Report outlines cyber activity from top U.S. adversaries
- By Mark Pomerleau
- Feb 04, 2016
Cyber activity by other nation states, including potential adversaries of the United States, picked up considerably over the past year, according to a new report.
Secretary of Defense Ashton Carter this week previewed the Defense Department’s forthcoming budget proposal, which requests increased funds to deal with “high-end” enemies such as Russia and China. He also noted that the department cannot maintain a singular focus on those adversaries because of the threats from other nation states, such as North Korea and Iran, as well as from non-state groups.
The cyber intelligence firm CrowdStrike recently released its 2015 Global Threat Report, outlining the activity of criminals, hackers, non-state actors and nation states in cyberspace. A few highlights:
Last year, China focused on acquiring personally identifiable information, both to build a database that could be used against adversaries for various purposes and potentially to inform its own domestic government service restructuring, specifically in healthcare. China employed spear phishing campaigns to gain access to networks and exfiltrate information, the report said.
Additionally, the report noted that China over the last year aggressively pursued a concept of “cyber sovereignty,” to the point of deploying offensive tools such as the “Great Cannon,” a capability that, according to public research, sits in-path on Chinese internet links and injects malicious script into unencrypted web traffic so that visiting browsers are turned into denial-of-service clients. The tool reportedly bolsters China’s censorship efforts while increasing its ability to carry out cyberattacks.
CrowdStrike said that it observed a significant amount of cyber reconnaissance and phishing campaigns that targeted rival claimants opposed to China’s building of artificial islands in the South China Sea.
In terms of Russia’s main efforts in cyberspace last year, CrowdStrike said common themes associated with intrusion campaigns included “[i]nternational conflict, balance of power, energy issues, and the economy.”
Russia and groups suspected of sympathizing with it in fomenting unrest in Ukraine have used cyberspace to pursue their goals through both overt and clandestine activity. Overt activity has been conducted by a group called CyberBerkut that “might not be directly linked to actors operating on behalf of the Russian Federation, [but] their actions do closely align with the interests of the motherland.” That activity includes disinformation, distributed denial of service attacks and intelligence gathering against Ukrainian targets.
CrowdStrike believes that CyberBerkut is associated with Russian state security, citing specific correlations between CyberBerkut’s interference in Ukraine’s elections and messaging delivered by Russian state media, as well as parallels between CyberBerkut’s activity and the Russian-attributed cyberattacks on Estonia in 2007. “CyberBerkut will likely continue to pose a challenge for stability and security within the region, particularly with regard to military forces, diplomatic missions, contractors, and business interests operating in Crimea,” the report said.
Clandestine activity, on the other hand, involved deploying malware for intelligence collection that potentially also had the capability to destroy data and cause physical effects. The report noted that Russia has employed traditional military tactics in its intervention in Syria.
Other actors within Russia have employed spear phishing campaigns against energy-sector organizations in the Middle East, non-governmental organizations in Europe and the Chinese military establishment.
North Korea focused more on intelligence gathering than on offensive cyber operations in 2015, directed mostly toward its southern foe, South Korea. “North Korean cyber activity in 2015 fits into three categories by virtue of the malware that was used,” the report stated. “Milmanbag was identified being used against targets in South Korea at the beginning of 2015. Hawup utilized previously unknown vulnerabilities in a popular Korean language word processor to deploy. AIMRAT is closely related to the infamous Operation Troy. One notable point is that all three malware families were heavily deployed in August 2015 when relations between the North and South were most strained.” Operation Troy was the long-running espionage campaign, traced back to 2009, that culminated in the destructive “Dark Seoul” wiper attacks on South Korean banks and broadcasters in March 2013.
“A major shift in Chinese support may cause the DPRK to seek a more aggressive cyber posture, on the high end as a preparation for military readiness and on the low end as a means to reiterate its demands on the international stage by provoking western powers. It also cannot be dismissed that DPRK cyber operations may further branch out into criminal activity as a way to increase the regime’s financial position,” the report said.
With Iran’s compliance with the nuclear accord struck between the Islamic republic and six world powers over the summer to curb its nuclear program, the country received substantial relief from the sanctions associated with that program. As a result, there will likely be an influx of Western influence given the myriad business opportunities created by the sanctions relief, an influence that the repressive and anti-Western Iranian theocratic regime will likely use cyber means to combat, CrowdStrike said.
Iran has also been pursuing regional hegemony in the past few years, attempting to spread its influence throughout the Gulf region in conflicts ranging from Yemen to Syria. Given these aspirations, CrowdStrike noted that parts of Iran’s 6th Five-Year Plan indicate it wants to improve its national cyber capabilities. Key focuses of this effort include increased infrastructure investment in the information and communication technology (ICT) sector, as well as an allocation of 5 percent of the public budget for defense and security. “In accomplishing this, the objective is to create a soft power capacity and provide cyber defense and cyber security defense for infrastructure,” the report stated.
In broader cybersecurity terms, CrowdStrike noted that “2015 was an active year for cyber crime. CrowdStrike observed growth in the popularity and sophistication of banking Trojans, ransomware, and exploit kits.” The report also recorded an increase in hacktivist and other non-state actor activity in cyberspace.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.