not belong in their country. Russia had further complicated the relationship between the nations by ejecting or imprisoning Estonian citizens living in Russia.
The removal of the statue upset Russia, which publicly condemned Estonia’s actions. Shortly after, on April 27, a major distributed denial-of-service attack hit many prominent Estonian websites.25 The cyberattack knocked several of Estonia’s banks offline until mid-May, leaving customers unable to access their money. Many private-sector and government websites were also affected.
Perhaps surprisingly, it did not take a highly skilled hacker to shut down much of Estonia’s cyber infrastructure. Instead, basic denial-of-service attacks succeeded in overwhelming resources on target servers, rendering them unavailable to legitimate users. The denial-of-service attacks targeted web, DNS, SQL, and email servers throughout Estonia. During the attacks, infrastructure supporting the government, telecommunications, law enforcement, media organizations, and financial institutions was left unavailable, leaving the public without access to many critical services. Other political websites in Estonia were affected by defacement attacks, which displayed pro-Russian messaging to website visitors.
The attacker also used a more advanced tactic, which wasn’t common at the time: they created a massive botnet. A botnet is an accumulation of many compromised computers, known as zombies, that provide resources to power an attack. In the Estonia attacks, the botnet was created through a massive spam campaign that introduced a worm onto each victim’s system. Once infected, the worm leveraged the victim’s email account to send emails to their first 50 contacts within their address book. This may not sound like much of a threat, but the damage was significant. The attacker sent so many bot-created emails that the data flooded servers, causing them to crash. While Estonia officially blamed Russia for the attacks, Russia has denied responsibility and instead attributes the attacks to patriotic pro-Russian hackers. Estonia has not been able to provide evidence to validate its claim.
In 2008, Georgia began installing undersea cables designed to connect the country’s internet backbone to Western Europe. The connection would provide Georgia with enhanced internet access, opening it to technological development.26 But it also escalated tensions with Russia, which feared the project would strengthen Georgia’s political independence, allowing the nation to be less reliant on infrastructure inside Russian territory.
Near the project’s completion in July, the Georgian president Mikheil Saakashvili’s website fell victim to a distributed denial-of-service attack. Attackers flooded the website with ICMP, TCP, and HTTP requests, forcing it offline for more than 24 hours. This was the first sign of a significant attack that continued for several weeks.
On August 8, another denial-of-service attack hit Georgia as Russia began invading Georgian territory. At the time, most of Georgia’s internet traffic was routed through Russia, leaving Georgia vulnerable to Russian surveillance and cyberattacks. For the second time that summer, the presidential website, in addition to the websites for the Ministry of Defense, Ministry of Foreign Affairs, and several Georgian news organizations, came under fire. The next day several high-profile Georgian financial institutions central to the country’s economy were attacked. In addition to performing distributed denial-of-service attacks, the hackers had hijacked some websites and defaced others with Russian propaganda. Infrastructure in countries such as Turkey and Ukraine, which also provided internet connectivity to Georgia, also became targets, according to several news outlets.
Denial-of-service attacks and website defacements continued throughout August. By the end of the month, with the help of ISPs, Georgia had blocked their source and brought its infrastructure back online. Because the attacks coincided with the Russian invasion, many speculated that Russia must have been behind them. The accusation, however, has never been proven.
That same year, an unknown attacker breached U.S. DoD networks. In October, its cyber defenders identified malware, later dubbed Agent.btz (aka BTZ) by the security vendor F-Secure, beaconing out to a command-and-control (C&C) server. The malware was extremely sophisticated and difficult to detect once present on victim systems. Unlike most nation-state attacks, the adversary used a nontraditional attack vector to obtain initial access to DoD systems. They strategically placed USB thumb drives infected with BTZ at locations near DoD facilities. According to military officials, at least one employee or soldier found an infected drive and inserted it into a DoD system, infecting it with BTZ. The Department of Defense attributed the BTZ malware found on the drive to a foreign intelligence agency.27
The malware on the USB drive was a worm designed to spread to other systems once released into the target environment. As the malware infected new hosts, it searched for office documents, likely classified intelligence, and delivered it to servers under foreign control.28 It took the DoD more than 14 months to mitigate the threat due to the worm’s ability to spread rapidly. The initial approach, identifying each infected system and removing the BTZ malware, proved ineffective.
Instead, to combat the malware efficiently, the DoD analyzed the communication beacons sent and received by a C&C server. Then it set up a proxy server to sit between the malware and the real C&C server. The proxy allowed it to study the malware communication structure and analyze the beacon communications. Taking what it learned, the DoD successfully spoofed the server and sent a terminate command, ending the infection of DoD networks. According to the Washington Post, which broke the story, U.S. intelligence determined the campaign, nicknamed Buckshot Yankee, was most likely associated with a Russian intelligence agency.29 Analysis from security vendors identified that the times during which the attackers operated on victim networks matched the hours of a standard workday in Moscow. Furthermore, the research showed that prior to the initial discovery of the malware in 2008, attacks had been taking place for several years targeting many diplomatic, political, and military-affiliated organizations—all of which fit within a target profile that would benefit a Russian attacker.
In January 2013, Kaspersky, a Russian cybersecurity and antivirus company, released a report detailing research into a long-running espionage campaign designed to steal information from “diplomatic, governmental, and scientific research organizations.” The initiative had targeted victims in various countries, mostly associated with a region of Eastern Europe made up of former USSR members. Other targets were located in Central Asian countries.30 While not discovered until 2013, the activity, dubbed Red October, may have begun as early as 2007, around the time of the Estonia conflict.
Kaspersky’s analysis concluded that several of the attacker’s targets aligned with the profile of a nation-state attacker. These included military and government organizations, diplomatic embassies, universities, energy companies, and aerospace organizations specializing in rocket engineering. That may sound like a broad spectrum of victims, but more than six years of targeted attacks on these organizations suggest they were specifically chosen, not targets of opportunity. Often, groups operating in these industries have robust defensive measures and monitoring capabilities. Despite this, the attacker was able to use malware designed to identify, collect, and steal particular types of information, including Microsoft Office–related files, email, and sensitive data stored in databases.31
The campaign is still one of the most advanced attacks ever conducted. The precision of the execution, sophistication of the malware used, and level of success achieved by the attacker all surpassed other initiatives. The fact that the campaign evaded detection by automated security solutions, defenders, researchers, and governments from 2007 until at least 2013 speaks volumes.
Particularly impressive is the malware used in Red October, named Sputnik by Kaspersky researchers, which can infect a broad spectrum of targets beyond traditional computer systems: mobile phones; networking devices such as routers, switches, and firewalls; and USB devices connected to infected systems. The malware is module-based, making it useful in many environments and infection scenarios without requiring code modifications. It has modules for reconnaissance, credential theft, email theft, USB drive data theft, keylogging, persistence, spreading and distribution, and mobile exfiltration.
The design and technical capabilities of several of the modules distinguish it from other malware seen in the wild. For example, the email module provides the capability to steal content and databases from email servers. If a victim connects a phone to a computer infected with Red October malware, the mobile module steals information from that device, such as the victim’s address books, call logs, and even the contents of text messages.
The attacker used Sputnik’s credential-gathering module to expand its foothold in the target environment. Higher-level credentials provided it with access to sensitive applications, data, and administrative tools. The attacker also used these escalated privileges to ensure the persistence module could reinfect victims if the malware had been deleted or removed from the environment.
The USB module, too, has several interesting features. As one would expect, it provides the malware with the capability to steal data from connected USB devices. It can also recover previously deleted data from the drive itself. In situations where the malware couldn’t establish a network connection, such as on air-gapped systems and networks, the USB module could still run other modules and save the collected data onto the USB drive.32
Another feature of the malware’s sophistication is its vast C&C infrastructure. In short, several layers of proxy and relay servers built between the attacker and the infected victims offered protection from detection. Sputnik also transmitted meaningless data along with victim data to make the activity harder to identify and analyze, and false clues had been written into the malware, making attribution difficult. For example, lure documents associated with Red October contained exploit code previously used by a known Chinese nation-state attacker. The code had since been made publicly available, so its presence in Sputnik served to throw off investigators.
Further analysis identified several Russian strings present in the malware code. The Russian attribution, though not backed by substantial evidence, is widely accepted, though some argue against it, pointing out that Red October’s targets included several Russian government entities, such as the Foreign Ministry in Moscow. Once publicly outed, Red October’s operations ceased in late 2013. The attacker abandoned its infrastructure, and the group temporarily disappeared. After a short break in operations, the attacker retooled and restarted operations, albeit under the name CloudAtlas and with new malware and hack tools. Its targets remained the same.
Iran has spent more than two decades developing the infrastructure to conduct state-sponsored espionage and sabotage campaigns. With the aim of achieving political, religious, and military dominance in the Middle East, it has targeted adversarial foreign governments, including the United States and several Middle Eastern countries. Iran also uses cyber operations to track and spy on its citizens, whose views often conflict with the government’s Islamist doctrine. Iran banned social media for this reason, and prohibited VPNs and encrypted messaging applications, out of fear that citizens could bypass government-controlled surveillance and filtering.33
Reporting suggests that the Islamic Republic of Iran began conducting state-sponsored cyber operations around 2007. However, the evolution of Iran’s cyber capability goes back to the early 2000s, when several Iranian hacking groups caught the public’s attention.
In February 2002, Iranian hackers formed the Ashiyane Digital Security Team, now a well-known Iranian hacker group. Like other early adopters of hacking technologies in Iran, Ashiyane’s initial notoriety stemmed from highly visible website defacements.34 The group defaced many websites, including U.S. government and Israeli websites such as NASA and Mossad, with pro-Iran messaging and statements of support for the Ashiyane hacking team.
The group also hosted a web forum, where users discussed various cybersecurity topics. The forum served as a catalyst for the Iranian hacking community, as anyone who joined it could hack under the name Ashiyane. Even so, the original dozen members made the group well known. Most famous was the founding member, Behrooz Kamalian, often called by his hacker moniker Behrooz_ice.35 More recent defacements conducted by forum members include the aliases of Ashiyane’s original members. It is unlikely Kamalian or any of the other originating members took part in any of the recent attacks. Instead, their names were posted as an homage by Ashiyane supporters to honor the founding members.
Ashiyane quickly grew its reputation as Iran’s top hacking group. In an attempt to legitimize itself, it founded the Ashiyane Digital Training Center. The training center offered both hacking and security courses for profit but has also remained active in hacking operations.
Several years after Ashiyane, another hacking organization appeared, the Iranian Cyber Army (ICA). Since 2009, ICA has targeted organizations and individuals believed to oppose Iran. The group conducted cyberattacks against Twitter, the Chinese search engine Baidu, and many websites of political figures who opposed former President Ahmadinejad. Today, it’s widely recognized to be an arm of the Islamic Revolutionary Guard Corps (IRGC), a branch of Iran’s military.36 In 2010, the commander in chief of the IRGC told a newspaper, “Today we take pride in our (Iranian) Cyber Army founded by us, which is the second strongest Cyber Army in the world.”
Two pieces of evidence link Ashiyane to the ICA. First, Ashiyane and ICA posted the same word-for-word pro-Hezbollah messages on defaced adversarial websites. Second, several individual hackers support operations across both groups.37 Also, while circumstantial, both groups originate from the same part of Iran.38 To explain the overlap, some suggest that ICA isn’t a standalone organization at all, but instead a persona invented by Ashiyane to conduct operations for the IRGC.
Further support of these claims appeared in the Official Journal of the European Union in October 2011. According to the European Union, Kamalian, as head of Ashiyane, directed the IRGC’s operations. Figure 1-1 shows a passage from the Official Journal of the European Union, Council Regulation (EU) No 359/2011 of April 12, 2011.
The restrictions are primarily economic and designed to apply financial pressure. Restrictive measures regulate and prevent the named individuals from having access to any economic resources. Financial institutions cannot process transactions and are required to freeze funds associated with the individual and/or business entities they own. The European Union placed Kamalian on the restrictive measures list due to his involvement with the IRGC attacks against human rights in Iran.39 According to public reports, Kamalian assisted in using cyber means to identify supporters of the anti-Ahmadinejad protest who were arrested, tortured, raped, and, in some instances, shot by members of the IRGC.40 Further information linking Ashiyane to the IRGC came in 2016, when the DoJ indicted several Iranian hackers accused of conducting attacks against the U.S. government, financial institutions, and social media platforms. The attacks resulted in the loss of tens of millions of dollars in remediation costs due to the damage caused by the attacks.41 Two of the indicted hackers are members of the Ashiyane Digital Security Team.42
While Ashiyane is not the only hacking group associated with the IRGC, it’s the primary organization that can be traced back to what has grown into the cyberwarfare component of Iran. Other groups have played influential roles, most of which share a common denominator: their association with Ashiyane.
Despite the deep roots with the IRGC and online Iranian hacking communities, Ashiyane disappeared around mid-2018 without official explanation. All Ashiyane’s infrastructure went dark, and its forums and websites no longer resolve. Kamalian himself temporarily disappeared, only to re-emerge several months later, when he started a new business working with Iranian celebrities who have hacking and cyber-related concerns. While not confirmed, media and security vendors speculate that Ashiyane’s infrastructure, under Kamalian’s direction, was involved in hosting online gambling services. If true, this could explain the halt in Ashiyane operations, as gambling is a crime in Iran.43
Iran had designed its many denial-of-service attacks to make headlines, which sent strong messages to victim organizations. It seemed that compared to nations like China, Russia, and the United States, the country lacked the technical sophistication to conduct advanced espionage attacks.
All of that changed during the summer of 2011. An Iranian citizen, who used the online moniker Alibo, began to have trouble accessing his Gmail account. For several days, whenever Alibo logged in, he received a security warning questioning the validity of the certificate used to authenticate to the Gmail website.44 Alibo accepted the risk, trusting the certificate’s validity—despite the warning. Since Gmail was a long-standing, secure, and globally used service, he assumed the issue likely had to do with some technical error rather than a security incident.
Several days later, however, he found he could no longer access his email account. In an attempt to troubleshoot the issue, Alibo implemented a VPN service as a proxy. This allowed him to use infrastructure outside of the Iranian IP address space. To his surprise, he could find the Gmail login page and access his email, as long as he had the proxy enabled. When he turned the proxy off, he continued to find Gmail unavailable.
Soon Alibo realized the restriction affected only Iranian-based users. He wasn’t positive why. Iran had not yet implemented any official internet restrictions, so Alibo could not assume the Iranian government had definitively caused the restriction. However, he could not rule it out either.
To address the issue, Alibo posted to Google’s online support forum, asking for assistance. Several days later, Google provided an explanation—though not on its support forum. Instead, in a public statement, Google announced it had fallen victim, through a third party, to an elaborate SSL man-in-the-middle attack used to survey email activity of Iranian users.45 Google claimed an attacker had fraudulently obtained access by leveraging a fraudulent SSL certificate issued by DigiNotar, a root certificate authority. Google claimed DigiNotar should not have issued the SSL certificate and later revoked it.
Man-in-the-middle attacks are not especially sophisticated. In simple terms, a man-in-the-middle (MITM) attack is accomplished by intercepting traffic as it passes between the originating and destination systems. For this reason, it is standard procedure to use encryption with SSL certificates to protect the data. The long-term, multipart plan Iran had to carry out before launching such an attack required patience, planning, and careful execution. Specifically, Iran had to compromise and take over an entire company—DigiNotar, a legitimate certificate authority—to create and issue its own SSL certificates to decrypt the intercepted data. Digital certificates are designed to prevent websites and their traffic from being intercepted or mimicked. Without that protection, an attacker can view the traffic between the end user and the destination website without the cover of encryption. That is exactly what the attackers did in this incident.
Today, almost all websites use certificates to validate who they are and to protect data in transit by encrypting it. An early adopter of this security requirement, Google relied on SSL certificates to authenticate and send data between Gmail servers and end users. The only way to view the decrypted traffic, or validate the connecting server’s authenticity, was to access the certificate itself. Iran understood it would be difficult to achieve this by breaching an established company like Google. Instead, it crafted an attack against the Dutch certificate authority DigiNotar to obtain access to the issuing certificate authority.
Breaching the company was likely not an easy task. DigiNotar was a legitimate organization in good standing within the certificate authority community, and it had many security standards in place. In addition to cyber defenses, physical security boundaries prevented access to the most critical areas of the company’s facility. DigiNotar used a combination of biometrics and PIN codes to grant people access. These protected rooms housed the systems and servers most critical to DigiNotar’s trusted certificate infrastructure. There is no way to know for sure if the physical restrictions DigiNotar claimed to have in place actually existed or if they would have prevented this type of compromise from taking place. If so, the attacker would need insider access. However, providing physical and digital safeguards makes this type of compromise extremely difficult. While speculation and theories exist, the exact details as to how the attacker bypassed DigiNotar’s physical access restrictions are unknown. However, researchers did investigate how the attacker breached the various network enclaves, and they included this information in a now-public report conducted after the initial breach.46
Once the attackers had access to DigiNotar’s critical systems, they began to create fraudulent certificates. Devices considered these certificates to be authentic, since a legitimate certificate authority created them. After creating a certificate for Google, the attackers could intercept the traffic of legitimate users in Iran as they attempted to access their Gmail accounts. The government of Iran used the certificate to place a server between Iranian citizens and the legitimate Gmail infrastructure, intercepting traffic as it passed. This allowed the government of Iran to intercept, read, and monitor all of its citizens’ Gmail messages. In short, Iran created a mass email surveillance program for all Gmail users in Iran.
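The fraudulent Gmail certificate passed ordinary chain validation because a trusted CA had signed it, so the defender-side control that catches this case is pinning: checking that the issuer is the CA the site is known to use. The following is an added example, not code from the book or from Google; it checks a certificate in the dictionary shape Python’s ssl.getpeercert() returns, and the pinned issuer “Example Trusted CA” and both sample certificates are constructed placeholders (the CA Google used in 2011 is not given in the text).

```python
import socket
import ssl
import time

# Hypothetical pin list: the issuer organization a site is expected to use.
# "Example Trusted CA" is a placeholder, not Google's real 2011 issuer.
PINNED_ISSUERS = {
    "mail.google.com": {"Example Trusted CA"},
}

# Constructed sample certificates in ssl.getpeercert() format.
GOOD_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA G1"),)),
    "notBefore": "Jan 10 00:00:00 2011 GMT",
    "notAfter": "Dec 31 23:59:59 2012 GMT",
    "subjectAltName": (("DNS", "mail.google.com"), ("DNS", "*.google.com")),
}
# Same names and a valid date range, but issued by a different trusted CA:
# this is the shape of the DigiNotar incident, and chain validation alone
# would accept it.
ROGUE_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("organizationName", "DigiNotar"),),
               (("commonName", "DigiNotar Public CA (constructed)"),)),
    "notBefore": "Jul 10 00:00:00 2011 GMT",
    "notAfter": "Jul 09 23:59:59 2013 GMT",
    "subjectAltName": (("DNS", "*.google.com"),),
}
# Constructed "current time" inside both validity windows (summer 2011).
NOW_2011 = ssl.cert_time_to_seconds("Sep 01 00:00:00 2011 GMT")


def _rdn_to_dict(rdn_seq):
    """Flatten the ((('key', 'value'),), ...) tuples getpeercert() returns."""
    out = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out[key] = value
    return out


def _hostname_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def check_peer_cert(cert, hostname, now=None, pinned=PINNED_ISSUERS):
    """Return a list of findings; an empty list means the certificate passes.

    Checks name match, validity window, and, for pinned hosts, the issuer.
    """
    findings = []
    now = time.time() if now is None else now
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))

    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names and "commonName" in subject:
        names = [subject["commonName"]]
    if not any(_hostname_matches(n, hostname) for n in names):
        findings.append(f"hostname {hostname} not in certificate names {names}")

    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        if not not_before <= now <= not_after:
            findings.append("certificate outside its validity window")
    except (KeyError, ValueError):
        findings.append("certificate has no parseable validity dates")

    expected = pinned.get(hostname)
    if expected is not None:
        org = issuer.get("organizationName", "")
        if org not in expected:
            findings.append(f"issuer {org!r} is not a pinned CA for {hostname}; "
                            f"expected one of {sorted(expected)}")
    return findings


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch a live server certificate (network access required; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("rogue", ROGUE_CERT)):
        print(label, check_peer_cert(cert, "mail.google.com", now=NOW_2011) or "OK")
```

Chain validation is still performed by the TLS stack; this check is an additional layer, which is why the rogue certificate produces only the issuer finding.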
While Iran advanced its cyber operations in this attack, it was unable to maintain the operation and eventually gave up its identity through undisciplined operators. No one could have proven that Iran had executed the attack. However, the attacker made several connections to DigiNotar systems while forgetting to use a proxy, therefore leaving the true Iranian IP address exposed. Once identified, investigators were able to reverse the activity, map the attacker’s actions step-by-step, and build out the entire attack profile, leaving no question that Iran was behind it.47 In the end, the attack lasted only a brief time. However, it was one of the most successful attacks against public infrastructure ever conducted by a nation-state attacker.
On August 15, 2012—a religious holiday, when very few employees were working—a massive sabotage campaign began deleting data from systems and servers across Aramco, a large state-owned Saudi Arabian oil company. Within a day, 30,000 systems had been wiped of their data and replaced with the image of a burning American flag. They were left inoperable, devastating the organization’s corporate networks. At the time of the incident, the New York Times estimated that three-quarters of Aramco’s corporate PCs had been wiped.48
This was one of the most destructive sabotage campaigns the world has seen to date. In response to the attack, Aramco was forced to take its entire corporate infrastructure offline, something unheard of today, especially for one of the world’s largest oil conglomerates. Within hours, the entire company was relying on typewriters and handwritten ledgers. Instead of email, Aramco had to use interoffice paper mail. The organization used voice-over-IP phones as well, which require a network connection, leaving Aramco without phone service in many of its offices.
Luckily, the systems and networks responsible for oil production were segregated from the corporate networks, saving Aramco from complete devastation. If the malware had successfully destroyed the control systems responsible for oil production in a similar way to the destruction that took place on the corporate network, Aramco would have likely suffered a much larger financial impact.
The initial infection likely began when an insider intentionally inserted a USB device containing the Shamoon wiper malware into an Aramco system, though simultaneous spear-phishing emails also exploited vulnerabilities in Aramco systems. Multiple individuals and groups claimed credit; on the day of the Shamoon wiper attack, two online personas, the Arab Youth Group and the Cutting Sword of Justice, announced they were behind the attacks. The following is a message that the Cutting Sword of Justice posted to Pastebin, a text-hosting website:
We, behalf of an anti-oppression hacker group that have been fed up of crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon, Egypt and . . ., and also of dual approach of the world community to these nations, want to hit the main supporters of these disasters by this action.
One of the main supporters of this disasters is Al-Saud corrupt regime that sponsors such oppressive measures by using Muslims oil resources. Al-Saud is a partner in committing these crimes. It’s hands are infected with the blood of innocent children and people.
In the first step, an action was performed against Aramco company, as the largest financial source for Al-Saud regime. In this step, we penetrated a system of Aramco company by using the hacked systems in several countries and then sended a malicious virus to destroy thirty thousand computers networked in this company. The destruction operations began on Wednesday, Aug 15, 2012 at 11:08 AM (Local time in Saudi Arabia) and will be completed within a few hours.
This is a warning to the tyrants of this country and other countries that support such criminal disasters with injustice and oppression. We invite all anti-tyranny hacker groups all over the world to join this movement. We want them to support this movement by designing and performing such operations, if they are against tyranny and oppression.
Cutting Sword of Justice49
Regardless of how the first stage of malware was delivered, once present, it installed other components to further infect the victim system. The initial phase of the attack established a foothold within the victim environment. During this phase, the attacker enumerated devices on the network and stole credentials to escalate privilege and increase their access. Once they had the correct credentials, they used them to access high-value systems, such as domain controllers and file servers. Next, wiper malware was placed onto the systems throughout the environment. To avoid detection, the attacker disguised the malware as a legitimate driver, blending in with other system components. Finally, when everything was in place, the wiper was executed, destroying the master boot record on the victim system.
The security community widely believes Iran to be the real perpetrator. Several other waves of attacks involving Shamoon malware have taken place since the 2012 incident. In each wave, the attacker has become slightly more advanced, learning from previous mistakes. The hacktivist groups that took credit for the initial attack disappeared after the 2012 campaign. This is likely because they were attacker-created personas, brought to life through social media and used to throw off investigators. Fake personas, fraudulent stories, false flags, and destructive malware are all examples of why nation-state attackers, like Iran, are so different from any other cyber threat that exists today.
Security vendors continue to track the many Iranian cyberattacks, which, as the examples discussed thus far illustrate, differ from those of many other nation-state attackers in that Iran primarily uses contractors to support its operations.50 Unlike government or military operatives, contractors come and go from one job to the next. This turnover results in a lack of knowledgeable, experienced operators to work on long-term offensive operations. Despite this shortfall, Iran has found success in effectively conducting operations against targets of interest in the Middle East.
Of all the countries discussed so far, the United States has been the most effective at eluding public exposure. In fact, until a former NSA contractor, Edward Snowden, released more than 9,000 classified documents in 2013, we knew very little about cyber operations conducted by the United States.
But on April 23, 2015, the United States released 52,000 previously classified documents, providing historical insights into U.S. espionage operations. Among other topics, the trove of intelligence detailed reporting surrounding the career of the American codebreaker William F. Friedman. Let’s begin our discussion there.
Today, when people discuss secure messaging, most think of the encrypted communications occurring between modern computers. But this cryptography has its roots in World War II, when the German military developed the first cryptographic machine to secure communications between its military elements. The device, known as Enigma, used a substitution cipher driven by mechanical rotors and a panel of lights to encode and decode messages.
Germany, however, was not the only nation during the war to develop a cryptographic communication device. In 1933, the same year Hitler took power in Germany, a businessman named Boris Hagelin founded a small Swiss company known today as Crypto AG. Hagelin opened his headquarters in Stockholm, Sweden, and began producing cryptographic communication devices. Soon the United States and Britain were using these during the war.51 Similar to the Enigma, Crypto AG machines relied on a custom cipher mechanism to transmit encrypted messages, although they were not as technically sophisticated as their German counterpart.
Despite this, the war supplied Crypto AG with a steady stream of income. When it ended, the company needed a new way to bring in revenue. Hagelin turned to William Friedman, who was famous for breaking the “Japanese purple machine” cryptographic devices, which used technology similar to the Enigma’s.52 During the war, Hagelin had worked with Friedman, and the two had developed a close friendship. Friedman had since become a chief cryptologist for the U.S. Signals Intelligence Service.
According to reports now declassified by the U.S. government, Friedman met with Hagelin many times between 1955 and 1969. Figure 1-2 shows one of these declassified reports.
These reports, which detail conversations between the two men, describe Hagelin’s plans to significantly increase Crypto AG’s production and to release a second model of its cryptographic machine, which was scheduled for production shortly. This second model was more sophisticated than the first, Hagelin told Friedman, and included many technological advances compared to previous devices. Hagelin agreed to provide the new model to the U.S. government for review before it went to market. This alone provided the United States with an obvious and strong advantage, since the technology was cutting-edge at the time.53
But the intelligence shared between the men went further. Several meetings took place between the two men over the next year, which Friedman detailed in official government reports. In these meetings, the men discussed potential Crypto AG customers, including government organizations in Italy, Egypt, Jordan, Iraq, and Saudi Arabia. In total, Hagelin provided details of his interactions with more than 30 nations that wanted to purchase Crypto AG equipment.54
In addition to his recollection of events, Hagelin provided the U.S. government with copies of sensitive correspondence between each potential customer, their intended use of cryptographic devices, and any concerns addressed. For example, Hagelin detailed his interactions with government officials connected to the French politician Patrick Ollier, who discussed “plans for improvement in crypto affairs.”55 These plans involved building a Paris factory with all the tools necessary to develop the secret devices’ hardware. Their cryptographic cipher and the technical components within the machines, however, would all come from Crypto AG: France received design specs, equipment, and experts from the Swiss company, unaware that Hagelin had shared these details with the Americans. Similar situations unfolded with top officials from governments worldwide.
In one of the meetings between the men, Friedman made an important proposal to Hagelin. Unfortunately, we don’t know for sure what he said; the United States redacted this section of the report. However, it did disclose one detail: Crypto AG would provide the United States with copies of all customer correspondence and sales orders moving forward.
In 2020, based on their own investigation and information contained in the declassified reporting, the Washington Post published an article explaining what may have taken place in Friedman’s proposal:
Hagelin, the founder and owner of Crypto AG, and William Friedman, the founding father of American cryptology, set up a system in the early 1950s that allowed the NSA to dictate where the company sold “breakable” communications devices and where it sold unbreakable machines.56
If true, this would be one of the first supply chain attacks, one in which a government obtained hidden access, similar to a backdoor, that allowed them to monitor a foreign government’s correspondence.
Crypto AG went on to develop and sell cryptographic technologies until 2018, when the company was sold. But the release of information about its 60-year-long secret relationship with the United States decimated the company’s reputation, making it difficult to continue operations.
In May 2010, concrete walls in Natanz, Iran, rumbled and shook. Nuclear centrifuges were spinning out of control, damaging the systems and sensitive equipment responsible for uranium enrichment at a Fuel Enrichment Plant (FEP). Part of Iran’s uranium enrichment program, the Natanz FEP is mostly underground, hidden from public view in the city’s heart. The site operates more than 7,000 centrifuges used to extract U-235, one of two isotopes found in pure uranium and the key ingredient necessary to develop a nuclear weapon.
Because of their molecular properties and weight, when the centrifuges spin at high speed, the U-235 and U-238 isotopes separate. Additional centrifuges, chained together, introduce a gas to absorb the U-235 isotope. The gas provides a medium to remove and transport the U-235 molecule, which is then cooled and processed into a solid state used to build a bomb.57
The Stuxnet malware developers had a vast knowledge of this process and of the plant’s specific systems that carried out uranium enrichment. Stuxnet interfered with or altered the speed at which the centrifuges spun, causing them to fail. As the centrifuges derailed, system operators and scientists began frantically checking the control and safety systems responsible for monitoring the plant’s operations. Oddly, no alerts indicated the centrifuges were failing. Centrifuge failures began to plague the plant, significantly setting back Iran’s nuclear development schedule.
A clue to the source of the failures came one month later, when the programmable logic controllers (PLCs)—units responsible for controlling and monitoring plant operations—began to reboot randomly. The plant’s computer systems administrators became suspicious that something or someone in their network might be causing the problem. To investigate the issue, plant administrators sent logs and data to VirusBlockAda, an endpoint security vendor based in Belarus.
The PLC software interacted with Microsoft’s Windows operating system, so to identify the problem, VirusBlockAda researchers teamed up with Microsoft. The team soon identified foreign code present within the plant. But finding this code was only the beginning; to their surprise, the suspicious code had introduced four zero-day exploits into the environment. A zero-day exploit is an exploit that takes advantage of a publicly unknown or unpatched vulnerability. Specifically, it exploits a vulnerability that cannot yet be patched, because the vendor has not provided a fix for it. Usually, a fix will come later in the form of a software patch. To this day, finding one zero-day exploit in an environment is unusual. Discovering malware that uses four zero-days is almost unheard of.
The malware leveraged these exploits to access plant systems and install drivers that loaded the payload—which the Symantec researchers dubbed Stuxnet based on the names of files, .stub and mrxnet.sys, found in the malware.58 Stuxnet was a worm that could replicate and spread, silently looking for a specific type of system: the PLCs responsible for the gas centrifuges at the Natanz facility.59 The malware could infect the PLCs on its own if it successfully executed at the Natanz FEP.
The malware’s sophistication strongly suggested that it was the work of a nation-state attacker. Researchers discovered four more exploits used in the malware in addition to the zero-day exploits identified. Furthermore, the attacker’s knowledge of the FEP, their ability to get the code into a secured environment, and the overall complexity of the attack made Stuxnet one of the most widely recognized attacks to ever take place.
The United States soon emerged as a prime suspect in the attack. Years earlier, in August 2006, Iranian President Mahmoud Ahmadinejad announced that Iran had achieved the uranium enrichment goal needed to support its nuclear program. Iran had previously signed an agreement stating it would not develop nuclear technologies for military purposes, so the program’s continuation upset several nations, including the United States, Israel, and neighboring countries in the Middle East. U.S. President George Bush issued a warning to Iran that substantial consequences would ensue.60
Over time, U.S. sanctions against Iran took a toll on the economy. But with its political and economic power weakened, Iranian leadership doubled down on the effort to develop nuclear weapons. Was Stuxnet the beginning of the consequences President Bush spoke of? Many believed so. Disrupting the centrifuges and enrichment of uranium significantly slowed Iran’s plans to create a nuclear weapon. Several years had passed since President Bush had made the statement; however, an elaborate operation like Stuxnet would have likely taken time to plan and execute.
The United States was not alone in threatening Iran. In 2009, Israeli Prime Minister Benjamin Netanyahu made a public statement directed to then U.S. President Barack Obama, summarized by The Atlantic in the following headline: “Stop Iran—Or I Will.”61 Netanyahu did not apply a timeline to his ultimatum; however, according to one of his aides, the United States had months, not years, to respond.
For these reasons, once Iran had identified Stuxnet malware as the cause of the centrifuge failures, it treated both the United States and Israel as the likely culprits. Reza Jalali, head of a military unit in charge of combatting sabotage, publicly attributed Stuxnet to the United States and Israel.62
While Iran did not publicly disclose evidence for its attribution, the threats made by Israel and the United States, along with evidence provided by security vendors, provided additional clues to support the theory. To better understand why the attacks took place, Symantec conducted extensive research on the Stuxnet payload. The company discovered that it had existed long before 2010, when it first appeared in the wild. Further evidence exists showing Stuxnet development began several years earlier, during May 2005. However, it likely did not make its way onto the FEP until 2009, just one year before Stuxnet’s discovery. To execute the attack, the adversary needed to get the malware onto the network-controlling systems at the FEP.
According to media reports,63 the attacker placed Stuxnet injector code onto USB devices. Symantec’s technical findings identified a USB module designed into the Stuxnet malware, corroborating the claims.64 The media claimed Stuxnet’s orchestrators strategically placed the USB sticks at the five companies with trusted relationships to the FEP. The attacker likely knew the FEP’s internal networks and systems would have strong security defenses. It would take an attacker with vast intelligence-gathering capabilities to identify a nuclear facility that is primarily underground and gain insider knowledge of its technical environment.
From an attacker’s perspective, targeting secondary organizations with USB devices made sense. The partnering companies developed equipment and software for the plant and, more importantly, were not as secure or well protected as the FEP. While never proven, reports suggest that employees found the USB device on the ground in the company’s parking lot. Once a user plugged the device into one of the company’s systems, the code executed, and the infection spread, eventually making its way to the FEP via its worm capability.65
While the time and date of initial infection are unknown, Symantec researchers also found the Stuxnet payload in a public malware repository. These samples, labeled with the version number 0.500, had been compiled years earlier, in 2005. Many antivirus programs scan public repositories for malware. Knowing this, it is possible that Stuxnet developers used the repository to test that antivirus software could not detect Stuxnet before using it in operations. Additionally, an anonymous individual registered domains later used as C&C servers for Stuxnet operations. The domain registration took place the same month as version “0.500” malware was compiled.66
Because the attacks temporarily slowed Iran’s nuclear development program, Stuxnet effectively functioned as the world’s first known military-grade cyber weapon. This event also catalyzed Iran’s offensive cyber operations, which began ramping up in 2011–2013. Today, Iran’s cyber operations are one of the biggest cyber threats to the United States and Israel.
The United States continues conducting cyberwarfare against Iran, as well. Between May and June of 2019, six attacks on oil tankers took place in the Strait of Hormuz; in some instances, unmarked vessels placed explosive devices on the side of tankers. In other instances, ships came under fire from torpedoes.67 The United States accused the Iranian government of orchestrating the attacks to disrupt the world’s oil supply, and over the next year, the United States, Great Britain, Israel, Bahrain, and Australia sent ships, jets, and submarines to secure shipping routes through the Strait of Hormuz. In addition to physically protecting vessels, the United States used cyber weapons to impede Iran’s ability to track oil vessels passing through the region. According to the New York Times and corroborated by the United States Cyber Command, the United States’ cyber operations destroyed both data and communication sources Iran used to identify and track oil tankers and other ships passing through nearby waterways.68 Iran denies any involvement in the oil tanker attacks. Instead, Iran blames outside Middle Eastern groups with whom it has no involvement. Iran claims to be a victim of Western propaganda and targeting used to justify cyber and military operations.69
In February 2015, the cybersecurity firm Kaspersky’s Global Research and Analysis Team (GReAT) published a white paper documenting an espionage group it dubbed the Equation group.70
Kaspersky’s GReAT is well known for its research about cyber espionage. It has released many in-depth analyses over the years, often making headlines with its findings. GReAT dubbed this particular group “Equation” due to the group’s advanced multilayer encryption techniques, which are all based on mathematics. The discovery was significant, as the malware, infrastructure, and operations dated to 1996, making Equation one of the oldest and most experienced espionage groups to date.
The group’s discovery originated from malware secretly placed on CDs that were distributed at a Houston-based international scientific conference. A scientist who, for anonymity purposes, used the pseudonym “Grzegorz Brzęczyszczykiewicz” received one of the CDs. When he inserted it into his computer’s drive, covert malware executed, compromising his system. Not only did the malware provide the Equation group with access to Brzęczyszczykiewicz’s computer, it also let them into his employer’s network.
It is unclear how Kaspersky’s GReAT received the CD from Brzęczyszczykiewicz, but once it did, extensive analysis began. Initially, the malware analysis proved difficult, as every aspect of Equation malware had been encrypted, making it extremely difficult to understand.71 But GReAT’s persistence in reverse-engineering paid off. The team discovered that the code on the CD exploited several zero-day vulnerabilities. Finding that it used multiple zero-days is substantial, since before Equation, Stuxnet was the only malware seen with this level of exploitation capability.
In addition to the exploits, the malware used a novel method to compromise the victims. After gaining access, it infected the firmware to gain full control of the host system. With elevated privileges, the malware installed a Virtual File System used to steal data from the victim system. Additionally, GReAT identified other versions of the malware designed to compromise macOS, the operating system that runs Apple computers, and iOS, the operating system running Apple iPhones. Most espionage malware discovered in the wild up to this point had exploited Microsoft Windows computers. This pointed to the Equation group’s apparent deep resources.
GReAT’s parent company, Kaspersky, had a large endpoint protection business, which generated a large pool of data every time its software identified malicious activity. Once it had analyzed the malware, Kaspersky created signatures that could detect it, something that no other vendor at the time could do. This allowed GReAT to search through years of data and identify historical instances of Equation malware and associated activity. GReAT could determine the victims’ identities and locations but did not name them publicly.
Next, GReAT looked into the cyber infrastructure with which the Equation malware communicated. The team identified both active and inactive C&C servers based on registration patterns, historical hosting, and malware communication beacons. Using a technique called sinkholing, GReAT took ownership of a small percentage of the malware’s communications and data behind it. Sinkholing is when a defender isolates communications intended for adversary infrastructure and redirects them to their own infrastructure for defensive and analysis purposes. Figure 1-3 provides a visualization depicting the sinkhole concept.
The flow of data traversing points A, B, C is represented by the solid arrows. The segmented arrows represent the change in data transmission that takes place by the sinkholing of a domain.
Kaspersky’s GReAT leveraged sinkholing to gather additional intelligence on Equation group activities, beyond what it had learned through analysis of its data. Additionally, the team identified a number of Equation C&C domains whose registration had expired. Reregistering the expired domains allowed GReAT to stand up the expired infrastructure itself. Malware from previous operations that had been configured to “talk” to those domains before they expired was still active in the wild and remained undetected on victim systems. Once the expired infrastructure came back online, the malware reconnected and once again began transmitting victim data. However, this time, GReAT was on the other end of the connection to receive and analyze the data.
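The sinkholing and domain reregistration described above turn the defender’s resolver logs into a victim list: any host that still tries to resolve a reregistered C&C domain is a host that still carries the implant. The following is an added example written for this book’s discussion, not GReAT’s own tooling; the log format, the domain names, the client addresses, and the sinkhole address 203.0.113.10 are all constructed for illustration.

```python
"""Sinkhole triage over DNS query logs.

Added example (not from the book and not Kaspersky's code): a defender who has
re-registered expired C&C domains and pointed them at a sinkhole address can
read the resolver logs to find which internal hosts are still beaconing to
that infrastructure. Log format, domain names and addresses are constructed.
"""
import re
from collections import defaultdict

SINKHOLE_IP = "203.0.113.10"   # assumed defender-controlled address (TEST-NET-3 range)

# Constructed: expired C&C domains the defender has re-registered.
SINKHOLED_DOMAINS = {"update-check.example", "cdn-stats.example"}

# Constructed resolver log: timestamp, client address, record type, query name.
DNS_LOG = """\
2015-02-16T09:12:01Z 10.0.4.17 A update-check.example.
2015-02-16T09:12:03Z 10.0.4.17 A www.example.org.
2015-02-16T09:13:44Z 10.0.9.3 A stage2.cdn-stats.example.
2015-02-16T09:14:10Z 10.0.4.17 A update-check.example.
2015-02-16T09:20:00Z 10.0.2.250 AAAA mail.example.org.
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (A|AAAA) (\S+)$")


def normalize(name: str) -> str:
    """Strip the trailing dot and lowercase so lookups are exact."""
    return name.rstrip(".").lower()


def sinkholed_parent(qname: str):
    """Return the sinkholed domain that qname equals or sits under, else None."""
    name = normalize(qname)
    for dom in SINKHOLED_DOMAINS:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def sinkhole_response(qname: str):
    """Address the sinkhole resolver hands back, or None to resolve normally."""
    return SINKHOLE_IP if sinkholed_parent(qname) else None


def parse_log(text: str):
    """Yield (timestamp, client, qtype, qname) for well-formed lines only."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_beaconing_hosts(text: str) -> dict:
    """Map client address -> {sinkholed domain: number of queries}."""
    hits = defaultdict(lambda: defaultdict(int))
    for _ts, client, _qtype, qname in parse_log(text):
        dom = sinkholed_parent(qname)
        if dom:
            hits[client][dom] += 1
    return {client: dict(doms) for client, doms in hits.items()}


if __name__ == "__main__":
    for client, doms in find_beaconing_hosts(DNS_LOG).items():
        print(f"{client} still beacons to {doms}")
```

Subdomains are matched as well as exact names, because implants often prepend a host-specific or stage-specific label to the C&C domain; a host that queries stage2.cdn-stats.example is just as compromised as one that queries the bare domain.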
In all, at the time the research concluded in 2015, GReAT had found that the Equation group had compromised more than 500 systems across 42 countries. Countries with high infection rates included Russia, Iran, China, and several more. Once the team had analyzed this data, it categorized the victims by country and industry. These victims included organizations working in government, military, aerospace, nuclear research, telecoms, and cryptographic technology, among others, which is a pattern that aligns with nation-state targeting.
Unfortunately, GReAT did not disclose who it believed was behind Equation’s operations. Nevertheless, think tanks such as the Council on Foreign Relations72 and media organizations like Wired73 claimed a U.S. intelligence agency conducted the attacks. The attribution arose from the Equation group’s access to zero-day exploits and malware strings written in the English language. And two elements identified by GReAT supported these attribution theories. First, GReAT found Equation malware on several Stuxnet “patient zero” victim systems prior to the Stuxnet attacks. In other words, Equation may have been responsible for the early operations and reconnaissance of Iranian victims as a precursor to the Stuxnet operations.74 Second, several of the zero-days originally identified in the Stuxnet malware had been leveraged by the Equation group over a year prior to their use in Stuxnet operations. While it’s possible to dispute the evidence that a U.S. intelligence agency orchestrated the attacks, it was clear the same central organization was behind both Equation and Stuxnet operations.
Stuxnet and Equation shared several components, including their designs, exploit use, and targeting. A third malware variant discovered by Symantec yielded the same modular design and comparable advanced capabilities. The malware, known as Regin, has been in existence since at least 2008 and was used to attack researchers, governments, businesses, and critical telecommunications infrastructure.75
Regin, however, differed from the other malware families discussed, because it wasn’t designed to compromise a single host; instead, it implemented a framework used for launching sustained intelligence-gathering operations. For example, one of the malware’s modules can monitor and capture web server traffic from Internet Information Services (IIS), while another can parse mail from Exchange email servers. Arguably the most impressive module allows for the collection of traffic from GSM base station controllers.76 This capability enables the attacker to spy on mobile phone networks, something no other malware discussed in this book can do.
In addition to these unique capabilities, the sheer number of tools in Regin’s framework allowed attackers to execute an attack across entire enterprise environments. It provides remote access; then it can steal passwords, capture keystrokes, and even take screenshots of the victim’s computer. Once in a system, Regin isn’t locked into using a single payload, like most malware. Instead, it can load any of numerous payloads to fit the situation, making it a threat to targets in almost any environment.
Regin appears to have been most active in Russia, providing an important clue as to its origins; nation-state targeting follows the controlling nation’s political and military agenda. Often, targeting can identify the motivation and political views the attacking country aligns with.
Few details exist about the victims of attacks involving Regin malware—except for one. The attack involved Belgacom, a large telecommunications company in Belgium. Belgacom handles communications across the world and has international data links serving millions of customers throughout Europe. The attack, first detected in 2013, began in 2010 and transpired over multiple stages that took place over several years.77 It is unclear how the attacker initially gained access to the network. However, the infection compromised both Belgacom’s corporate and customer-facing systems, providing access to Belgacom’s sensitive communications data. According to several European-based media organizations, some of the primary targets within Belgacom’s communication infrastructure were the European Parliament, European Council, and European Commission.78
This Regin attack continues to pose problems. Once discovered, Belgacom began a significant cleanup operation to mitigate the attacker and their access, costing the company millions. Yet according to reporting from The Intercept, the cleanup operation may have failed, leaving the attacker with a stealthy foothold to continue operations. Publicly, Belgacom disputes the claim, making it challenging to know if the attacker still has access.
Another problem is that Belgacom, and any other organization infected by Regin, has no idea exactly what data the attacker stole. One reason victims are in the dark is Regin’s method of storing and exfiltrating stolen data. Regin stores victim data in memory and then transfers it to an attacker-controlled server without ever writing to the victim disk. While other malware has used memory to store small amounts of its own code, it’s rare to see memory used to collect and store stolen victim data. Doing so presents several technical difficulties the developers had to address for the technique to work. While novel and rarely seen, storing victim data in memory instead of on the hard disk prevents defenders from using forensics to determine what data the attacker is stealing or is interested in. If defenders can evaluate the contents of stolen data, they can determine the attacker’s motive and assess the severity of the breach.
Regin also uses a clever method to exfiltrate data. Before exfiltration, Regin encrypts the data with a custom RC5 cipher. Then it leverages the Internet Control Message Protocol (ICMP), designed to report errors occurring between devices on a network, and embeds the data within HTTP cookies, which are bits of data used by web browsers to store information about a user. Finally, it communicates with the attacker’s C&C server over custom ports. The attacker illegitimately took advantage of the way web browsers store data in cookies and used standard internal network management protocols to transmit between the Regin framework and infected hosts. This provided the attacker with a way to store and move data within the victim’s network, and the custom encryption made the data difficult to decipher even if found. Using traditional internet and network components in a nontraditional way to exfiltrate data secretly speaks to Regin’s developers’ advanced thinking.
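Both carriers described above, ICMP messages and HTTP cookies, have a normal shape that encrypted payload does not fit: a routine echo request carries a small, patterned payload, and a session cookie is a short token. The following is an added example for this book’s discussion, not Regin’s code or any vendor’s detection logic; it shows the kind of size-and-entropy heuristic a defender can run over captured ICMP payloads and Cookie headers to surface traffic worth a closer look. The thresholds, sample packets, cookie names, and client addresses are all assumptions constructed for the example, and the “opaque” payload is simply every byte value once, standing in for ciphertext.

```python
"""Covert-channel triage for ICMP payloads and HTTP cookies.

Added example (not from the book and not Regin's code): defender-side
heuristics for the two carriers the text describes. Thresholds and sample
data are assumptions constructed for illustration, not measured traffic.
"""
from __future__ import annotations

import base64
import math
import re
from dataclasses import dataclass

# A default Linux/BSD ping carries 56 bytes; anything larger and random-looking is unusual.
ICMP_MAX_NORMAL_LEN = 64          # assumed threshold
ICMP_ENTROPY_THRESHOLD = 6.5      # bits per byte; 8.0 is the maximum
COOKIE_MIN_SUSPECT_LEN = 200      # assumed threshold; session tokens are far shorter
BASE64ISH = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(data: bytes | str) -> float:
    """Bits per symbol of the input; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    counts: dict = {}
    for sym in data:
        counts[sym] = counts.get(sym, 0) + 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


@dataclass
class Finding:
    carrier: str   # "icmp" or "cookie"
    src: str       # client address the traffic came from
    reason: str


def check_icmp(src: str, payload: bytes) -> Finding | None:
    """Flag an ICMP payload that is both oversized and high-entropy."""
    ent = shannon_entropy(payload)
    if len(payload) > ICMP_MAX_NORMAL_LEN and ent > ICMP_ENTROPY_THRESHOLD:
        return Finding("icmp", src, f"payload {len(payload)} bytes, entropy {ent:.2f} bits/byte")
    return None


def parse_cookie_header(header: str) -> dict:
    """Split 'a=1; b=2' into a dict; a value may itself contain '=' (base64 padding)."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = value.strip()
    return cookies


def check_cookies(src: str, header: str) -> list[Finding]:
    """Flag cookie values long enough, and opaque enough, to be carrying encoded data."""
    findings = []
    for name, value in parse_cookie_header(header).items():
        if len(value) >= COOKIE_MIN_SUSPECT_LEN and BASE64ISH.match(value):
            findings.append(Finding("cookie", src,
                                    f"cookie {name!r} is {len(value)} chars of opaque data"))
    return findings


# Constructed samples: one benign host and one that would merit investigation.
NORMAL_PING = b"\x00" * 8 + bytes(range(0x10, 0x40))   # 56 bytes, ping-style pattern
OPAQUE_BLOB = bytes(range(256))                        # stands in for ciphertext (entropy 8.0)
ICMP_SAMPLES = [("10.0.4.17", NORMAL_PING), ("10.0.9.3", OPAQUE_BLOB)]
COOKIE_SAMPLES = [
    ("10.0.4.17", "sessionid=7f3a9c; lang=en"),
    ("10.0.9.3", "sessionid=7f3a9c; tk=" + base64.b64encode(OPAQUE_BLOB).decode()),
]


def triage() -> list[Finding]:
    """Run both checks over the constructed samples and return every finding."""
    findings = []
    for src, payload in ICMP_SAMPLES:
        f = check_icmp(src, payload)
        if f:
            findings.append(f)
    for src, header in COOKIE_SAMPLES:
        findings.extend(check_cookies(src, header))
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f"{f.carrier}: {f.src}: {f.reason}")
```

Entropy alone is a weak signal (compressed images and TLS records are high-entropy too), which is why each check pairs it with a size condition and why the output is a list of findings to investigate rather than a verdict; in practice the same heuristic is applied per host over time, since a single oversized echo request means little but a steady stream of them to one destination does not.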
The Regin malware has two known versions. Version 1.0 actively existed between 2008 and 2011. Despite being used in targeted attacks for several years, it went undiscovered and undetected by security vendors and their defensive software, something extremely rare. Another unique and interesting event involving Regin took place in 2011, years before its discovery. In 2011, before version 2.0’s operational use, version 1.0 samples appear to have intentionally been removed from existence. In other words, the controlling entity behind Regin made a deliberate effort to delete all traces of the malware from victim and malware repositories across the internet.79
Keep in mind only highly targeted attacks leveraged the Regin malware, leaving a small footprint across the internet. One attack, let alone several over three years, would be hard to eradicate from existence, yet, with a few exceptions, the controlling entity behind Regin almost pulled it off. Few samples exist in comparison to the number of operations believed to have taken place. The limited samples found in the wild exist only because the attackers made mistakes during the removal process or lost access to the environment before its deletion.
Regin’s background cannot be validated, although based on its similarities to other Western-based malware, including its advanced capabilities and design, many believe Regin, like Stuxnet, originates from the United States’ intelligence agencies. Others speculate a British origin.80 Proponents of a third theory claim that Regin malware and operations are part of a joint operation between the two countries.
Until Kim Jong-un assumed power over North Korea in 2011, the country had barely any connection to the internet, let alone the rest of the world. The previous ruler, Kim Jong-il, who was Kim’s father, had strengthened the country’s military through equipment and human capital. But unlike his father, Kim Jong-un spent several years outside of North Korea, studying computer science at the International School of Bern. Likely influenced by his academic background, he appeared to realize the power of a cyber army early into his dictatorship and began developing North Korea’s offensive cyber capabilities.
Today, North Korea obtains internet access and offensive cyber training through both China and Russia, according to media reports. In addition, a defector from the country has claimed that North Korean hackers train in cyberwarfare at two North Korean colleges.81 The internet access and cyberwarfare have allowed North Korea to steal money from financial institutions through cyber operations, enabling financial growth despite the heavy economic sanctions in place. Those sanctions, imposed by the United States and United Nations, were intended to force the country to end its nuclear program, which the stolen funds have supported.
The sanctions and restrictions motivate North Korea to continue its attacks against the rest of the world. As long as it can survive economically, the cyberattacks will likely continue.
North Korea’s offensive cyber operations appear to fall under the purview of its Reconnaissance General Bureau (RGB), the country’s intelligence agency, and, in particular, a division known as Unit 121.82 According to a Reuters interview with a North Korean defector, Kim Heung-Kwang, Unit 121 had approximately 1,800 cyber soldiers at the time of his interview in January 2015. Since then, the unit has grown and is now believed to comprise between 3,000 and 6,000 hackers.83
Strangely, Unit 121 works out of a hotel in Shenyang, China, that is mostly owned by a North Korean business entity. The primary investor, Dandong Hongxiang Industrial Development, is a Chinese company with a history of doing business with North Korea, despite facing sanctions from the United States. In 2019, the company’s owner and top executives were indicted by the United States on charges that they conducted “illicit financial dealings on behalf of sanctioned North Korean entities that were involved in the proliferation of weapons of mass destruction.”84
Beyond Unit 121, the RGB has several other units that support its cyber operations: Unit 180, Unit 91, and Lab 110. Each has a separate mission that supports the RGB. At least one unit is responsible for intelligence collection and analysis, while another focuses on hacking and attack operations.85 For example, Unit 180 specializes in targeting financial technologies and systems, while Unit 91 is responsible for hacking and stealing technologies related to nuclear and long-range missile systems. While public details on these units primarily originate from defector testimonies, it is clear that North Korea uses cyberattacks to develop its military, economic, and intelligence-gathering capabilities.
Between 2009 and 2013, North Korea conducted denial-of-service attacks against financial institutions, government organizations, and broadcasting organizations, many of which were crippled by destructive malware that wiped out their infrastructure, leaving long-term losses.
In 2014, North Korea conducted one of its most notable attacks against Sony Pictures Entertainment, bringing the company to its knees. As mentioned in this book’s introduction, it published sensitive corporate emails, including salaries and details related to various films in development. Movies that would have made the company millions of dollars were publicly released for anyone to download and view free of charge. The company terminated employees over the devastating attacks.86 Meanwhile, cast and production costs for the released films, which also reached into the millions, had yet to be paid.
To make matters worse, the attacker soon launched a second stage of its assault: sabotage. On November 24, the attacker used custom wiper malware known as Backdoor.Destover to delete computer and server data and destroy Sony’s internal infrastructure, leaving it with no choice but to shut down operations. The company hired a third party, Mandiant, to clean up and mitigate the threat from Sony’s network. However, by this time, the damage was done, and the company’s stock and public reputation took massive hits.
North Korea has also conducted long-term cyberattacks against financial institutions, which we discuss in Chapter 2.
Nation-state attacks require a different approach than most threats. As shown in the examples discussed in this chapter, nation-state attackers have very different motives, and resources available to them, than typical threats, and they almost always conduct longer-term, advanced attacks. For these reasons, investigating nation-state attacks usually requires more time and resources. Unfortunately, when handled incorrectly or treated like an average threat, they can have devastating effects on victim organizations. Taking the time to understand potential adversarial nations can provide an advantage to defenders in tracking, comprehending, and mitigating nation-state attackers.
Most analysts who specialize in nation-state attacks cover specific geographical regions or countries. These experts require greater knowledge and understanding of the adversary than most threat analysts, as they need to understand the political and military motivations of the attacker and remain up-to-date on the country’s current events. A strong understanding of these areas helps identify countries that could have benefited from the attack. Such an understanding of the political and military climate of the area of interest can also help to identify or validate possible fake personas, false flags, and disinformation campaigns associated with nation-state attacks.