State vs. non-state hackers: Different tactics, equal threat?

Recent cyber incidents from state and non-state actors demonstrate the real threat each poses and shed light on the difference in tactics.

Within the last six months, a number of embarrassing cyber intrusions involving government systems have come to light. The government revealed only recently that the State Department and White House unclassified email systems were breached sometime last year by Russia, personal information on about 22 million was taken from the Office of Personnel Management database, reportedly by the Chinese, and most recently, the Joint Chiefs of Staff unclassified email system was breached (Russia again). Other nation states such as North Korea have also jumped into the fray – allegedly hacking Sony Pictures last fall.

In addition to those breaches, the United States was hit with other acts that could be called cyber vandalism, such as the hacks into the Central Command’s Twitter page by pro-ISIS hackers. Hackers claiming to be directly involved with the terror group recently said they obtained the personal information of service members and disseminated it to be used for future attacks against such individuals, in retaliation for U.S. military strikes against ISIS positions in Iraq and Syria. According to initial reporting by NBC News, ISIS claims to have obtained names, emails, passwords and phone numbers from individuals in the Air Force, Marines, NASA and the Port Authority of New York and New Jersey, though NBC noted it is not clear how recent the information is or if the email addresses are still valid.

This follows a similar incident in the spring in which pro-ISIS members claimed to have hacked Pentagon servers to gain biographical information for service members, a claim that turned out to be specious at best, as the hackers obtained the information through Google searches.

Cyberspace is simply another operational domain being utilized by both state and non-state actors and much like in the physical space, the tactics, targets, information and general operation by each in cyberspace are different.

Tip of the spear

For example, the hack against the Joint Chiefs was described as one of the most sophisticated attacks ever. However, it did not deviate from what has become a hallmark of Russian hacking abilities – a tactic called spear phishing, which was also used in the incident that took place last year against the State Department and White House systems. Spear phishing involves emails that appear to come from a trusted source and that try to lure people into clicking on a link and ultimately revealing their passwords or other information. Hackers can then use that information to infiltrate a network.

“Practice makes perfect,” Ryan Kazanciyan, chief security architect at Tanium, a cybersecurity company, told Defense Systems regarding Russia’s history with such phishing campaigns. He added that groups are very familiar with how to gain access into environments such as closely guarded government networks. The key, he said, is that the entire system does not have to be compromised up front – once a particular corner of the network is compromised, hackers can then move laterally and eventually up the chain to more high-value individuals or targets. Last year, for example, Russia reportedly lifted the president’s daily schedule, which is not classified but is not made public.

In the case of the OPM hack, hackers purported to be with the Chinese government – the U.S. has not publicly named China as the culprit – stole the information for intelligence purposes. There are myriad uses for the information taken from OPM; the military and intelligence blog War on the Rocks identified nine of them:

  • Identify undercover officers
  • Neutralize U.S. government officials
  • Threaten overseas family members
  • Harass clearance holders or their families in the United States
  • Wire you for sound
  • Figure out exactly what it takes to get a security clearance
  • Publish the data
  • Guess passwords
  • Spear phish.

The intent of nation states in orchestrating hacks is more traditional, such as long-term intelligence, Haiyan Song, vice president of security markets at Splunk, a global software firm, told Defense Systems. Such intelligence troves will help nation states better plan and prepare for future operations and counter operations against the United States. Even unclassified information taken in aggregate can provide attackers with a valuable amount of knowledge, such as travel plans and other indicators taken from conversations and data, Kazanciyan said. Although classified information is better protected, hackers often are able to stay under the radar in unclassified networks, giving them a long-term view of activity.

NBC News recently reported that Chinese officials have had access to emails from top U.S. national security and trade officials dating back to 2010. Chinese attackers also gained access to email address books, which allowed for more efficient targeting in the form of more authentic-looking and better-cloaked phishing and malware attacks on friends and colleagues.

Getting personal

Attacks from non-state actors, on the other hand, tend to serve the purpose of coercion and personal gain.  While nation states are motivated by geopolitics and deterring other states, non-state actors have typically been motivated by financial gains and ideology, Song said. In the case of the attacks by pro-ISIS sympathizers and members purported to be associated with the group, the information they made public – names and contacts of military personnel and their families – serves as retribution for military action and coercion to cease such behavior. 

The Defense Department is holding its cards close to its chest, not divulging much information about the incident. It still is not clear if any Pentagon systems were actually breached. “I don’t want to downplay the incident, but this is the second or third time they’ve claimed that,” Army Chief of Staff Gen. Ray Odierno told reporters at a Pentagon briefing a day after the incident was reported. Odierno said that in the first two incidents, the lists published by hackers were not taken via cyber attack. Rather, the lists were separate from the networks. “So far, I have not seen the list myself, but what I believe is that this is no different than those other two times,” Odierno said. “But I take it seriously because it’s clear what they’re trying to do. And so it’s important for us to make sure that all our force understands what they’re trying to do – even though I believe they have not been successful with [what they are] claiming.”

It is still unclear if non-state actors such as ISIS have the capabilities that nations such as Russia or China have—global security firm Flashpoint Intelligence agreed that the group’s claims of Pentagon network intrusion were likely overstated—but their attempts do raise concerns about potential damage coming from so-called lone-wolf attacks.

Different language

One common difference between non-state-actor phishing campaigns and the targeted spear-phishing campaigns like the one targeting the Joint Staff is language. A lot of non-state phishing features emails with grave spelling and grammar mistakes, because they are targeting individuals that cannot necessarily tell the difference. Nation states will hire linguists to increase the authenticity of the phishing emails. It’s not necessarily a deficiency in the capabilities of non-state actors vis-à-vis nation states, but different targets and resources. 

Another difference: While nation states typically don’t advertise their intelligence victories—in fact, they typically issue firm denials—non-state actors are more willing to brag about their successes in cyberspace if it serves their cause, Song noted.

The hack of Sony Pictures by North Korea, however, was something of a hybrid. At the Aspen Security Forum recently, Adm. Michael Rogers, head of U.S. Cyber Command and the National Security Agency, said that what was most unique about the Sony hack was the publicity and build up. North Korea was upset over the pending release of “The Interview,” a comedy about a plot to assassinate North Korean leader Kim Jong-un. Rogers noted how the North Koreans, leading up to the incident, were threatening to do something – and they eventually did. This was important because the North Koreans used cyber for coercion – don’t do something, in this case, don’t release the movie.

In fact, this incident demonstrates a potential blurring of lines between state and non-state actor targets, tactics and intents. “The state actors, sometimes they go steal intellectual property and they steal trade information that helps them to become more economically competitive,” Song said. Non-state actors utilize similar practices to serve their ideological beliefs, to air grievances, or gain publicity behind their causes. Additionally, some states have even begun to hire hackers to do their bidding as a means of complicating the attribution problem further. 

While states probably have the greatest capacity and the most sophisticated technologies at their disposal to conduct attacks, not to mention greater government protection from prosecution, non-state actors might be just as capable, though in a different way. In terms of expertise, non-state actors’ ability to collaborate with each other more easily could afford them more threatening capabilities, as they can come up with new techniques and malware through the network they have developed, Song said.

Between state and non-state actors, “I don’t really see a big gap from a technology and skill perspective,” Song said.