
State Actors and Cyber-Espionage: Computer Warriors vs. Your Business

In the 1995 spy thriller Goldeneye, Russian operatives and a Russian crime syndicate team up to steal a space weapon so they can send a massive electromagnetic pulse to Earth, knocking out financial and defense networks and crippling the free world. To defeat them, James Bond has to bungee jump off a Soviet dam, free-fall to catch an airplane in mid-air, and chase bad guys across three continents. In today’s reality, nation-states and their criminal partners can disrupt commerce and defenses in the free world from the safety and comfort of their computer desks. Their prime targets are not top-secret space weapons but everyday businesses and business systems, and not even James Bond can stop them. Businesses of all types and sizes can become targets of cyber-espionage, so it is up to every business decision-maker to understand the threats.

In the first two parts of this three-part series, we looked at the economics of cyber-crime and the workings of the Dark Web, the supplier, training ground, and marketplace of cyber-crime. In this article, we’ll look at the why and how of cyber-espionage, and how businesses can prepare for potential cyber-attacks.

The Non-Nuclear Option

In a June interview[1], David Sanger, national security correspondent for the New York Times, argued that for hostile foreign governments, cyber-espionage is a cheaper and more effective way to disrupt enemies than a nuclear program. A nuclear program is expensive, relatively easy to track, and invites sanctions, whereas cyber-espionage costs no more than a few computers and competent hackers, can cause spectacular economic, military, and political damage, and comes with plausible deniability.

Classic spy thriller plots have military targets, but cyber-espionage today is more typically aimed at disrupting or embarrassing a foreign government or company. The 2014 Sony breach, pinned on North Korea by the National Security Agency, was in retaliation for an unflattering portrayal of the country in a soon-to-be-released film. Among other things, the hackers released personal emails from Sony executives and personal information of celebrities who have worked with Sony. But the follow-up reports on the breach reveal that this was not an isolated incident of cyber-espionage. A New York Times article quoted a Korean defector who said that in the early 1990s, North Korea had learned from China how to use computers to attack the government’s enemies and that North Korea’s “computer warriors” were sent to China and Russia for training. Another Korean defector noted that “Unlike the North’s nuclear and ballistic missile programs, the cyber forces can be used to harass South Korea and the United States without risking a devastating response.” Over the past 20 years, the skills of state-sponsored cyber-attackers have been honed to surgical precision, helped along by the tools and training available on the Dark Web.

Cloak and Ledger

Just as cyber-espionage is safer and cheaper than nuclear warfare, cyber-espionage against businesses is safer, easier, and often more effective than targeting governments. While “cloak and dagger” used to be the M.O. of spying, in the post-Cold War era industrialized nations compete for world dominance in economic markets, so cyber-espionage is being used against businesses to gain competitive advantage. The first case brought by the U.S. against state-sponsored cyber-espionage revealed that China-sponsored hackers gained access to networks at numerous American companies, including U.S. Steel; Alcoa; Allegheny Technologies (ATI); Westinghouse; United Steelworkers, the biggest industrial labor union in North America; and the U.S. subsidiary of German solar-panel maker SolarWorld. According to a report in MIT Technology Review, the agents stole thousands of e-mails about business strategy, documents about unfair trade cases some U.S. companies had filed against China, and designs for nuclear power plants, all allegedly to benefit Chinese companies.

In addition to gaining industrial secrets, data stolen in cyber-attacks on businesses can be used to support the programs of hostile nations. Physical warfare is expensive, whereas cyber-warfare can be self-funding if state-backed hackers monetize stolen data on the Dark Web.

Cyber-warriors also target small and mid-size businesses because they tend to have weaker defenses than critical government or military organizations. Business systems now connect with partners of all sizes, so a mid-size or small business network may provide the opening that offers cyber-attackers a path into a business partner’s networks, either immediately or in the future. According to Gary Loveland, a principal in PricewaterhouseCoopers’ Consumer, Industrial Products and Services group, “Today’s hackers are farsighted and more tenacious now when it comes to midsize and smaller companies. They might hack a high-tech startup, thinking, ‘When you get bought by a big company, the first thing you’ll do is connect to their networks, and then, bam! I’m in.’ You don’t want your company to be that conduit.”[2] Smaller organizations can also hold personal data on customers or employees that could be used to coerce individuals into revealing security codes and other sensitive information. For example, if medical records revealed that an official in a key position had an alcohol problem, or financial records revealed a gambling problem, that person might be coerced into revealing industrial plans, network passwords, or other sensitive information.

Everyday Hacks

Part of the beauty of cyber-espionage, from the standpoint of nation-states, is that it uses the same methods as any other kind of cyber-attack—skills, tools, and techniques that are abundantly available and hard to distinguish from those of any garden-variety cyber-criminal. However, cyber-espionage attacks are more likely to be multi-stage than attacks by cyber-criminals seeking saleable information such as credit card numbers or medical records. For example, an attack might start with spear phishing (an e-mail spoofing fraud to gain user passwords or other confidential data) or a watering hole attack (the hijacking of a legitimate community-of-interest site) to introduce malware onto the computers or devices of employees or customers. From there, the attackers go on to quietly explore the compromised networks, looking for additional vulnerabilities, for back doors into the networks of business partners, and for data that may be useful for competition or coercion. While the common cyber-criminal may “smash and grab” for a quick payoff, and hacktivists may quickly publicize stolen data to embarrass the target, cyber-spies play the long game.
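Because the first stage of these campaigns is so often a spoofed e-mail, here is an added example of what a mail-gateway or help-desk triage check for that stage can look like. It is not code from the original article or from IDX; it assumes a hypothetical list of trusted domains (TRUSTED_DOMAINS) and scores two constructed sample messages for the spoofing signs defenders commonly look for: a Reply-To routed to a different domain, a sender domain that imitates a trusted one, link text that shows one host while the link goes to another, and credential-lure wording.

```python
"""Score e-mail messages for spear-phishing indicators (added example, not from the article).

Assumptions: TRUSTED_DOMAINS and SAMPLE_MESSAGES are constructed values for a
hypothetical organisation; a real deployment would load them from its own directory.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this hypothetical organisation and its partners legitimately use.
TRUSTED_DOMAINS = {"example.com", "partner-corp.example"}

LURE_WORDING = re.compile(
    r"(verify|confirm|reset|update)\s+your\s+(password|credentials|account)", re.IGNORECASE
)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
EMAIL_TOKEN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(addr):
    """Lower-cased domain part of an RFC 5322 address string, or '' if none."""
    _, email = parseaddr(addr or "")
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def edit_distance(a, b):
    """Plain Levenshtein distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated.

    Catches one-character edits (examp1e.com), a trusted domain used as a prefix
    (example.com.evil.test) and the registered name with a swapped separator (example-com.net).
    """
    if not domain:
        return None
    registered = ".".join(domain.split(".")[-2:])
    if domain in TRUSTED_DOMAINS or registered in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        name = trusted.split(".")[0]
        if edit_distance(registered, trusted) <= 1:
            return trusted
        if domain.startswith(trusted + ".") or registered.startswith(name + "-"):
            return trusted
    return None


def url_host(url):
    return (urlparse(url.strip()).hostname or "").lower()


def phishing_indicators(msg):
    """Return human-readable indicators found in a message dict with keys from/reply_to/body."""
    found = []
    display_name, _ = parseaddr(msg.get("from", ""))
    from_domain = domain_of(msg.get("from"))

    # Display name that carries an address from another domain ("ceo@example.com" <x@evil.test>)
    token = EMAIL_TOKEN.search(display_name)
    if token and token.group(1).lower() != from_domain:
        found.append(f"display name claims {token.group(1).lower()} but From is {from_domain}")

    # Replies silently routed somewhere other than the claimed sender's domain
    reply_domain = domain_of(msg.get("reply_to"))
    if reply_domain and reply_domain != from_domain:
        found.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Sender domain imitating a trusted one
    imitated = lookalike_of(from_domain)
    if imitated:
        found.append(f"From domain {from_domain} resembles trusted {imitated}")

    # Link text showing one host while the href points to another, or to a look-alike host
    body = msg.get("body", "")
    for href, text in ANCHOR.findall(body):
        href_host = url_host(href)
        text_host = url_host(text) if text.strip().lower().startswith("http") else ""
        if text_host and href_host and text_host != href_host:
            found.append(f"link text {text_host} points to {href_host}")
        elif href_host and lookalike_of(href_host):
            found.append(f"link host {href_host} resembles trusted {lookalike_of(href_host)}")

    if LURE_WORDING.search(body):
        found.append("credential lure wording")
    return found


# Constructed sample messages: one spoofed credential lure, one ordinary internal mail.
SAMPLE_MESSAGES = [
    {
        "from": '"IT Helpdesk" <helpdesk@examp1e.com>',
        "reply_to": "helpdesk@mail-relay.test",
        "body": 'Please <a href="http://login.examp1e.com/reset">https://portal.example.com/reset</a> '
                "to verify your password before Friday.",
    },
    {
        "from": '"Alice Example" <alice@example.com>',
        "body": 'Minutes are at <a href="https://portal.example.com/docs/123">the portal</a>.',
    },
]


if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES):
        print(i, phishing_indicators(msg) or ["no indicators"])
```

Each indicator on its own is only a hint (legitimate mail sometimes sets a different Reply-To), so the useful output for a help desk is the list of reasons rather than a yes/no verdict; the first sample trips four of them, the second none.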

Spy vs. the Back Office

The office of counter-intelligence does not show up in the org chart of the average business, so how can an organization defend against the growing threat of cyber-espionage? The good news, again, is that the tactics of cyber-warfare are the same as any other kind of cyber-crime, even if the ends are different, so defensive best practices are also the same. The key element is awareness.

When you conduct your risk analysis, think about how your organization might be targeted by state actors. Consider which employees, customers, or business partners might have access to particularly sensitive data and which might be most vulnerable to coercion, and capture that information in your risk profile. (For example, staff members who hold network passwords should always be considered potential targets.) Identify the data that might be targeted for cyber-espionage and figure that into your spending priorities for security programs. Because most cyber-espionage attacks are multi-stage, you need awareness and training programs to help employees, and possibly customers, avoid becoming victims of social engineering, and you should keep them informed about new social engineering scams. (Part 2 of this series listed some good resources for news on security threats.) And finally, figure cyber-warfare into your incident response plans, as you would for any other breach risk. What partners and agencies would need to be brought into an investigation, and which should be notified right away? How can you protect breached individuals against coercion? How can you mitigate damage from stolen information? These can be tough questions, and the answers won’t always be obvious, but the threats are real, and national security and your organization’s survival may rest on them.


About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.